4689001331300x8020000000000000276792Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1998C:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000276791Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1998C:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Version /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276790Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x13acC:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000276789Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13acC:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Caption /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276788Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1928C:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000276787Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1928C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276786Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1190C:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000276785Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x11b4C:\Windows\System32\wbem\WmiPrvSE.exe%%19360x35cC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNULL SIDAR-WIN-DC$ATTACKRANGE0x3e4C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000276784Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1190C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 154100x800000000000000044948Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.978{0b642d80-3ac0-65d6-c902-00000000be02}6552C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 154100x800000000000000044947Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.878{0b642d80-3ac0-65d6-c802-00000000be02}5036C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Caption /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 154100x800000000000000044946Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.799{0b642d80-3ac0-65d6-c702-00000000be02}6440C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 154100x800000000000000044945Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.633{0b642d80-3ac0-65d6-c502-00000000be02}4496C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 4689001331300x8020000000000000426613Securityar-win-2.attackrange.localNT AUTHORITY\NETWORK SERVICEAR-WIN-2$ATTACKRANGE0x3e40x00xa94C:\Windows\System32\wbem\WmiPrvSE.exe 4634001254500x8020000000000000276783Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1d2a593 4627001255400x8020000000000000276782Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1d2a59311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000276781Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1d2a593KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::156874%%1833---%%18430x0%%1842 4672001254800x8020000000000000276780Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1d2a59SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 410515102150x0708575Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708574Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcc1fd986-29f9-449f-963e-e75084a741d22b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708573Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708572Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708571Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcc1fd986-29f9-449f-963e-e75084a741d22b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708570Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptcc1fd986-29f9-449f-963e-e75084a741d2 410615103150x0708569Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708568Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708567Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local75e0a0c6-9b02-4980-9f6e-cbf3993dda772b535b4c-a403-4565-9d75-b1fc8c18a9ac 4724001382400x8020000000000000276779Securityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276778Securityar-win-dc.attackrange.local-TRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276777Securityar-win-dc.attackrange.localCECILE_DOWNSATTACKRANGEATTACKRANGE\CECILE_DOWNSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276776Securityar-win-dc.attackrange.local-CECILE_DOWNSATTACKRANGEATTACKRANGE\CECILE_DOWNSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276775Securityar-win-dc.attackrange.localTHADDEUS_TOWNSENDATTACKRANGEATTACKRANGE\THADDEUS_TOWNSENDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276774Securityar-win-dc.attackrange.local-THADDEUS_TOWNSENDATTACKRANGEATTACKRANGE\THADDEUS_TOWNSENDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276773Securityar-win-dc.attackrange.localJOANN_PETERSENATTACKRANGEATTACKRANGE\JOANN_PETERSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276772Securityar-win-dc.attackrange.local-JOANN_PETERSENATTACKRANGEATTACKRANGE\JOANN_PETERSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276771Securityar-win-dc.attackrange.localMARGUERITE_GARCIAATTACKRANGEATTACKRANGE\MARGUERITE_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276770Securityar-win-dc.attackrange.local-MARGUERITE_GARCIAATTACKRANGEATTACKRANGE\MARGUERITE_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276769Securityar-win-dc.attackrange.localJOSEFA_MARSHATTACKRANGEATTACKRANGE\JOSEFA_MARSHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276768Securityar-win-dc.attackrange.local-JOSEFA_MARSHATTACKRANGEATTACKRANGE\JOSEFA_MARSHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276767Securityar-win-dc.attackrange.localPEGGY_WYNNATTACKRANGEATTACKRANGE\PEGGY_WYNNATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276766Securityar-win-dc.attackrange.local-PEGGY_WYNNATTACKRANGEATTACKRANGE\PEGGY_WYNNATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276765Securityar-win-dc.attackrange.localELISEO_CHANATTACKRANGEATTACKRANGE\ELISEO_CHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276764Securityar-win-dc.attackrange.local-ELISEO_CHANATTACKRANGEATTACKRANGE\ELISEO_CHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276763Securityar-win-dc.attackrange.localSASHA_CHRISTENSENATTACKRANGEATTACKRANGE\SASHA_CHRISTENSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276762Securityar-win-dc.attackrange.local-SASHA_CHRISTENSENATTACKRANGEATTACKRANGE\SASHA_CHRISTENSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276761Securityar-win-dc.attackrange.localBRANDEN_FROSTATTACKRANGEATTACKRANGE\BRANDEN_FROSTATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276760Securityar-win-dc.attackrange.local-BRANDEN_FROSTATTACKRANGEATTACKRANGE\BRANDEN_FROSTATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276759Securityar-win-dc.attackrange.localNATALIA_RODRIGUEZATTACKRANGEATTACKRANGE\NATALIA_RODRIGUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276758Securityar-win-dc.attackrange.local-NATALIA_RODRIGUEZATTACKRANGEATTACKRANGE\NATALIA_RODRIGUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276757Securityar-win-dc.attackrange.localFAY_HOLCOMBATTACKRANGEATTACKRANGE\FAY_HOLCOMBATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276756Securityar-win-dc.attackrange.local-FAY_HOLCOMBATTACKRANGEATTACKRANGE\FAY_HOLCOMBATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276755Securityar-win-dc.attackrange.localROBT_VINSONATTACKRANGEATTACKRANGE\ROBT_VINSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276754Securityar-win-dc.attackrange.local-ROBT_VINSONATTACKRANGEATTACKRANGE\ROBT_VINSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276753Securityar-win-dc.attackrange.localMARYLOU_ORRATTACKRANGEATTACKRANGE\MARYLOU_ORRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276752Securityar-win-dc.attackrange.local-MARYLOU_ORRATTACKRANGEATTACKRANGE\MARYLOU_ORRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276751Securityar-win-dc.attackrange.localLARRY_ARMSTRONGATTACKRANGEATTACKRANGE\LARRY_ARMSTRONGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276750Securityar-win-dc.attackrange.local-LARRY_ARMSTRONGATTACKRANGEATTACKRANGE\LARRY_ARMSTRONGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276749Securityar-win-dc.attackrange.localFRANKIE_COLLIERATTACKRANGEATTACKRANGE\FRANKIE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276748Securityar-win-dc.attackrange.local-FRANKIE_COLLIERATTACKRANGEATTACKRANGE\FRANKIE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276747Securityar-win-dc.attackrange.localCLYDE_DICKERSONATTACKRANGEATTACKRANGE\CLYDE_DICKERSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276746Securityar-win-dc.attackrange.local-CLYDE_DICKERSONATTACKRANGEATTACKRANGE\CLYDE_DICKERSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM--------- 4724001382400x8020000000000000276745Securityar-win-dc.attackrange.localGARY_CARRILLOATTACKRANGEATTACKRANGE\GARY_CARRILLOATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276744Securityar-win-dc.attackrange.local-GARY_CARRILLOATTACKRANGEATTACKRANGE\GARY_CARRILLOATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM--------- 02/21/2024 18:02:22.675 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=TRUMAN_CLEMENTS@attackrange.local name=TRUMAN_CLEMENTS displayName=TRUMAN_CLEMENTS distinguishedName=CN=TRUMAN_CLEMENTS,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=TRUMAN_CLEMENTS cn=TRUMAN_CLEMENTS Object Details: sAMAccountType=805306368 sAMAccountName=TRUMAN_CLEMENTS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2030 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=977bd7cc-7b6f-4107-84b6-64c8b06c1487 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.46 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82061 uSNCreated=23393 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=BA-car-distlist1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=DE-paulaliza-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.757 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=TRUMAN_CLEMENTS@attackrange.local name=TRUMAN_CLEMENTS displayName=TRUMAN_CLEMENTS distinguishedName=CN=TRUMAN_CLEMENTS,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=TRUMAN_CLEMENTS cn=TRUMAN_CLEMENTS Object Details: sAMAccountType=805306368 sAMAccountName=TRUMAN_CLEMENTS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2030 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=977bd7cc-7b6f-4107-84b6-64c8b06c1487 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.46 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82061 uSNCreated=23393 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=BA-car-distlist1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=DE-paulaliza-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.612 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CECILE_DOWNS@attackrange.local name=CECILE_DOWNS displayName=CECILE_DOWNS distinguishedName=CN=CECILE_DOWNS,OU=Devices,OU=OGC,OU=Tier 2,DC=attackrange,DC=local sn=CECILE_DOWNS cn=CECILE_DOWNS Object Details: sAMAccountType=805306368 sAMAccountName=CECILE_DOWNS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2265 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b0f1299a-ef72-4b0d-b5b2-904fdfd1b23b whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.38 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82059 uSNCreated=25044 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010101181633.0Z managedObjects=CN=CE-mrv-distlist1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=CE-iva-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local memberOf=CN=WI-1.2-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=EM-car-distlist1,OU=Test,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=41-nen-distlist1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=CL-azukiki69-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-hormiga02-admingroup1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=JO-luc-distlist1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RO-360-distlist1,OU=Groups,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=LA-cjgcdmbbd-distlist1,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=Certificate Service DCOM Access,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.710 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CECILE_DOWNS@attackrange.local name=CECILE_DOWNS displayName=CECILE_DOWNS distinguishedName=CN=CECILE_DOWNS,OU=Devices,OU=OGC,OU=Tier 2,DC=attackrange,DC=local sn=CECILE_DOWNS cn=CECILE_DOWNS Object Details: sAMAccountType=805306368 sAMAccountName=CECILE_DOWNS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2265 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b0f1299a-ef72-4b0d-b5b2-904fdfd1b23b whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.38 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82059 uSNCreated=25044 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010101181633.0Z managedObjects=CN=CE-mrv-distlist1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=CE-iva-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local memberOf=CN=WI-1.2-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=EM-car-distlist1,OU=Test,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=41-nen-distlist1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=CL-azukiki69-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-hormiga02-admingroup1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=JO-luc-distlist1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RO-360-distlist1,OU=Groups,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=LA-cjgcdmbbd-distlist1,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=Certificate Service DCOM Access,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.581 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=THADDEUS_TOWNSEND@attackrange.local name=THADDEUS_TOWNSEND displayName=THADDEUS_TOWNSEND distinguishedName=CN=THADDEUS_TOWNSEND,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=THADDEUS_TOWNSEND cn=THADDEUS_TOWNSEND Object Details: sAMAccountType=805306368 sAMAccountName=THADDEUS_TOWNSEND logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1535 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=9ee3f21f-778f-4619-af72-15f3d2bb6f8c whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.53 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82057 uSNCreated=19913 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MO-arabe1987-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=DA-oma-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=YO-ame197979-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=HE-JESUS0123-admingroup1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=BE-compilaci-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.663 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=THADDEUS_TOWNSEND@attackrange.local name=THADDEUS_TOWNSEND displayName=THADDEUS_TOWNSEND distinguishedName=CN=THADDEUS_TOWNSEND,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=THADDEUS_TOWNSEND cn=THADDEUS_TOWNSEND Object Details: sAMAccountType=805306368 sAMAccountName=THADDEUS_TOWNSEND logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1535 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=9ee3f21f-778f-4619-af72-15f3d2bb6f8c whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.53 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82057 uSNCreated=19913 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MO-arabe1987-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=DA-oma-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=YO-ame197979-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=HE-JESUS0123-admingroup1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=BE-compilaci-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.632 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JOANN_PETERSEN@attackrange.local name=JOANN_PETERSEN displayName=JOANN_PETERSEN distinguishedName=CN=JOANN_PETERSEN,OU=Test,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=JOANN_PETERSEN cn=JOANN_PETERSEN Object Details: sAMAccountType=805306368 sAMAccountName=JOANN_PETERSEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1227 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b80a668a-2741-4835-b05b-17e311084866 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:49.37 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82055 uSNCreated=17746 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=YE-hay-distlist1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ED-110-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.534 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JOANN_PETERSEN@attackrange.local name=JOANN_PETERSEN displayName=JOANN_PETERSEN distinguishedName=CN=JOANN_PETERSEN,OU=Test,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=JOANN_PETERSEN cn=JOANN_PETERSEN Object Details: sAMAccountType=805306368 sAMAccountName=JOANN_PETERSEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1227 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b80a668a-2741-4835-b05b-17e311084866 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:49.37 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82055 uSNCreated=17746 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=YE-hay-distlist1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ED-110-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.487 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARGUERITE_GARCIA@attackrange.local name=MARGUERITE_GARCIA displayName=MARGUERITE_GARCIA distinguishedName=CN=MARGUERITE_GARCIA,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local sn=MARGUERITE_GARCIA cn=MARGUERITE_GARCIA Object Details: sAMAccountType=805306368 sAMAccountName=MARGUERITE_GARCIA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1394 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b775cf61-d859-46b5-ae6f-3f8043f46533 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.18 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82053 uSNCreated=18921 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010101181633.0Z memberOf=CN=AB-arual1103-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=LY-jos-admingroup1,OU=Devices,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=JA-swe-admingroup1,OU=Groups,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.570 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARGUERITE_GARCIA@attackrange.local name=MARGUERITE_GARCIA displayName=MARGUERITE_GARCIA distinguishedName=CN=MARGUERITE_GARCIA,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local sn=MARGUERITE_GARCIA cn=MARGUERITE_GARCIA Object Details: sAMAccountType=805306368 sAMAccountName=MARGUERITE_GARCIA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1394 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b775cf61-d859-46b5-ae6f-3f8043f46533 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.18 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82053 uSNCreated=18921 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010101181633.0Z memberOf=CN=AB-arual1103-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=LY-jos-admingroup1,OU=Devices,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=JA-swe-admingroup1,OU=Groups,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.538 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JOSEFA_MARSH@attackrange.local name=JOSEFA_MARSH displayName=JOSEFA_MARSH distinguishedName=CN=JOSEFA_MARSH,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=JOSEFA_MARSH cn=JOSEFA_MARSH Object Details: sAMAccountType=805306368 sAMAccountName=JOSEFA_MARSH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1508 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=adbddb94-feca-4979-954e-cea466aa0676 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.46 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82051 uSNCreated=19723 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=JO-betyluis2-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-320-admingroup1,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=Remote Management Users,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.440 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JOSEFA_MARSH@attackrange.local name=JOSEFA_MARSH displayName=JOSEFA_MARSH distinguishedName=CN=JOSEFA_MARSH,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=JOSEFA_MARSH cn=JOSEFA_MARSH Object Details: sAMAccountType=805306368 sAMAccountName=JOSEFA_MARSH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1508 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=adbddb94-feca-4979-954e-cea466aa0676 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:50.46 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82051 uSNCreated=19723 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=JO-betyluis2-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-320-admingroup1,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=Remote Management Users,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.507 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=PEGGY_WYNN@attackrange.local name=PEGGY_WYNN displayName=PEGGY_WYNN distinguishedName=CN=PEGGY_WYNN,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=attackrange,DC=local sn=PEGGY_WYNN cn=PEGGY_WYNN Object Details: sAMAccountType=805306368 sAMAccountName=PEGGY_WYNN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1930 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=d90e7146-6ac2-4c9b-8bbb-e72bda7b7a37 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.24 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82049 uSNCreated=22691 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ER-mor-distlist1,OU=Groups,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=ME-545631255-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SH-daresadr1-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-ESCRIBEME-admingroup1,OU=Devices,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=VI-mercrefox-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.409 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=PEGGY_WYNN@attackrange.local name=PEGGY_WYNN displayName=PEGGY_WYNN distinguishedName=CN=PEGGY_WYNN,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=attackrange,DC=local sn=PEGGY_WYNN cn=PEGGY_WYNN Object Details: sAMAccountType=805306368 sAMAccountName=PEGGY_WYNN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1930 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=d90e7146-6ac2-4c9b-8bbb-e72bda7b7a37 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.24 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82049 uSNCreated=22691 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ER-mor-distlist1,OU=Groups,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=ME-545631255-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SH-daresadr1-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-ESCRIBEME-admingroup1,OU=Devices,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=VI-mercrefox-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.378 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ELISEO_CHAN@attackrange.local name=ELISEO_CHAN displayName=ELISEO_CHAN distinguishedName=CN=ELISEO_CHAN,OU=Grouper-Groups,DC=attackrange,DC=local sn=ELISEO_CHAN cn=ELISEO_CHAN Object Details: sAMAccountType=805306368 sAMAccountName=ELISEO_CHAN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1972 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=c9053b23-fb4e-4b31-ba4c-2a4ed662aec2 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.33 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82047 uSNCreated=22986 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z memberOf=CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=LO-503-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=MA-ca4-admingroup1,OU=FSR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.460 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ELISEO_CHAN@attackrange.local name=ELISEO_CHAN displayName=ELISEO_CHAN distinguishedName=CN=ELISEO_CHAN,OU=Grouper-Groups,DC=attackrange,DC=local sn=ELISEO_CHAN cn=ELISEO_CHAN Object Details: sAMAccountType=805306368 sAMAccountName=ELISEO_CHAN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1972 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=c9053b23-fb4e-4b31-ba4c-2a4ed662aec2 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.33 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82047 uSNCreated=22986 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z memberOf=CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=LO-503-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=MA-ca4-admingroup1,OU=FSR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.331 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=SASHA_CHRISTENSEN@attackrange.local name=SASHA_CHRISTENSEN displayName=SASHA_CHRISTENSEN distinguishedName=CN=SASHA_CHRISTENSEN,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=SASHA_CHRISTENSEN cn=SASHA_CHRISTENSEN Object Details: sAMAccountType=805306368 sAMAccountName=SASHA_CHRISTENSEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2652 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e04682bf-9308-4716-82a5-0d247bac53fa whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:55.01 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82045 uSNCreated=27762 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=FR-af0ck1z91-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.429 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=SASHA_CHRISTENSEN@attackrange.local name=SASHA_CHRISTENSEN displayName=SASHA_CHRISTENSEN distinguishedName=CN=SASHA_CHRISTENSEN,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=SASHA_CHRISTENSEN cn=SASHA_CHRISTENSEN Object Details: sAMAccountType=805306368 sAMAccountName=SASHA_CHRISTENSEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2652 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e04682bf-9308-4716-82a5-0d247bac53fa whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:55.01 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82045 uSNCreated=27762 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=FR-af0ck1z91-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.285 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BRANDEN_FROST@attackrange.local name=BRANDEN_FROST displayName=BRANDEN_FROST distinguishedName=CN=BRANDEN_FROST,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local sn=BRANDEN_FROST cn=BRANDEN_FROST Object Details: sAMAccountType=805306368 sAMAccountName=BRANDEN_FROST logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2216 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=62bdabb4-2cb2-43a6-b284-b81bcc17c3f0 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.27 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82043 uSNCreated=24699 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=BR-jos-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=DW-gelsomina-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=CL-141-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.382 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BRANDEN_FROST@attackrange.local name=BRANDEN_FROST displayName=BRANDEN_FROST distinguishedName=CN=BRANDEN_FROST,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local sn=BRANDEN_FROST cn=BRANDEN_FROST Object Details: sAMAccountType=805306368 sAMAccountName=BRANDEN_FROST logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2216 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=62bdabb4-2cb2-43a6-b284-b81bcc17c3f0 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.27 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82043 uSNCreated=24699 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=BR-jos-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=DW-gelsomina-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=CL-141-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.335 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=NATALIA_RODRIGUEZ@attackrange.local name=NATALIA_RODRIGUEZ displayName=NATALIA_RODRIGUEZ distinguishedName=CN=NATALIA_RODRIGUEZ,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local sn=NATALIA_RODRIGUEZ cn=NATALIA_RODRIGUEZ Object Details: sAMAccountType=805306368 sAMAccountName=NATALIA_RODRIGUEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3419 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=d7ab2901-a24c-4a33-b71e-d59896b627fc whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:57.35 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82041 uSNCreated=33153 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=QU-aur-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.237 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=NATALIA_RODRIGUEZ@attackrange.local name=NATALIA_RODRIGUEZ displayName=NATALIA_RODRIGUEZ distinguishedName=CN=NATALIA_RODRIGUEZ,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local sn=NATALIA_RODRIGUEZ cn=NATALIA_RODRIGUEZ Object Details: sAMAccountType=805306368 sAMAccountName=NATALIA_RODRIGUEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3419 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=d7ab2901-a24c-4a33-b71e-d59896b627fc whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:57.35 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82041 uSNCreated=33153 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=QU-aur-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.190 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FAY_HOLCOMB@attackrange.local name=FAY_HOLCOMB displayName=FAY_HOLCOMB distinguishedName=CN=FAY_HOLCOMB,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=FAY_HOLCOMB cn=FAY_HOLCOMB Object Details: sAMAccountType=805306368 sAMAccountName=FAY_HOLCOMB logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2234 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7c620f57-4749-476b-9722-255919ff4dd2 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.31 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82039 uSNCreated=24826 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=HO-pum-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mus-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=MA-776-distlist1,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.159 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROBT_VINSON@attackrange.local name=ROBT_VINSON displayName=ROBT_VINSON distinguishedName=CN=ROBT_VINSON,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=ROBT_VINSON cn=ROBT_VINSON Object Details: sAMAccountType=805306368 sAMAccountName=ROBT_VINSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1872 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=24a604fd-799f-40e5-836b-54f5251dff02 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82037 uSNCreated=22284 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=LA-bil-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=JO-gar-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=ID-572-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=RU-270-admingroup1,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.112 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARYLOU_ORR@attackrange.local name=MARYLOU_ORR displayName=MARYLOU_ORR distinguishedName=CN=MARYLOU_ORR,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=MARYLOU_ORR cn=MARYLOU_ORR Object Details: sAMAccountType=805306368 sAMAccountName=MARYLOU_ORR logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1595 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=72b79fa7-b0ae-45e0-acf5-ef321d6f7d62 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:51.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82035 uSNCreated=20334 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=ER-bal-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=CO-bellotali-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=TR-260-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=AU-chi-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=YO-aldo18696-admingroup1,OU=Devices,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.081 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LARRY_ARMSTRONG@attackrange.local name=LARRY_ARMSTRONG displayName=LARRY_ARMSTRONG distinguishedName=CN=LARRY_ARMSTRONG,OU=FIN,OU=Tier 1,DC=attackrange,DC=local sn=LARRY_ARMSTRONG cn=LARRY_ARMSTRONG Object Details: sAMAccountType=805306368 sAMAccountName=LARRY_ARMSTRONG logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3528 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=5390da29-1743-47e7-a12f-351422ddee97 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:57.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82033 uSNCreated=33920 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=MA-elemarioe-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=BR-14omar09t-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-20Mayo199-distlist1,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=DE-bou-distlist1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AU-her-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=HE-cue-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.035 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FRANKIE_COLLIER@attackrange.local name=FRANKIE_COLLIER displayName=FRANKIE_COLLIER distinguishedName=CN=FRANKIE_COLLIER,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local sn=FRANKIE_COLLIER cn=FRANKIE_COLLIER Object Details: sAMAccountType=805306368 sAMAccountName=FRANKIE_COLLIER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2691 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=dfafbd08-6a48-4b67-bf51-bcd3aeabd9f7 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:55.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82031 uSNCreated=28035 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=JA-der-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AV-163-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=JA-patitomoj-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RE-3hotmail3-admingroup1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RA-albertito-admingroup1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.288 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FAY_HOLCOMB@attackrange.local name=FAY_HOLCOMB displayName=FAY_HOLCOMB distinguishedName=CN=FAY_HOLCOMB,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=FAY_HOLCOMB cn=FAY_HOLCOMB Object Details: sAMAccountType=805306368 sAMAccountName=FAY_HOLCOMB logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2234 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7c620f57-4749-476b-9722-255919ff4dd2 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:53.31 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82039 uSNCreated=24826 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=HO-pum-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mus-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=MA-776-distlist1,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.257 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROBT_VINSON@attackrange.local name=ROBT_VINSON displayName=ROBT_VINSON distinguishedName=CN=ROBT_VINSON,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=ROBT_VINSON cn=ROBT_VINSON Object Details: sAMAccountType=805306368 sAMAccountName=ROBT_VINSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1872 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=24a604fd-799f-40e5-836b-54f5251dff02 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:52.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82037 uSNCreated=22284 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=LA-bil-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=JO-gar-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=ID-572-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=RU-270-admingroup1,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.209 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARYLOU_ORR@attackrange.local name=MARYLOU_ORR displayName=MARYLOU_ORR distinguishedName=CN=MARYLOU_ORR,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=MARYLOU_ORR cn=MARYLOU_ORR Object Details: sAMAccountType=805306368 sAMAccountName=MARYLOU_ORR logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1595 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=72b79fa7-b0ae-45e0-acf5-ef321d6f7d62 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:51.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82035 uSNCreated=20334 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=ER-bal-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=CO-bellotali-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=TR-260-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=AU-chi-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=YO-aldo18696-admingroup1,OU=Devices,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.178 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LARRY_ARMSTRONG@attackrange.local name=LARRY_ARMSTRONG displayName=LARRY_ARMSTRONG distinguishedName=CN=LARRY_ARMSTRONG,OU=FIN,OU=Tier 1,DC=attackrange,DC=local sn=LARRY_ARMSTRONG cn=LARRY_ARMSTRONG Object Details: sAMAccountType=805306368 sAMAccountName=LARRY_ARMSTRONG logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3528 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=5390da29-1743-47e7-a12f-351422ddee97 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:57.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82033 uSNCreated=33920 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=MA-elemarioe-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=BR-14omar09t-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-20Mayo199-distlist1,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=DE-bou-distlist1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AU-her-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=HE-cue-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.131 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FRANKIE_COLLIER@attackrange.local name=FRANKIE_COLLIER displayName=FRANKIE_COLLIER distinguishedName=CN=FRANKIE_COLLIER,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local sn=FRANKIE_COLLIER cn=FRANKIE_COLLIER Object Details: sAMAccountType=805306368 sAMAccountName=FRANKIE_COLLIER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2691 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=dfafbd08-6a48-4b67-bf51-bcd3aeabd9f7 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:55.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82031 uSNCreated=28035 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=JA-der-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AV-163-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=JA-patitomoj-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RE-3hotmail3-admingroup1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RA-albertito-admingroup1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.084 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CLYDE_DICKERSON@attackrange.local name=CLYDE_DICKERSON displayName=CLYDE_DICKERSON distinguishedName=CN=CLYDE_DICKERSON,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=CLYDE_DICKERSON cn=CLYDE_DICKERSON Object Details: sAMAccountType=805306368 sAMAccountName=CLYDE_DICKERSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2604 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7cc38f7c-9dec-4385-a08e-a64f9502b388 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:54.51 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82029 uSNCreated=27426 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=AL-gui-admingroup1,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=WE-cab-admingroup1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-cupidon21-distlist1,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:22.022 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GARY_CARRILLO@attackrange.local name=GARY_CARRILLO displayName=GARY_CARRILLO distinguishedName=CN=GARY_CARRILLO,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=GARY_CARRILLO cn=GARY_CARRILLO Object Details: sAMAccountType=805306368 sAMAccountName=GARY_CARRILLO logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2024 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=392e8c32-9f9d-41c2-aacf-5f83212134f7 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:52.45 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82027 uSNCreated=23351 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 4724001382400x8020000000000000276743Securityar-win-dc.attackrange.localKRISTY_HERNANDEZATTACKRANGEATTACKRANGE\KRISTY_HERNANDEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276742Securityar-win-dc.attackrange.local-KRISTY_HERNANDEZATTACKRANGEATTACKRANGE\KRISTY_HERNANDEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM--------- 4724001382400x8020000000000000276741Securityar-win-dc.attackrange.localGERTRUDE_DONALDSONATTACKRANGEATTACKRANGE\GERTRUDE_DONALDSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276740Securityar-win-dc.attackrange.local-GERTRUDE_DONALDSONATTACKRANGEATTACKRANGE\GERTRUDE_DONALDSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM--------- 4689001331300x8020000000000000426612Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x122cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 02/21/2024 18:02:21.987 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CLYDE_DICKERSON@attackrange.local name=CLYDE_DICKERSON displayName=CLYDE_DICKERSON distinguishedName=CN=CLYDE_DICKERSON,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=CLYDE_DICKERSON cn=CLYDE_DICKERSON Object Details: sAMAccountType=805306368 sAMAccountName=CLYDE_DICKERSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2604 primaryGroupID=513 pwdLastSet=06:02.22 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7cc38f7c-9dec-4385-a08e-a64f9502b388 whenChanged=06:02.22 PM, Wed 02/21/2024 whenCreated=09:54.51 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82029 uSNCreated=27426 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=AL-gui-admingroup1,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=WE-cab-admingroup1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-cupidon21-distlist1,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:21.925 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GARY_CARRILLO@attackrange.local name=GARY_CARRILLO displayName=GARY_CARRILLO distinguishedName=CN=GARY_CARRILLO,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=GARY_CARRILLO cn=GARY_CARRILLO Object Details: sAMAccountType=805306368 sAMAccountName=GARY_CARRILLO logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2024 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=392e8c32-9f9d-41c2-aacf-5f83212134f7 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:52.45 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82027 uSNCreated=23351 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:21.862 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KRISTY_HERNANDEZ@attackrange.local name=KRISTY_HERNANDEZ displayName=KRISTY_HERNANDEZ distinguishedName=CN=KRISTY_HERNANDEZ,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=KRISTY_HERNANDEZ cn=KRISTY_HERNANDEZ Object Details: sAMAccountType=805306368 sAMAccountName=KRISTY_HERNANDEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1843 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7fb3a18b-7a0f-4aa0-913b-b58c8460ba39 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:52.00 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82025 uSNCreated=22079 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=KR-bwoodchic-distlist1,OU=T0-Devices,OU=Tier 0,OU=Admin,DC=attackrange,DC=local memberOf=CN=LU-ayo-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RI-BET-distlist1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=TO-139680596-admingroup1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=LY-211-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RE-230-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:21.815 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GERTRUDE_DONALDSON@attackrange.local name=GERTRUDE_DONALDSON displayName=GERTRUDE_DONALDSON distinguishedName=CN=GERTRUDE_DONALDSON,OU=ITS,OU=Tier 2,DC=attackrange,DC=local sn=GERTRUDE_DONALDSON cn=GERTRUDE_DONALDSON Object Details: sAMAccountType=805306368 sAMAccountName=GERTRUDE_DONALDSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2451 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=84f142cf-f1e4-4b00-9dd3-bb69f09ba1d9 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:54.19 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82023 uSNCreated=26350 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=NA-wer-admingroup1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:21.959 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KRISTY_HERNANDEZ@attackrange.local name=KRISTY_HERNANDEZ displayName=KRISTY_HERNANDEZ distinguishedName=CN=KRISTY_HERNANDEZ,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=KRISTY_HERNANDEZ cn=KRISTY_HERNANDEZ Object Details: sAMAccountType=805306368 sAMAccountName=KRISTY_HERNANDEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1843 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=7fb3a18b-7a0f-4aa0-913b-b58c8460ba39 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:52.00 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82025 uSNCreated=22079 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=KR-bwoodchic-distlist1,OU=T0-Devices,OU=Tier 0,OU=Admin,DC=attackrange,DC=local memberOf=CN=LU-ayo-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RI-BET-distlist1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=TO-139680596-admingroup1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=LY-211-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RE-230-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:21.912 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GERTRUDE_DONALDSON@attackrange.local name=GERTRUDE_DONALDSON displayName=GERTRUDE_DONALDSON distinguishedName=CN=GERTRUDE_DONALDSON,OU=ITS,OU=Tier 2,DC=attackrange,DC=local sn=GERTRUDE_DONALDSON cn=GERTRUDE_DONALDSON Object Details: sAMAccountType=805306368 sAMAccountName=GERTRUDE_DONALDSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2451 primaryGroupID=513 pwdLastSet=06:02.21 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=84f142cf-f1e4-4b00-9dd3-bb69f09ba1d9 whenChanged=06:02.21 PM, Wed 02/21/2024 whenCreated=09:54.19 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82023 uSNCreated=26350 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=NA-wer-admingroup1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 154100x800000000000000042795Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:21.093{501DA29B-3AAD-65D6-8002-000000004903}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000426611Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x122cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000426610Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000426609Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000044944Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:20.548{0b642d80-3aac-65d6-c402-00000000be02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 410615103150x0708566Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708565Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708564Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local75e0a0c6-9b02-4980-9f6e-cbf3993dda772b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708563Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Define the new password - ensure to follow your organization's password policy $newPassword = ConvertTo-SecureString "NewP@ssw0rd123!" -AsPlainText -Force # Get 20 random user accounts $randomUsers = Get-ADUser -Filter * -Properties PasswordLastSet | Get-Random -Count 20 # Loop through each user and update the password foreach ($user in $randomUsers) { try { Set-ADAccountPassword $user.SamAccountName -NewPassword $newPassword -Reset Write-Host "Password updated for user: $($user.SamAccountName)" } catch { Write-Host "Failed to update password for user: $($user.SamAccountName)" } } # Output the users whose passwords were updated Write-Host "Updated passwords for the following users:" $randomUsers | Select-Object SamAccountName 75e0a0c6-9b02-4980-9f6e-cbf3993dda77 410615103150x0708562Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4689001331300x8020000000000000276739Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x8a8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000276738Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8a8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276737Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000042794Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:20.339{501DA29B-3AAC-65D6-7F02-000000004903}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000042793Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:19.667{501DA29B-3AAB-65D6-7E02-000000004903}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000276736Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276735Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x13b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000276734Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000044943Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:19.875{0b642d80-3aab-65d6-c302-00000000be02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000044942Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:19.123{0b642d80-3aab-65d6-c202-00000000be02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000426608Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000426607Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000426606Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfa0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000042792Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:18.916{501DA29B-3AAA-65D6-7D02-000000004903}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000042791Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:18.157{501DA29B-3AAA-65D6-7C02-000000004903}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000426605Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfa0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000426604Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000426603Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000276733Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000276732Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000044941Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:18.346{0b642d80-3aaa-65d6-c102-00000000be02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000276731Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000276730Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000044940Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:17.595{0b642d80-3aa9-65d6-c002-00000000be02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 410515102150x0708561Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708560Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald7ce585c-c1aa-478c-9d65-1a77843ce4c92b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708559Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708558Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708557Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald7ce585c-c1aa-478c-9d65-1a77843ce4c92b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708556Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptd7ce585c-c1aa-478c-9d65-1a77843ce4c9 410615103150x0708555Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708554Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708553Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala0da7b12-fcd4-444e-a45d-14b3126ed3e72b535b4c-a403-4565-9d75-b1fc8c18a9ac 4724001382400x8020000000000000276729Securityar-win-dc.attackrange.localSTACIE_POOLEATTACKRANGEATTACKRANGE\STACIE_POOLEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276728Securityar-win-dc.attackrange.local-STACIE_POOLEATTACKRANGEATTACKRANGE\STACIE_POOLEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276727Securityar-win-dc.attackrange.localNICKOLAS_PITTSATTACKRANGEATTACKRANGE\NICKOLAS_PITTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276726Securityar-win-dc.attackrange.local-NICKOLAS_PITTSATTACKRANGEATTACKRANGE\NICKOLAS_PITTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276725Securityar-win-dc.attackrange.localKIMBERLY_BURGESSATTACKRANGEATTACKRANGE\KIMBERLY_BURGESSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276724Securityar-win-dc.attackrange.local-KIMBERLY_BURGESSATTACKRANGEATTACKRANGE\KIMBERLY_BURGESSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276723Securityar-win-dc.attackrange.localGUILLERMO_STEPHENSATTACKRANGEATTACKRANGE\GUILLERMO_STEPHENSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276722Securityar-win-dc.attackrange.local-GUILLERMO_STEPHENSATTACKRANGEATTACKRANGE\GUILLERMO_STEPHENSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276721Securityar-win-dc.attackrange.localGINA_CAMPBELLATTACKRANGEATTACKRANGE\GINA_CAMPBELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276720Securityar-win-dc.attackrange.local-GINA_CAMPBELLATTACKRANGEATTACKRANGE\GINA_CAMPBELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276719Securityar-win-dc.attackrange.localCALVIN_MORINATTACKRANGEATTACKRANGE\CALVIN_MORINATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276718Securityar-win-dc.attackrange.local-CALVIN_MORINATTACKRANGEATTACKRANGE\CALVIN_MORINATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276717Securityar-win-dc.attackrange.localYOUNG_JOHNSONATTACKRANGEATTACKRANGE\YOUNG_JOHNSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276716Securityar-win-dc.attackrange.local-YOUNG_JOHNSONATTACKRANGEATTACKRANGE\YOUNG_JOHNSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276715Securityar-win-dc.attackrange.localSTEFANIE_DOUGLASATTACKRANGEATTACKRANGE\STEFANIE_DOUGLASATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276714Securityar-win-dc.attackrange.local-STEFANIE_DOUGLASATTACKRANGEATTACKRANGE\STEFANIE_DOUGLASATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276713Securityar-win-dc.attackrange.localMARK_PARKSATTACKRANGEATTACKRANGE\MARK_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276712Securityar-win-dc.attackrange.local-MARK_PARKSATTACKRANGEATTACKRANGE\MARK_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276711Securityar-win-dc.attackrange.localWALDO_GATESATTACKRANGEATTACKRANGE\WALDO_GATESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276710Securityar-win-dc.attackrange.local-WALDO_GATESATTACKRANGEATTACKRANGE\WALDO_GATESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276709Securityar-win-dc.attackrange.local6893486226SAATTACKRANGEATTACKRANGE\6893486226SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276708Securityar-win-dc.attackrange.local-6893486226SAATTACKRANGEATTACKRANGE\6893486226SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276707Securityar-win-dc.attackrange.localMARISA_GARCIAATTACKRANGEATTACKRANGE\MARISA_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276706Securityar-win-dc.attackrange.local-MARISA_GARCIAATTACKRANGEATTACKRANGE\MARISA_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276705Securityar-win-dc.attackrange.localISRAEL_CALLAHANATTACKRANGEATTACKRANGE\ISRAEL_CALLAHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276704Securityar-win-dc.attackrange.local-ISRAEL_CALLAHANATTACKRANGEATTACKRANGE\ISRAEL_CALLAHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276703Securityar-win-dc.attackrange.localWILBUR_MCGUIREATTACKRANGEATTACKRANGE\WILBUR_MCGUIREATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276702Securityar-win-dc.attackrange.local-WILBUR_MCGUIREATTACKRANGEATTACKRANGE\WILBUR_MCGUIREATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276701Securityar-win-dc.attackrange.localLOU_STAFFORDATTACKRANGEATTACKRANGE\LOU_STAFFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276700Securityar-win-dc.attackrange.local-LOU_STAFFORDATTACKRANGEATTACKRANGE\LOU_STAFFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276699Securityar-win-dc.attackrange.localKIP_HEATHATTACKRANGEATTACKRANGE\KIP_HEATHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276698Securityar-win-dc.attackrange.local-KIP_HEATHATTACKRANGEATTACKRANGE\KIP_HEATHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276697Securityar-win-dc.attackrange.localEMILIA_HILLATTACKRANGEATTACKRANGE\EMILIA_HILLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276696Securityar-win-dc.attackrange.local-EMILIA_HILLATTACKRANGEATTACKRANGE\EMILIA_HILLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276695Securityar-win-dc.attackrange.localKATHRINE_COLLIERATTACKRANGEATTACKRANGE\KATHRINE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276694Securityar-win-dc.attackrange.local-KATHRINE_COLLIERATTACKRANGEATTACKRANGE\KATHRINE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276693Securityar-win-dc.attackrange.localKAREEM_MCGEEATTACKRANGEATTACKRANGE\KAREEM_MCGEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276692Securityar-win-dc.attackrange.local-KAREEM_MCGEEATTACKRANGEATTACKRANGE\KAREEM_MCGEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM--------- 4724001382400x8020000000000000276691Securityar-win-dc.attackrange.localBARBARA_ONEALATTACKRANGEATTACKRANGE\BARBARA_ONEALATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000276690Securityar-win-dc.attackrange.local-BARBARA_ONEALATTACKRANGEATTACKRANGE\BARBARA_ONEALATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:15 PM--------- 02/21/2024 18:02:16.497 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=STACIE_POOLE@attackrange.local name=STACIE_POOLE displayName=STACIE_POOLE distinguishedName=CN=STACIE_POOLE,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=STACIE_POOLE cn=STACIE_POOLE Object Details: sAMAccountType=805306368 sAMAccountName=STACIE_POOLE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3287 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=49056208-8f06-465a-b338-3fc8bb3c09a8 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:57.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82021 uSNCreated=32223 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ED-LEE-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=MA-ama-admingroup1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.592 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=STACIE_POOLE@attackrange.local name=STACIE_POOLE displayName=STACIE_POOLE distinguishedName=CN=STACIE_POOLE,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=STACIE_POOLE cn=STACIE_POOLE Object Details: sAMAccountType=805306368 sAMAccountName=STACIE_POOLE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3287 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=49056208-8f06-465a-b338-3fc8bb3c09a8 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:57.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82021 uSNCreated=32223 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ED-LEE-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=MA-ama-admingroup1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.480 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=NICKOLAS_PITTS@attackrange.local name=NICKOLAS_PITTS displayName=NICKOLAS_PITTS distinguishedName=CN=NICKOLAS_PITTS,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local sn=NICKOLAS_PITTS cn=NICKOLAS_PITTS Object Details: sAMAccountType=805306368 sAMAccountName=NICKOLAS_PITTS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1135 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=4d724e00-701c-44f3-8ebe-e32290b2736f whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:49.13 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82019 uSNCreated=17101 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=JA-628-distlist1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AL-MIRAQUEER-distlist1,OU=Groups,OU=AWS,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.576 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=NICKOLAS_PITTS@attackrange.local name=NICKOLAS_PITTS displayName=NICKOLAS_PITTS distinguishedName=CN=NICKOLAS_PITTS,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local sn=NICKOLAS_PITTS cn=NICKOLAS_PITTS Object Details: sAMAccountType=805306368 sAMAccountName=NICKOLAS_PITTS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1135 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=4d724e00-701c-44f3-8ebe-e32290b2736f whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:49.13 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82019 uSNCreated=17101 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=JA-628-distlist1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AL-MIRAQUEER-distlist1,OU=Groups,OU=AWS,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.449 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KIMBERLY_BURGESS@attackrange.local name=KIMBERLY_BURGESS displayName=KIMBERLY_BURGESS distinguishedName=CN=KIMBERLY_BURGESS,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=KIMBERLY_BURGESS cn=KIMBERLY_BURGESS Object Details: sAMAccountType=805306368 sAMAccountName=KIMBERLY_BURGESS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1870 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b4b2ce73-35f6-4191-8140-efcddc5758b9 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82017 uSNCreated=22270 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EU-teamomama-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=ES-superbato-distlist1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.545 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KIMBERLY_BURGESS@attackrange.local name=KIMBERLY_BURGESS displayName=KIMBERLY_BURGESS distinguishedName=CN=KIMBERLY_BURGESS,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local sn=KIMBERLY_BURGESS cn=KIMBERLY_BURGESS Object Details: sAMAccountType=805306368 sAMAccountName=KIMBERLY_BURGESS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1870 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b4b2ce73-35f6-4191-8140-efcddc5758b9 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82017 uSNCreated=22270 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EU-teamomama-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=ES-superbato-distlist1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.417 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GUILLERMO_STEPHENS@attackrange.local name=GUILLERMO_STEPHENS displayName=GUILLERMO_STEPHENS distinguishedName=CN=GUILLERMO_STEPHENS,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=GUILLERMO_STEPHENS cn=GUILLERMO_STEPHENS Object Details: sAMAccountType=805306368 sAMAccountName=GUILLERMO_STEPHENS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2271 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=bb0d9b35-cf36-4f98-8f70-e76468f64443 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:53.40 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82015 uSNCreated=25086 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CH-302-distlist1,OU=ServiceAccounts,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=HU-tomy1703.-distlist1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=LO-teamolili-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LI-azu-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.513 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GUILLERMO_STEPHENS@attackrange.local name=GUILLERMO_STEPHENS displayName=GUILLERMO_STEPHENS distinguishedName=CN=GUILLERMO_STEPHENS,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=GUILLERMO_STEPHENS cn=GUILLERMO_STEPHENS Object Details: sAMAccountType=805306368 sAMAccountName=GUILLERMO_STEPHENS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2271 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=bb0d9b35-cf36-4f98-8f70-e76468f64443 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:53.40 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82015 uSNCreated=25086 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=CH-302-distlist1,OU=ServiceAccounts,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=HU-tomy1703.-distlist1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=LO-teamolili-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LI-azu-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.386 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GINA_CAMPBELL@attackrange.local name=GINA_CAMPBELL displayName=GINA_CAMPBELL distinguishedName=CN=GINA_CAMPBELL,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local sn=GINA_CAMPBELL cn=GINA_CAMPBELL Object Details: sAMAccountType=805306368 sAMAccountName=GINA_CAMPBELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1635 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=0b8d0268-f529-4383-b8c7-544842d47b1c whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:51.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82013 uSNCreated=20615 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.482 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GINA_CAMPBELL@attackrange.local name=GINA_CAMPBELL displayName=GINA_CAMPBELL distinguishedName=CN=GINA_CAMPBELL,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local sn=GINA_CAMPBELL cn=GINA_CAMPBELL Object Details: sAMAccountType=805306368 sAMAccountName=GINA_CAMPBELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1635 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=0b8d0268-f529-4383-b8c7-544842d47b1c whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:51.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82013 uSNCreated=20615 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.355 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CALVIN_MORIN@attackrange.local name=CALVIN_MORIN displayName=CALVIN_MORIN distinguishedName=CN=CALVIN_MORIN,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local sn=CALVIN_MORIN cn=CALVIN_MORIN Object Details: sAMAccountType=805306368 sAMAccountName=CALVIN_MORIN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1388 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e0ab0132-879c-4ea7-8be7-67de81a40643 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82011 uSNCreated=18879 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.451 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CALVIN_MORIN@attackrange.local name=CALVIN_MORIN displayName=CALVIN_MORIN distinguishedName=CN=CALVIN_MORIN,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local sn=CALVIN_MORIN cn=CALVIN_MORIN Object Details: sAMAccountType=805306368 sAMAccountName=CALVIN_MORIN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1388 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e0ab0132-879c-4ea7-8be7-67de81a40643 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82011 uSNCreated=18879 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.324 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=YOUNG_JOHNSON@attackrange.local name=YOUNG_JOHNSON displayName=YOUNG_JOHNSON distinguishedName=CN=YOUNG_JOHNSON,OU=Devices,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=YOUNG_JOHNSON cn=YOUNG_JOHNSON Object Details: sAMAccountType=805306368 sAMAccountName=YOUNG_JOHNSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1558 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3b0f6c2d-0277-444c-b25d-08d3a684e3b7 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.59 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82009 uSNCreated=20074 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=CA-NOC-distlist1,OU=T1-Accounts,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=JE-Morritos7-distlist1,OU=Devices,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.420 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=YOUNG_JOHNSON@attackrange.local name=YOUNG_JOHNSON displayName=YOUNG_JOHNSON distinguishedName=CN=YOUNG_JOHNSON,OU=Devices,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=YOUNG_JOHNSON cn=YOUNG_JOHNSON Object Details: sAMAccountType=805306368 sAMAccountName=YOUNG_JOHNSON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1558 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3b0f6c2d-0277-444c-b25d-08d3a684e3b7 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.59 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82009 uSNCreated=20074 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=CA-NOC-distlist1,OU=T1-Accounts,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=JE-Morritos7-distlist1,OU=Devices,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.292 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=STEFANIE_DOUGLAS@attackrange.local name=STEFANIE_DOUGLAS displayName=STEFANIE_DOUGLAS distinguishedName=CN=STEFANIE_DOUGLAS,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local sn=STEFANIE_DOUGLAS cn=STEFANIE_DOUGLAS Object Details: sAMAccountType=805306368 sAMAccountName=STEFANIE_DOUGLAS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2871 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=dec519ea-a70c-4640-b1ae-a186f898bb11 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.47 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82007 uSNCreated=29302 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=RA-magdalena-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=DO-dre-admingroup1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.388 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=STEFANIE_DOUGLAS@attackrange.local name=STEFANIE_DOUGLAS displayName=STEFANIE_DOUGLAS distinguishedName=CN=STEFANIE_DOUGLAS,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local sn=STEFANIE_DOUGLAS cn=STEFANIE_DOUGLAS Object Details: sAMAccountType=805306368 sAMAccountName=STEFANIE_DOUGLAS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2871 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=dec519ea-a70c-4640-b1ae-a186f898bb11 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.47 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82007 uSNCreated=29302 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=RA-magdalena-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=DO-dre-admingroup1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.277 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARK_PARKS@attackrange.local name=MARK_PARKS displayName=MARK_PARKS distinguishedName=CN=MARK_PARKS,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=MARK_PARKS cn=MARK_PARKS Object Details: sAMAccountType=805306368 sAMAccountName=MARK_PARKS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1875 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3db831f5-ec52-40a0-9c66-da72db2878b2 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82005 uSNCreated=22305 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=DU-319-admingroup1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=IS-cynthia69-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=KI-missaelga-distlist1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=HA-leu-admingroup1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.373 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARK_PARKS@attackrange.local name=MARK_PARKS displayName=MARK_PARKS distinguishedName=CN=MARK_PARKS,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=MARK_PARKS cn=MARK_PARKS Object Details: sAMAccountType=805306368 sAMAccountName=MARK_PARKS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1875 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3db831f5-ec52-40a0-9c66-da72db2878b2 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82005 uSNCreated=22305 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=DU-319-admingroup1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=IS-cynthia69-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=KI-missaelga-distlist1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=HA-leu-admingroup1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.245 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WALDO_GATES@attackrange.local name=WALDO_GATES displayName=WALDO_GATES distinguishedName=CN=WALDO_GATES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local sn=WALDO_GATES cn=WALDO_GATES Object Details: sAMAccountType=805306368 sAMAccountName=WALDO_GATES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1127 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3c67f55f-cceb-43a5-9858-0af398746e19 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:49.11 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82003 uSNCreated=17045 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z servicePrincipalName=MSSQL/HREWVIR1000000 managedObjects=CN=WA-con-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.342 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WALDO_GATES@attackrange.local name=WALDO_GATES displayName=WALDO_GATES distinguishedName=CN=WALDO_GATES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local sn=WALDO_GATES cn=WALDO_GATES Object Details: sAMAccountType=805306368 sAMAccountName=WALDO_GATES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1127 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=3c67f55f-cceb-43a5-9858-0af398746e19 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:49.11 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82003 uSNCreated=17045 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z servicePrincipalName=MSSQL/HREWVIR1000000 managedObjects=CN=WA-con-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.214 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=6893486226SA@attackrange.local name=6893486226SA displayName=6893486226SA distinguishedName=CN=6893486226SA,OU=GOO,OU=Stage,DC=attackrange,DC=local sn=6893486226SA cn=6893486226SA Object Details: sAMAccountType=805306368 sAMAccountName=6893486226SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2883 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=2b3c077d-c276-4b2d-ba87-13d05565ac25 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.49 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82001 uSNCreated=29386 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.310 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=6893486226SA@attackrange.local name=6893486226SA displayName=6893486226SA distinguishedName=CN=6893486226SA,OU=GOO,OU=Stage,DC=attackrange,DC=local sn=6893486226SA cn=6893486226SA Object Details: sAMAccountType=805306368 sAMAccountName=6893486226SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2883 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=2b3c077d-c276-4b2d-ba87-13d05565ac25 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.49 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82001 uSNCreated=29386 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.183 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARISA_GARCIA@attackrange.local name=MARISA_GARCIA displayName=MARISA_GARCIA distinguishedName=CN=MARISA_GARCIA,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local sn=MARISA_GARCIA cn=MARISA_GARCIA Object Details: sAMAccountType=805306368 sAMAccountName=MARISA_GARCIA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2532 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=da944fda-22b6-4d41-a134-a0d763cd5c74 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:54.36 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81999 uSNCreated=26921 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010101181633.0Z memberOf=CN=ER-181-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=RU-031993tra-distlist1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-181019999-distlist1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.279 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARISA_GARCIA@attackrange.local name=MARISA_GARCIA displayName=MARISA_GARCIA distinguishedName=CN=MARISA_GARCIA,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local sn=MARISA_GARCIA cn=MARISA_GARCIA Object Details: sAMAccountType=805306368 sAMAccountName=MARISA_GARCIA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2532 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=da944fda-22b6-4d41-a134-a0d763cd5c74 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:54.36 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81999 uSNCreated=26921 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010101181633.0Z memberOf=CN=ER-181-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=RU-031993tra-distlist1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-181019999-distlist1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.152 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ISRAEL_CALLAHAN@attackrange.local name=ISRAEL_CALLAHAN displayName=ISRAEL_CALLAHAN distinguishedName=CN=ISRAEL_CALLAHAN,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=ISRAEL_CALLAHAN cn=ISRAEL_CALLAHAN Object Details: sAMAccountType=805306368 sAMAccountName=ISRAEL_CALLAHAN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2747 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=1dac600a-2bcd-42b1-8510-221f9d132e27 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.20 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81997 uSNCreated=28427 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.248 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ISRAEL_CALLAHAN@attackrange.local name=ISRAEL_CALLAHAN displayName=ISRAEL_CALLAHAN distinguishedName=CN=ISRAEL_CALLAHAN,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=ISRAEL_CALLAHAN cn=ISRAEL_CALLAHAN Object Details: sAMAccountType=805306368 sAMAccountName=ISRAEL_CALLAHAN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2747 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=1dac600a-2bcd-42b1-8510-221f9d132e27 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:55.20 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81997 uSNCreated=28427 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.217 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WILBUR_MCGUIRE@attackrange.local name=WILBUR_MCGUIRE displayName=WILBUR_MCGUIRE distinguishedName=CN=WILBUR_MCGUIRE,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=WILBUR_MCGUIRE cn=WILBUR_MCGUIRE Object Details: sAMAccountType=805306368 sAMAccountName=WILBUR_MCGUIRE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2270 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=72d9c334-5ab9-4cae-8fe5-d1a9b171d167 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:53.39 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81995 uSNCreated=25079 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Esp-distlist1,OU=OGC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.170 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LOU_STAFFORD@attackrange.local name=LOU_STAFFORD displayName=LOU_STAFFORD distinguishedName=CN=LOU_STAFFORD,OU=People,DC=attackrange,DC=local sn=LOU_STAFFORD cn=LOU_STAFFORD Object Details: sAMAccountType=805306368 sAMAccountName=LOU_STAFFORD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2026 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=ad47e264-096c-47c6-8f37-5da952bacc33 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.45 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81993 uSNCreated=23365 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=FA-Demons786-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.138 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KIP_HEATH@attackrange.local name=KIP_HEATH displayName=KIP_HEATH distinguishedName=CN=KIP_HEATH,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local sn=KIP_HEATH cn=KIP_HEATH Object Details: sAMAccountType=805306368 sAMAccountName=KIP_HEATH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3157 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e0e84ab2-41dc-486c-a428-c25880e4a394 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:56.43 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81991 uSNCreated=31310 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.107 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=EMILIA_HILL@attackrange.local name=EMILIA_HILL displayName=EMILIA_HILL distinguishedName=CN=EMILIA_HILL,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local sn=EMILIA_HILL cn=EMILIA_HILL Object Details: sAMAccountType=805306368 sAMAccountName=EMILIA_HILL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3254 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=f7a3d2f6-e17c-4ebc-8007-0d20a147b2ea whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:57.02 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81989 uSNCreated=31992 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=EM-spi-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local memberOf=CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RE-chulaherm-distlist1,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=TA-bab-distlist1,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.076 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KATHRINE_COLLIER@attackrange.local name=KATHRINE_COLLIER displayName=KATHRINE_COLLIER distinguishedName=CN=KATHRINE_COLLIER,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=KATHRINE_COLLIER cn=KATHRINE_COLLIER Object Details: sAMAccountType=805306368 sAMAccountName=KATHRINE_COLLIER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1404 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b9db0071-5175-479a-a3f7-86067d793c2f whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.21 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81987 uSNCreated=18992 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HA-helpless2-distlist1,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=DE-100-admingroup1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=AU-333-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=EA-ferdhinan-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.045 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KAREEM_MCGEE@attackrange.local name=KAREEM_MCGEE displayName=KAREEM_MCGEE distinguishedName=CN=KAREEM_MCGEE,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=KAREEM_MCGEE cn=KAREEM_MCGEE Object Details: sAMAccountType=805306368 sAMAccountName=KAREEM_MCGEE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2412 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=4fd8f8fa-6608-46d3-8007-6dfa5a626035 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:54.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81985 uSNCreated=26076 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=KE-nic-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=54-hap-distlist1,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.120 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WILBUR_MCGUIRE@attackrange.local name=WILBUR_MCGUIRE displayName=WILBUR_MCGUIRE distinguishedName=CN=WILBUR_MCGUIRE,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local sn=WILBUR_MCGUIRE cn=WILBUR_MCGUIRE Object Details: sAMAccountType=805306368 sAMAccountName=WILBUR_MCGUIRE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2270 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=72d9c334-5ab9-4cae-8fe5-d1a9b171d167 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:53.39 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81995 uSNCreated=25079 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Esp-distlist1,OU=OGC,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.074 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LOU_STAFFORD@attackrange.local name=LOU_STAFFORD displayName=LOU_STAFFORD distinguishedName=CN=LOU_STAFFORD,OU=People,DC=attackrange,DC=local sn=LOU_STAFFORD cn=LOU_STAFFORD Object Details: sAMAccountType=805306368 sAMAccountName=LOU_STAFFORD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2026 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=ad47e264-096c-47c6-8f37-5da952bacc33 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:52.45 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81993 uSNCreated=23365 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=FA-Demons786-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:16.039 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KIP_HEATH@attackrange.local name=KIP_HEATH displayName=KIP_HEATH distinguishedName=CN=KIP_HEATH,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local sn=KIP_HEATH cn=KIP_HEATH Object Details: sAMAccountType=805306368 sAMAccountName=KIP_HEATH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3157 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=e0e84ab2-41dc-486c-a428-c25880e4a394 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:56.43 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81991 uSNCreated=31310 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 18:02:16.007 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=EMILIA_HILL@attackrange.local name=EMILIA_HILL displayName=EMILIA_HILL distinguishedName=CN=EMILIA_HILL,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local sn=EMILIA_HILL cn=EMILIA_HILL Object Details: sAMAccountType=805306368 sAMAccountName=EMILIA_HILL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3254 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=f7a3d2f6-e17c-4ebc-8007-0d20a147b2ea whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:57.02 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81989 uSNCreated=31992 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=EM-spi-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local memberOf=CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RE-chulaherm-distlist1,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=TA-bab-distlist1,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:15.998 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BARBARA_ONEAL@attackrange.local name=BARBARA_ONEAL displayName=BARBARA_ONEAL distinguishedName=CN=BARBARA_ONEAL,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local sn=BARBARA_ONEAL cn=BARBARA_ONEAL Object Details: sAMAccountType=805306368 sAMAccountName=BARBARA_ONEAL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3399 primaryGroupID=513 pwdLastSet=06:02.15 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=4f17d706-a5e1-4e06-910e-b96309c6680a whenChanged=06:02.15 PM, Wed 02/21/2024 whenCreated=09:57.31 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81983 uSNCreated=33013 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=EM-bon-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=GR-ascarothh-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=FL-bet-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:15.975 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KATHRINE_COLLIER@attackrange.local name=KATHRINE_COLLIER displayName=KATHRINE_COLLIER distinguishedName=CN=KATHRINE_COLLIER,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=KATHRINE_COLLIER cn=KATHRINE_COLLIER Object Details: sAMAccountType=805306368 sAMAccountName=KATHRINE_COLLIER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1404 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=b9db0071-5175-479a-a3f7-86067d793c2f whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:50.21 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81987 uSNCreated=18992 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HA-helpless2-distlist1,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=DE-100-admingroup1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=AU-333-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=EA-ferdhinan-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:15.941 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KAREEM_MCGEE@attackrange.local name=KAREEM_MCGEE displayName=KAREEM_MCGEE distinguishedName=CN=KAREEM_MCGEE,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=KAREEM_MCGEE cn=KAREEM_MCGEE Object Details: sAMAccountType=805306368 sAMAccountName=KAREEM_MCGEE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2412 primaryGroupID=513 pwdLastSet=06:02.16 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194816 objectGUID=4fd8f8fa-6608-46d3-8007-6dfa5a626035 whenChanged=06:02.16 PM, Wed 02/21/2024 whenCreated=09:54.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81985 uSNCreated=26076 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=KE-nic-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=54-hap-distlist1,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 18:02:15.899 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BARBARA_ONEAL@attackrange.local name=BARBARA_ONEAL displayName=BARBARA_ONEAL distinguishedName=CN=BARBARA_ONEAL,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local sn=BARBARA_ONEAL cn=BARBARA_ONEAL Object Details: sAMAccountType=805306368 sAMAccountName=BARBARA_ONEAL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3399 primaryGroupID=513 pwdLastSet=06:02.15 PM, Wed 02/21/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=512 objectGUID=4f17d706-a5e1-4e06-910e-b96309c6680a whenChanged=06:02.15 PM, Wed 02/21/2024 whenCreated=09:57.31 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=81983 uSNCreated=33013 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=EM-bon-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=GR-ascarothh-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=FL-bet-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local description=Created with secframe.com/badblood. 410615103150x0708552Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb86417a5-519a-454b-8bb2-474a34b499e22b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708551Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb86417a5-519a-454b-8bb2-474a34b499e22b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708550Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708549Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708548Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala0da7b12-fcd4-444e-a45d-14b3126ed3e72b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708547Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Define the new password - ensure to follow your organization's password policy $newPassword = ConvertTo-SecureString "NewP@ssw0rd123!" -AsPlainText -Force # Get 20 random user accounts $randomUsers = Get-ADUser -Filter * -Properties PasswordLastSet | Get-Random -Count 20 # Loop through each user and update the password foreach ($user in $randomUsers) { try { Set-ADAccountPassword $user.SamAccountName -NewPassword $newPassword -Reset Write-Host "Password updated for user: $($user.SamAccountName)" } catch { Write-Host "Failed to update password for user: $($user.SamAccountName)" } } # Output the users whose passwords were updated Write-Host "Updated passwords for the following users:" $randomUsers | Select-Object SamAccountName a0da7b12-fcd4-444e-a45d-14b3126ed3e7 410615103150x0708546Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4673001305700x8010000000000000276689Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 22542200x800000000000000044939Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:02.562{0b642d80-3a98-65d6-ba02-00000000be02}336ar-win-dc.attackrange.local0fe80::2c4d:3504:6979:e6f2;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administrator 410515102150x0708545Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708544Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb35af235-aed1-4958-908c-e136d6572af22b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708543Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708542Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708541Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb35af235-aed1-4958-908c-e136d6572af22b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708540Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptb35af235-aed1-4958-908c-e136d6572af2 410615103150x0708539Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708538Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708537Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8f357141-a5bd-4c62-99a7-8d69718ba3df2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4627001255400x8020000000000000276688Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1cf2a4311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000276687Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1cf2a43KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::156870%%1833---%%18430x0%%1842 4672001254800x8020000000000000276686Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1cf2a4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 410615103150x0708536Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708535Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708534Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8f357141-a5bd-4c62-99a7-8d69718ba3df2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708533Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11Import-Module ActiveDirectory8f357141-a5bd-4c62-99a7-8d69718ba3df 410615103150x0708532Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708531Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708530Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 4689001331300x8020000000000000276685Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x18ccC:\Windows\System32\HOSTNAME.EXE 4688201331200x8020000000000000276684Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x18ccC:\Windows\System32\HOSTNAME.EXE%%19360x150"C:\Windows\system32\HOSTNAME.EXE"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 4689001331300x8020000000000000276683Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x570C:\Windows\System32\HOSTNAME.EXE 4673001305700x8020000000000000276682Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4688201331200x8020000000000000276681Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x570C:\Windows\System32\HOSTNAME.EXE%%19360x150"C:\Windows\system32\HOSTNAME.EXE"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 4689001331300x8020000000000000276680Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 4689001331300x8020000000000000276679Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x434C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe 4688201331200x8020000000000000276678Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x434C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe%%19360xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2440.tmp" "c:\Users\Administrator\AppData\Local\Temp\en5zbq4l\CSCBC71219778BF4721BF35A33BDC6E09B.TMP"NULL SID--0x0C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000276677Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe%%19360x150"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 154100x800000000000000044938Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.627{0b642d80-3a99-65d6-bf02-00000000be02}6348C:\Windows\System32\HOSTNAME.EXE10.0.17763.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x800000000000000044937Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.499{0b642d80-3a99-65d6-be02-00000000be02}1392C:\Windows\System32\HOSTNAME.EXE10.0.17763.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x800000000000000044936Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localDLL2024-02-21 18:02:01.379{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.dll2024-02-21 18:02:01.222ATTACKRANGE\Administrator 154100x800000000000000044935Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.367{0b642d80-3a99-65d6-bd02-00000000be02}1076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2440.tmp" "c:\Users\Administrator\AppData\Local\Temp\en5zbq4l\CSCBC71219778BF4721BF35A33BDC6E09B.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"ATTACKRANGE\Administrator 154100x800000000000000044934Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.234{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x800000000000000044933Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.222{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline2024-02-21 18:02:01.222ATTACKRANGE\Administrator 11241100x800000000000000044932Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localDLL2024-02-21 18:02:01.222{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.dll2024-02-21 18:02:01.222ATTACKRANGE\Administrator 410515102150x0708529Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708528Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local48ba134f-9e64-4584-a732-197c05a617342b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708527Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708526Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708525Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local48ba134f-9e64-4584-a732-197c05a617342b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708524Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt48ba134f-9e64-4584-a732-197c05a61734 410615103150x0708523Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1ff25d67-532c-4a41-9122-e42c72f7eb882b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708522Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6a19b68d-06ed-49fc-8aec-0f966f79484d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708521Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3064d909-08ec-4728-a9aa-6617b06699762b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708520Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc451a5d3-da69-4afb-aaff-2f01dcd9deef2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708519Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc451a5d3-da69-4afb-aaff-2f01dcd9deef2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708518Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Write-PrereqResults ($FailureReasons, $testId) { if ($FailureReasons.Count -eq 0) { Write-KeyValue "Prerequisites met: " $testId } else { Write-Host -ForegroundColor Red "Prerequisites not met: $testId" foreach ($reason in $FailureReasons) { Write-Host -ForegroundColor Yellow -NoNewline "`t[*] $reason" } Write-Host -ForegroundColor Yellow -NoNewline "`nTry installing prereq's with the " Write-Host -ForegroundColor Cyan -NoNewline "-GetPrereqs" Write-Host -ForegroundColor Yellow " switch" } } c451a5d3-da69-4afb-aaff-2f01dcd9deefC:\AtomicRedTeam\invoke-atomicredteam\Private\Write-PrereqResults.ps1 410615103150x0708517Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3cf42e5-7ab8-41b4-9ae8-a9dd2055bc262b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708516Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3cf42e5-7ab8-41b4-9ae8-a9dd2055bc262b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708515Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Write-KeyValue ($key, $value) { Write-Host -ForegroundColor Cyan -NoNewline $key $split = $value -split "(#{[a-z-_A-Z]*})" foreach ($s in $split) { if ($s -match "(#{[a-z-_A-Z]*})") { Write-Host -ForegroundColor Red -NoNewline $s } else { Write-Host -ForegroundColor Green -NoNewline $s } } Write-Host "" } a3cf42e5-7ab8-41b4-9ae8-a9dd2055bc26C:\AtomicRedTeam\invoke-atomicredteam\Private\Write-KeyValue.ps1 410615103150x0708514Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localaabbc059-fe19-4e1c-9f05-f4ba5db52b9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708513Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localaabbc059-fe19-4e1c-9f05-f4ba5db52b9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708512Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-CleanupDescription() { $ret1 = $test.description.ToString().trim() -replace '(?<!\n)\n(?!\n)', ' ' #replace single linefeeds with a space $ret1 -replace '\n\n', "`n" #replace double linefeeds with a single linefeed } function Show-Details ($test, $testCount, $technique, $customInputArgs, $PathToAtomicsFolder) { # Header info $tName = $technique.display_name.ToString() + " " + $technique.attack_technique Write-Host -ForegroundColor Magenta "[********BEGIN TEST*******]" Write-KeyValue "Technique: " $tName Write-KeyValue "Atomic Test Name: " $test.name.ToString() Write-KeyValue "Atomic Test Number: " $testCount if ($test.auto_generated_guid) { Write-KeyValue "Atomic Test GUID: " $test.auto_generated_guid } Write-KeyValue "Description: " $(Invoke-CleanupDescription $test) # Attack Commands Write-Host -ForegroundColor Yellow "`nAttack Commands:" $elevationRequired = $false if ($nul -ne $test.executor.elevation_required ) { $elevationRequired = $test.executor.elevation_required } $executor_name = $test.executor.name Write-KeyValue "Executor: " $executor_name Write-KeyValue "ElevationRequired: " $elevationRequired $final_command = Merge-InputArgs $test.executor.command $test $customInputArgs $PathToAtomicsFolder Write-KeyValue "Command:`n" $test.executor.command.trim() if ($test.executor.command -ne $final_command) { Write-KeyValue "Command (with inputs):`n" $final_command.trim() } # Cleanup Commands if ($nul -ne $test.executor.cleanup_command) { Write-Host -ForegroundColor Yellow "`nCleanup Commands:" $final_command = Merge-InputArgs $test.executor.cleanup_command $test $customInputArgs $PathToAtomicsFolder Write-KeyValue "Command:`n" $test.executor.cleanup_command.trim() if ($test.executor.cleanup_command -ne $final_command) { Write-KeyValue "Command (with inputs):`n" $final_command.trim() } } # Dependencies if ($nul -ne $test.dependencies) { Write-Host -ForegroundColor Yellow "`nDependencies:" foreach ($dep in $test.dependencies) { $final_command_prereq = Merge-InputArgs $dep.prereq_command $test $customInputArgs $PathToAtomicsFolder $final_command_get_prereq = Merge-InputArgs $dep.get_prereq_command $test $customInputArgs $PathToAtomicsFolder $description = Merge-InputArgs $dep.description $test $customInputArgs $PathToAtomicsFolder Write-KeyValue "Description: " $description.trim() Write-KeyValue "Check Prereq Command:`n" $dep.prereq_command.trim() if ( $dep.prereq_command -ne $final_command_prereq ) { Write-KeyValue "Check Prereq Command (with inputs):`n" $final_command_prereq.trim() } Write-KeyValue "Get Prereq Command:`n" $dep.get_prereq_command.trim() if ( $dep.get_prereq_command -ne $final_command_get_prereq ) { Write-KeyValue "Get Prereq Command (with inputs):`n" $final_command_get_prereq.trim() } } } # Footer Write-Host -ForegroundColor Magenta "[!!!!!!!!END TEST!!!!!!!]`n`n" } aabbc059-fe19-4e1c-9f05-f4ba5db52b9bC:\AtomicRedTeam\invoke-atomicredteam\Private\Show-Details.ps1 410615103150x0708511Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2cd43e16-936a-4876-9317-12bd8474ee282b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708510Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2cd43e16-936a-4876-9317-12bd8474ee282b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708509Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-InputArgs([hashtable]$ip, $customInputArgs, $PathToAtomicsFolder) { $defaultArgs = @{ } foreach ($key in $ip.Keys) { $defaultArgs[$key] = $ip[$key].default } # overwrite defaults with any user supplied values foreach ($key in $customInputArgs.Keys) { if ($defaultArgs.Keys -contains $key) { # replace default with user supplied $defaultArgs.set_Item($key, $customInputArgs[$key]) } else { Write-Verbose "The specified input argument *$key* was ignored as not applicable" } } $defaultArgs } function Merge-InputArgs($finalCommand, $test, $customInputArgs, $PathToAtomicsFolder) { if (($null -ne $finalCommand) -and ($test.input_arguments.Count -gt 0)) { Write-Verbose -Message 'Replacing inputArgs with user specified values, or default values if none provided' $inputArgs = Get-InputArgs $test.input_arguments $customInputArgs $PathToAtomicsFolder foreach ($key in $inputArgs.Keys) { $findValue = '#{' + $key + '}' $finalCommand = $finalCommand.Replace($findValue, $inputArgs[$key]) } } # Replace $PathToAtomicsFolder or PathToAtomicsFolder with the actual -PathToAtomicsFolder value $finalCommand = ($finalCommand -replace "\`$PathToAtomicsFolder", $PathToAtomicsFolder) -replace "PathToAtomicsFolder", $PathToAtomicsFolder $finalCommand } function Invoke-PromptForInputArgs([hashtable]$ip) { $InputArgs = @{ } foreach ($key in $ip.Keys) { $InputArgs[$key] = $ip[$key].default $newValue = Read-Host -Prompt "Enter a value for $key , or press enter to accept the default.`n$($ip[$key].description.trim()) [$($ip[$key].default.trim())]" # replace default with user supplied if (-not [string]::IsNullOrWhiteSpace($newValue)) { $InputArgs.set_Item($key, $newValue) } } $InputArgs } 2cd43e16-936a-4876-9317-12bd8474ee28C:\AtomicRedTeam\invoke-atomicredteam\Private\Replace-InputArgs.ps1 410615103150x0708508Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local83ea041a-9015-437d-9af8-55e97acc04202b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708507Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local83ea041a-9015-437d-9af8-55e97acc04202b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708506Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# The Invoke-Process function is loosely based on code from https://github.com/guitarrapc/PowerShellUtil/blob/master/Invoke-Process/Invoke-Process.ps1 function Invoke-Process { [OutputType([PSCustomObject])] [CmdletBinding()] param ( [Parameter(Mandatory = $false, Position = 0)] [string]$FileName = "PowerShell.exe", [Parameter(Mandatory = $false, Position = 1)] [string[]]$Arguments = "", [Parameter(Mandatory = $false, Position = 3)] [Int]$TimeoutSeconds = 120, [Parameter(Mandatory = $false, Position = 4)] [String]$stdoutFile = $null, [Parameter(Mandatory = $false, Position = 5)] [String]$stderrFile = $null ) end { $WorkingDirectory = if ($IsLinux -or $IsMacOS) { "/tmp" } else { $env:TEMP } try { # new Process if ($stdoutFile) { # new Process $process = NewProcess -FileName $FileName -Arguments $Arguments -WorkingDirectory $WorkingDirectory # Event Handler for Output $stdSb = New-Object -TypeName System.Text.StringBuilder $errorSb = New-Object -TypeName System.Text.StringBuilder $scripBlock = { $x = $Event.SourceEventArgs.Data if (-not [String]::IsNullOrEmpty($x)) { $Event.MessageData.AppendLine($x) } } $stdEvent = Register-ObjectEvent -InputObject $process -EventName OutputDataReceived -Action $scripBlock -MessageData $stdSb $errorEvent = Register-ObjectEvent -InputObject $process -EventName ErrorDataReceived -Action $scripBlock -MessageData $errorSb # execution $process.Start() > $null $process.BeginOutputReadLine() $process.BeginErrorReadLine() # wait for complete $Timeout = [System.TimeSpan]::FromSeconds(($TimeoutSeconds)) $isTimeout = $false if (-not $Process.WaitForExit($Timeout.TotalMilliseconds)) { $isTimeout = $true Invoke-KillProcessTree $process.id Write-Host -ForegroundColor Red "Process Timed out after $TimeoutSeconds seconds, use '-TimeoutSeconds' to specify a different timeout" } $process.CancelOutputRead() $process.CancelErrorRead() # Unregister Event to recieve Asynchronous Event output (should be called before process.Dispose()) Unregister-Event -SourceIdentifier $stdEvent.Name Unregister-Event -SourceIdentifier $errorEvent.Name $stdOutString = $stdSb.ToString().Trim() if ($stdOutString.Length -gt 0) { Write-Host $stdOutString } $stdErrString = $errorSb.ToString().Trim() if ($stdErrString.Length -gt 0) { Write-Host $stdErrString } # Get Process result return GetCommandResult -Process $process -StandardStringBuilder $stdSb -ErrorStringBuilder $errorSb -IsTimeOut $isTimeout } else { # This is the enitrety of the "old style" code, kept for interactive tests $process = Start-Process -FilePath $FileName -ArgumentList $Arguments -WorkingDirectory $WorkingDirectory -NoNewWindow -PassThru # cache process.Handle, otherwise ExitCode is null from powershell processes $handle = $process.Handle # wait for complete $Timeout = [System.TimeSpan]::FromSeconds(($TimeoutSeconds)) if (-not $process.WaitForExit($Timeout.TotalMilliseconds)) { Invoke-KillProcessTree $process.id Write-Host -ForegroundColor Red "Process Timed out after $TimeoutSeconds seconds, use '-TimeoutSeconds' to specify a different timeout" if ($stdoutFile) { # Add a warning in stdoutFile in case of timeout # problem: $stdoutFile was locked in writing by the process we just killed, sometimes it's too fast and the lock isn't released immediately # solution: retry at most 10 times with 100ms between each attempt For ($i = 0; $i -lt 10; $i++) { try { "<timeout>" | Out-File (Join-Path $WorkingDirectory $stdoutFile) -Append -Encoding ASCII break # if we're here it means the file wasn't locked and Out-File worked, so we can leave the retry loop } catch {} # file is locked Start-Sleep -m 100 } } } if ($IsLinux -or $IsMacOS) { Start-Sleep -Seconds 5 # On nix, the last 4 lines of stdout get overwritten upon return so pause for a bit to ensure user can view results } # Get Process result return [PSCustomObject]@{ StandardOutput = "" ErrorOutput = "" ExitCode = $process.ExitCode ProcessId = $Process.Id IsTimeOut = $IsTimeout } } } finally { if ($null -ne $process) { $process.Dispose() } if ($null -ne $stdEvent) { $stdEvent.StopJob(); $stdEvent.Dispose() } if ($null -ne $errorEvent) { $errorEvent.StopJob(); $errorEvent.Dispose() } } } begin { function NewProcess { [OutputType([System.Diagnostics.Process])] [CmdletBinding()] param ( [parameter(Mandatory = $true)] [string]$FileName, [parameter(Mandatory = $false)] [string[]]$Arguments, [parameter(Mandatory = $false)] [string]$WorkingDirectory ) # ProcessStartInfo $psi = New-object System.Diagnostics.ProcessStartInfo $psi.CreateNoWindow = $true $psi.UseShellExecute = $false $psi.RedirectStandardOutput = $true $psi.RedirectStandardError = $true $psi.FileName = $FileName $psi.Arguments += $Arguments $psi.WorkingDirectory = $WorkingDirectory # Set Process $process = New-Object System.Diagnostics.Process $process.StartInfo = $psi $process.EnableRaisingEvents = $true return $process } function GetCommandResult { [OutputType([PSCustomObject])] [CmdletBinding()] param ( [parameter(Mandatory = $true)] [System.Diagnostics.Process]$Process, [parameter(Mandatory = $true)] [System.Text.StringBuilder]$StandardStringBuilder, [parameter(Mandatory = $true)] [System.Text.StringBuilder]$ErrorStringBuilder, [parameter(Mandatory = $true)] [Bool]$IsTimeout ) return [PSCustomObject]@{ StandardOutput = $StandardStringBuilder.ToString().Trim() ErrorOutput = $ErrorStringBuilder.ToString().Trim() ExitCode = $Process.ExitCode ProcessId = $Process.Id IsTimeOut = $IsTimeout } } } } 83ea041a-9015-437d-9af8-55e97acc0420C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1 410615103150x0708505Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2673f39b-f9b4-4bce-9709-3c49493d8d952b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708504Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2673f39b-f9b4-4bce-9709-3c49493d8d952b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708503Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-KillProcessTree { Param([int]$ppid) if ($IsLinux -or $IsMacOS) { sh -c "pkill -9 -P $ppid" } else { while ($null -ne ($gcim = Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq $ppid })) { $gcim | ForEach-Object { Invoke-KillProcessTree $_.ProcessId; Start-Sleep -Seconds 0.5 } } Stop-Process -Id $ppid -ErrorAction Ignore } } 2673f39b-f9b4-4bce-9709-3c49493d8d95C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-KillProcessTree.ps1 410615103150x0708502Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localca437bfd-3489-4c5b-952c-6aeda127f75d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708501Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localca437bfd-3489-4c5b-952c-6aeda127f75d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708500Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-ExecuteCommand ($finalCommand, $executor, $executionPlatform, $TimeoutSeconds, $session = $null, $interactive) { $null = @( if ($null -eq $finalCommand) { return 0 } $finalCommand = $finalCommand.trim() Write-Verbose -Message 'Invoking Atomic Tests using defined executor' if ($executor -eq "command_prompt" -or $executor -eq "sh" -or $executor -eq "bash") { $execPrefix = "-c" $execExe = $executor if ($executor -eq "command_prompt") { $execPrefix = "/c"; $execExe = "cmd.exe"; $execCommand = $finalCommand -replace "`n", " & " $arguments = $execPrefix, "$execCommand" } else { $finalCommand = $finalCommand -replace "[\\](?!;)", "`\$&" $finalCommand = $finalCommand -replace "[`"]", "`\$&" $execCommand = $finalCommand -replace "(?<!;)\n", "; " $arguments = "$execPrefix `"$execCommand`"" } } elseif ($executor -eq "powershell") { $execCommand = $finalCommand -replace "`"", "`\`"`"" if ($session) { if ($executionPlatform -eq "windows") { $execExe = "powershell.exe" } else { $execExe = "pwsh" } } else { $execExe = "powershell.exe"; if ($IsLinux -or $IsMacOS) { $execExe = "pwsh" } } if ($execExe -eq "pwsh") { $arguments = "-Command $execCommand" } else { $arguments = "& {$execCommand}" } } else { Write-Warning -Message "Unable to generate or execute the command line properly. Unknown executor" return [PSCustomObject]@{ StandardOutput = "" ErrorOutput = "" ExitCode = -1 IsTimeOut = $false } } # Write-Host -ForegroundColor Magenta "$execExe $arguments" if ($session) { $scriptParentPath = Split-Path $import -Parent $fp = Join-Path $scriptParentPath "Invoke-Process.ps1" $fp2 = Join-Path $scriptParentPath "Invoke-KillProcessTree.ps1" invoke-command -Session $session -FilePath $fp invoke-command -Session $session -FilePath $fp2 $res = invoke-command -Session $session -ScriptBlock { Invoke-Process -filename $Using:execExe -Arguments $Using:arguments -TimeoutSeconds $Using:TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt" } } else { if ($interactive) { # This use case is: Local execution of tests that contain interactive prompts # In this situation, let the stdout/stderr flow to the console $res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds } else { # Local execution that DO NOT contain interactive prompts # In this situation, capture the stdout/stderr for Invoke-AtomicTest to send to the caller $res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt" } } ) $res } ca437bfd-3489-4c5b-952c-6aeda127f75dC:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-ExecuteCommand.ps1 410615103150x0708499Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb72721eb-fc56-4724-bf6d-6687a42dd1522b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708498Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb72721eb-fc56-4724-bf6d-6687a42dd1522b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708497Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-CheckPrereqs ($test, $isElevated, $executionPlatform, $customInputArgs, $PathToAtomicsFolder, $TimeoutSeconds, $session = $null) { $FailureReasons = New-Object System.Collections.ArrayList if ( $test.executor.elevation_required -and -not $isElevated) { $FailureReasons.add("Elevation required but not provided`n") | Out-Null } foreach ($dep in $test.dependencies) { $executor = Get-PrereqExecutor $test $final_command = Merge-InputArgs $dep.prereq_command $test $customInputArgs $PathToAtomicsFolder if ($executor -ne "powershell") { $final_command = ($final_Command.trim()).Replace("`n", " && ") } $res = Invoke-ExecuteCommand $final_command $executor $executionPlatform $TimeoutSeconds $session $description = Merge-InputArgs $dep.description $test $customInputArgs $PathToAtomicsFolder if ($res.ExitCode -ne 0) { $FailureReasons.add($description) | Out-Null } } $FailureReasons } b72721eb-fc56-4724-bf6d-6687a42dd152C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-CheckPrereqs.ps1 410615103150x0708496Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local580e331c-a59d-4c02-9005-96046b2615ae2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708495Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local580e331c-a59d-4c02-9005-96046b2615ae2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708494Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-TargetInfo($Session) { $tmpDir = "$env:TEMP\" $isElevated = $false $targetHostname = hostname $targetUser = whoami if ($Session) { $targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser = invoke-command -Session $Session -ScriptBlock { $targetPlatform = "windows" $tmpDir = "/tmp/" $targetHostname = hostname $targetUser = whoami if ($IsLinux) { $targetPlatform = "linux" } elseif ($IsMacOS) { $targetPlatform = "macos" } else { # windows $tmpDir = "$env:TEMP\" $isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } if ($IsLinux -or $IsMacOS) { $isElevated = $false $privid = id -u if ($privid -eq 0) { $isElevated = $true } } $targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser } # end ScriptBlock for remote session } else { $targetPlatform = "linux" if ($IsLinux -or $IsMacOS) { $tmpDir = "/tmp/" $isElevated = $false $privid = id -u if ($privid -eq 0) { $isElevated = $true } if ($IsMacOS) { $targetPlatform = "macos" } } else { $targetPlatform = "windows" $isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } } $targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser } 580e331c-a59d-4c02-9005-96046b2615aeC:\AtomicRedTeam\invoke-atomicredteam\Private\Get-TargetInfo.ps1 410615103150x0708493Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local018c13a6-4607-4408-96b7-47a65036f17c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708492Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local018c13a6-4607-4408-96b7-47a65036f17c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708491Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-PrereqExecutor ($test) { if ($nul -eq $test.dependency_executor_name) { $executor = $test.executor.name } else { $executor = $test.dependency_executor_name } $executor } 018c13a6-4607-4408-96b7-47a65036f17cC:\AtomicRedTeam\invoke-atomicredteam\Private\Get-PrereqExecutor.ps1 410615103150x0708490Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2be6acf6-3d12-4ca6-84eb-d128983fada32b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708489Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2be6acf6-3d12-4ca6-84eb-d128983fada32b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708488Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-AtomicGUI { param ( [Int] $port = 8487 ) # Install-Module UniversalDashboard if not already installed $UDcommunityInstalled = Get-InstalledModule -Name "UniversalDashboard.Community" -ErrorAction:SilentlyContinue $UDinstalled = Get-InstalledModule -Name "UniversalDashboard" -ErrorAction:SilentlyContinue if (-not $UDcommunityInstalled -and -not $UDinstalled) { Write-Host "Installing UniversalDashboard.Community" Install-Module -Name UniversalDashboard.Community -Scope CurrentUser -Force } ############## Function Definitions Made Available to EndPoints function New-UDTextAreaX ($ID, $PlaceHolder) { New-UDElement -Tag div -Attributes @{class = "input-field col" } -Content { New-UDElement -Tag "textarea" -id $ID -Attributes @{ class = "materialize-textarea ud-input" } New-UDElement -Tag Label -Attributes @{for = $ID } -Content { $PlaceHolder } } } function New-UDTextBoxX ($ID, $PlaceHolder) { New-UDElement -Tag div -Attributes @{class = "input-field col" } -Content { New-UDElement -Tag "input" -id $ID -Attributes @{ class = "ud-input"; type = "text" } New-UDElement -Tag Label -Attributes @{for = $ID } -Content { $PlaceHolder } } } $InputArgCards = @{ } function New-InputArgCard { $cardNumber = $InputArgCards.count + 1 $newCard = New-UDCard -ID "InputArgCard$cardNumber" -Content { New-UDTextBoxX "InputArgCard$cardNumber-InputArgName" "Input Argument Name" New-UDTextAreaX "InputArgCard$cardNumber-InputArgDescription" "Description" New-UDTextBoxX "InputArgCard$cardNumber-InputArgDefault" "Default Value" New-UDLayout -columns 4 { New-UDSelect -ID "InputArgCard$cardNumber-InputArgType" -Label "Type" -Option { New-UDSelectOption -Name "Path" -Value "path" New-UDSelectOption -Name "String" -Value "string" New-UDSelectOption -Name "Url" -Value "url" New-UDSelectOption -Name "Integer" -Value "integer" } } New-UDButton -Text "Remove this Input Argument" -OnClick ( New-UDEndpoint -Endpoint { Remove-UDElement -Id "InputArgCard$cardNumber" $inputArgCards["InputArgCard$cardNumber"] = $true } -ArgumentList @($cardNumber, $inputArgCards) ) } $InputArgCards.Add("InputArgCard$cardNumber", $false) | Out-Null $newCard } $depCards = @{ } function New-depCard { $cardNumber = $depCards.count + 1 $newCard = New-UDCard -ID "depCard$cardNumber" -Content { New-UDTextBoxX "depCard$cardNumber-depDescription" "Prereq Description" New-UDTextAreaX "depCard$cardNumber-prereqCommand" "Check prereqs Command" New-UDTextAreaX "depCard$cardNumber-getPrereqCommand" "Get Prereqs Command" New-UDButton -Text "Remove this Prereq" -OnClick ( New-UDEndpoint -Endpoint { Remove-UDElement -Id "depCard$cardNumber" $depCards["depCard$cardNumber"] = $true } -ArgumentList @($cardNumber, $depCards) ) } $depCards.Add("depCard$cardNumber", $false) | Out-Null $newCard } function New-UDSelectX ($Id, $Label) { New-UDSelect -Label $Label -Id $Id -Option { New-UDSelectOption -Name "PowerShell" -Value "PowerShell" -Selected New-UDSelectOption -Name "Command Prompt" -Value "CommandPrompt" New-UDSelectOption -Name "Bash" -Value "Bash" New-UDSelectOption -Name "Sh" -Value "Sh" } } ############## End Function Definitions Made Available to EndPoints # EndpointInitialization defining which methods, modules, and variables will be available for use within an endpoint $ei = New-UDEndpointInitialization ` -Function @("New-InputArgCard", "New-depCard", "New-UDTextAreaX", "New-UDTextBoxX", "New-UDSelectX") ` -Variable @("InputArgCards", "depCards", "yaml") ` -Module @("..\Invoke-AtomicRedTeam.psd1") ############## EndPoint (ep) Definitions: Dynamic code called to generate content for an element or perfrom onClick actions $BuildAndDisplayYamlScriptBlock = { $testName = (Get-UDElement -Id atomicName).Attributes['value'] $testDesc = (Get-UDElement -Id atomicDescription).Attributes['value'] $platforms = @() if ((Get-UDElement -Id spWindows).Attributes['checked']) { $platforms += "Windows" } if ((Get-UDElement -Id spLinux).Attributes['checked']) { $platforms += "Linux" } if ((Get-UDElement -Id spMacOS).Attributes['checked']) { $platforms += "macOS" } $attackCommands = (Get-UDElement -Id attackCommands).Attributes['value'] $executor = (Get-UDElement -Id executorSelector).Attributes['value'] $elevationRequired = (Get-UDElement -Id elevationRequired).Attributes['checked'] $cleanupCommands = (Get-UDElement -Id cleanupCommands).Attributes['value'] if ("" -eq $executor) { $executor = "PowerShell" } # input args $inputArgs = @() $InputArgCards.GetEnumerator() | ForEach-Object { if ($_.Value -eq $false) { # this was not deleted $prefix = $_.key $InputArgName = (Get-UDElement -Id "$prefix-InputArgName").Attributes['value'] $InputArgDescription = (Get-UDElement -Id "$prefix-InputArgDescription").Attributes['value'] $InputArgDefault = (Get-UDElement -Id "$prefix-InputArgDefault").Attributes['value'] $InputArgType = (Get-UDElement -Id "$prefix-InputArgType").Attributes['value'] if ("" -eq $InputArgType) { $InputArgType = "String" } $NewInputArg = New-AtomicTestInputArgument -Name $InputArgName -Description $InputArgDescription -Type $InputArgType -Default $InputArgDefault -WarningVariable +warnings $inputArgs += $NewInputArg } } # dependencies $dependencies = @() $preReqEx = "" $depCards.GetEnumerator() | ForEach-Object { if ($_.Value -eq $false) { # a value of true means the card was deleted, so only add dependencies from non-deleted cards $prefix = $_.key $depDescription = (Get-UDElement -Id "$prefix-depDescription").Attributes['value'] $prereqCommand = (Get-UDElement -Id "$prefix-prereqCommand").Attributes['value'] $getPrereqCommand = (Get-UDElement -Id "$prefix-getPrereqCommand").Attributes['value'] $preReqEx = (Get-UDElement -Id "preReqEx").Attributes['value'] if ("" -eq $preReqEx) { $preReqEx = "PowerShell" } $NewDep = New-AtomicTestDependency -Description $depDescription -PrereqCommand $prereqCommand -GetPrereqCommand $getPrereqCommand -WarningVariable +warnings $dependencies += $NewDep } } $depParams = @{ } if ($dependencies.count -gt 0) { $depParams.add("DependencyExecutorType", $preReqEx) $depParams.add("Dependencies", $dependencies) } if (($cleanupCommands -ne "") -and ($null -ne $cleanupCommands)) { $depParams.add("ExecutorCleanupCommand", $cleanupCommands) } $depParams.add("ExecutorElevationRequired", $elevationRequired) $AtomicTest = New-AtomicTest -Name $testName -Description $testDesc -SupportedPlatforms $platforms -InputArguments $inputArgs -ExecutorType $executor -ExecutorCommand $attackCommands -WarningVariable +warnings @depParams $yaml = ($AtomicTest | ConvertTo-Yaml) -replace "^", "- " -replace "`n", "`n " foreach ($warning in $warnings) { Show-UDToast $warning -BackgroundColor LightYellow -Duration 10000 } New-UDElement -ID yaml -Tag pre -Content { $yaml } } $epYamlModal = New-UDEndpoint -Endpoint { Show-UDModal -Header { New-UDHeading -Size 3 -Text "Test Definition YAML" } -Content { new-udrow -endpoint $BuildAndDisplayYamlScriptBlock # Left arrow button (decrease indentation) New-UDButton -Icon arrow_circle_left -OnClick ( New-UDEndpoint -Endpoint { $yaml = (Get-UDElement -Id "yaml").Content[0] if (-not $yaml.startsWith("- ")) { Set-UDElement -Id "yaml" -Content { $yaml -replace "^ ", "" -replace "`n ", "`n" } } } ) # Right arrow button (increase indentation) New-UDButton -Icon arrow_circle_right -OnClick ( New-UDEndpoint -Endpoint { $yaml = (Get-UDElement -Id "yaml").Content[0] Set-UDElement -Id "yaml" -Content { $yaml -replace "^", " " -replace "`n", "`n " } } ) # Copy Yaml to clipboard New-UDButton -Text "Copy" -OnClick ( New-UDEndpoint -Endpoint { $yaml = (Get-UDElement -Id "yaml").Content[0] Set-UDClipboard -Data $yaml Show-UDToast -Message "Copied YAML to the Clipboard" -BackgroundColor YellowGreen } ) } } $epFillTestData = New-UDEndpoint -Endpoint { Add-UDElement -ParentId "inputCard" -Content { New-InputArgCard } Add-UDElement -ParentId "depCard" -Content { New-depCard } Start-Sleep 1 Set-UDElement -Id atomicName -Attributes @{value = "My new atomic" } Set-UDElement -Id atomicDescription -Attributes @{value = "This is the atomic description" } Set-UDElement -Id attackCommands -Attributes @{value = "echo this`necho that" } Set-UDElement -Id cleanupCommands -Attributes @{value = "cleanup commands here`nand here..." } # InputArgs $cardNumber = 1 Set-UDElement -Id "InputArgCard$cardNumber-InputArgName" -Attributes @{value = "input_arg_1" } Set-UDElement -Id "InputArgCard$cardNumber-InputArgDescription" -Attributes @{value = "InputArg1 description" } Set-UDElement -Id "InputArgCard$cardNumber-InputArgDefault" -Attributes @{value = "this is the default value" } # dependencies Set-UDElement -Id "depCard$cardNumber-depDescription" -Attributes @{value = "This file must exist" } Set-UDElement -Id "depCard$cardNumber-prereqCommand" -Attributes @{value = "if (this) then that" } Set-UDElement -Id "depCard$cardNumber-getPrereqCommand" -Attributes @{value = "iwr" } } ############## End EndPoint (ep) Definitions ############## Static Definitions $supportedPlatforms = New-UDLayout -Columns 4 { New-UDElement -Tag Label -Attributes @{ style = @{"font-size" = "15px" } } -Content { "Supported Platforms:" } New-UDCheckbox -FilledIn -Label "Windows" -Checked -Id spWindows New-UDCheckbox -FilledIn -Label "Linux" -Id spLinux New-UDCheckbox -FilledIn -Label "macOS"-Id spMacOS } $executorRow = New-UDLayout -Columns 4 { New-UDSelectX 'executorSelector' "Executor for Attack Commands" New-UDCheckbox -ID elevationRequired -FilledIn -Label "Requires Elevation to Execute Successfully?" } $genarateYamlButton = New-UDRow -Columns { New-UDColumn -Size 8 -Content { } New-UDColumn -Size 4 -Content { New-UDButton -Text "Generate Test Definition YAML" -OnClick ( $epYamlModal ) } } ############## End Static Definitions ############## The Dashboard $idleTimeOut = New-TimeSpan -Minutes 10080 $db = New-UDDashboard -Title "Atomic Test Creation" -IdleTimeout $idleTimeOut -EndpointInitialization $ei -Content { New-UDCard -Id "mainCard" -Content { New-UDCard -Content { New-UDTextBoxX 'atomicName' "Atomic Test Name" New-UDTextAreaX "atomicDescription" "Atomic Test Description" $supportedPlatforms New-UDTextAreaX "attackCommands" "Attack Commands" $executorRow New-UDTextAreaX "cleanupCommands" "Cleanup Commands (Optional)" $genarateYamlButton } # input args New-UDCard -Id "inputCard" -Endpoint { New-UDButton -Text "Add Input Argument (Optional)" -OnClick ( New-UDEndpoint -Endpoint { Add-UDElement -ParentId "inputCard" -Content { New-InputArgCard } } ) } # prereqs New-UDCard -Id "depCard" -Endpoint { New-UDLayout -columns 4 { New-UDButton -Text "Add Prerequisite (Optional)" -OnClick ( New-UDEndpoint -Endpoint { Add-UDElement -ParentId "depCard" -Content { New-depCard } } ) New-UDSelectX 'preReqEx' "Executor for Prereq Commands" } } } # button to fill form with test data for development purposes if ($false) { New-UDButton -Text "Fill Test Data" -OnClick ( $epFillTestData ) } } ############## End of the Dashboard Stop-AtomicGUI Start-UDDashboard -port $port -Dashboard $db -Name "AtomicGUI" -ListenAddress 127.0.0.1 start-process http://localhost:$port } function Stop-AtomicGUI { Get-UDDashboard -Name 'AtomicGUI' | Stop-UDDashboard Write-Host "Stopped all AtomicGUI Dashboards" } 2be6acf6-3d12-4ca6-84eb-d128983fada3C:\AtomicRedTeam\invoke-atomicredteam\Public\Start-AtomicGUI.ps1 410615103150x0708487Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local211d329c-edc6-4f33-909b-ce40f4aa56902b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708486Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local211d329c-edc6-4f33-909b-ce40f4aa56902b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708485Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# The class definitions that these functions rely upon are located in Private\AtomicClassSchema.ps1 function New-AtomicTechnique { <# .SYNOPSIS Specifies a new atomic red team technique. The output of this function is designed to be piped directly to ConvertTo-Yaml, eliminating the need to work with YAML directly. .PARAMETER AttackTechnique Specifies one or more MITRE ATT&CK techniques that to which this technique applies. Per MITRE naming convention, an attack technique should start with "T" followed by a 4 digit number. The MITRE sub-technique format is also supported: TNNNN.NNN .PARAMETER DisplayName Specifies the name of the technique as defined by ATT&CK. Example: 'Audio Capture' .PARAMETER AtomicTests Specifies one or more atomic tests. Atomic tests are created using the New-AtomicTest function. .EXAMPLE $InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll' $InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs' $AtomicTest1 = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename} '@ # Note: the input arguments are identical for atomic test #1 and #2 $AtomicTest2 = New-AtomicTest -Name 'InstallUtil GetHelp method call' -Description 'Executes the Help property' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename} '@ $AtomicTechnique = New-AtomicTechnique -AttackTechnique T1118 -DisplayName InstallUtil -AtomicTests $AtomicTest1, $AtomicTest2 # Everything is ready to convert to YAML now! $AtomicTechnique | ConvertTo-Yaml | Out-File T1118.yaml .OUTPUTS AtomicTechnique Outputs an object representing an atomic technique. The output of New-AtomicTechnique is designed to be piped to ConvertTo-Yaml. #> [CmdletBinding()] [OutputType([AtomicTechnique])] param ( [Parameter(Mandatory)] [String[]] $AttackTechnique, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $DisplayName, [Parameter(Mandatory)] [AtomicTest[]] [ValidateNotNull()] $AtomicTests ) $AtomicTechniqueInstance = [AtomicTechnique]::new() foreach ($Technique in $AttackTechnique) { # Attack techniques should match the MITRE ATT&CK [sub-]technique format. # This is not a requirement so just warn the user. if ($Technique -notmatch '^(?-i:T\d{4}(\.\d{3}){0,1})$') { Write-Warning "The following supplied attack technique does not start with 'T' followed by a four digit number: $Technique" } } $AtomicTechniqueInstance.attack_technique = $AttackTechnique $AtomicTechniqueInstance.display_name = $DisplayName $AtomicTechniqueInstance.atomic_tests = $AtomicTests return $AtomicTechniqueInstance } function New-AtomicTest { <# .SYNOPSIS Specifies an atomic test. .PARAMETER Name Specifies the name of the test that indicates how it tests the technique. .PARAMETER Description Specifies a long form description of the test. Markdown is supported. .PARAMETER SupportedPlatforms Specifies the OS/platform on which the test is designed to run. The following platforms are currently supported: Windows, macOS, Linux. A single test can support multiple platforms. .PARAMETER ExecutorType Specifies the the framework or application in which the test should be executed. The following executor types are currently supported: CommandPrompt, Sh, Bash, PowerShell. - CommandPrompt: The Windows Command Prompt, aka cmd.exe Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by cmd.exe. - PowerShell: PowerShell Requires the -ExecutorCommand argument to contain a multi-line PowerShell scriptblock that will be preprocessed and then executed by powershell.exe - Sh: Linux's bourne shell Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by sh. - Bash: Linux's bourne again shell Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by bash. .PARAMETER ExecutorElevationRequired Specifies that the test must run with elevated privileges. .PARAMETER ExecutorSteps Specifies a manual list of steps to execute. This should be specified when the atomic test cannot be executed in an automated fashion, for example when GUI steps are involved that cannot be automated. .PARAMETER ExecutorCommand Specifies the command to execute as part of the atomic test. This should be specified when the atomic test can be executed in an automated fashion. The -ExecutorType specified will dictate the command specified, e.g. PowerShell scriptblock code when the "PowerShell" ExecutorType is specified. .PARAMETER ExecutorCleanupCommand Specifies the command to execute if there are any artifacts that need to be cleaned up. .PARAMETER InputArguments Specifies one or more input arguments. Input arguments are defined using the New-AtomicTestInputArgument function. .PARAMETER DependencyExecutorType Specifies an override execution type for dependencies. By default, dependencies are executed using the framework specified in -ExecutorType. In most cases, 'PowerShell' is specified as a dependency executor type when 'CommandPrompt' is specified as an executor type. .PARAMETER Dependencies Specifies one or more dependencies. Dependencies are defined using the New-AtomicTestDependency function. .EXAMPLE $InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll' $InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs' $AtomicTest = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments $InputArg1, $InputArg2 -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename} '@ .OUTPUTS AtomicTest Outputs an object representing an atomic test. This object is intended to be supplied to the New-AtomicTechnique -AtomicTests parameter. The output of New-AtomicTest can be piped to ConvertTo-Yaml. The resulting output can be added to an existing atomic technique YAML doc. #> [CmdletBinding(DefaultParameterSetName = 'AutomatedExecutor')] [OutputType([AtomicTest])] param ( [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Name, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Description, [Parameter(Mandatory)] [String[]] [ValidateSet('Windows', 'macOS', 'Linux')] $SupportedPlatforms, [Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')] [String] [ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')] $ExecutorType, [Switch] $ExecutorElevationRequired, [Parameter(Mandatory, ParameterSetName = 'ManualExecutor')] [String] [ValidateNotNullOrEmpty()] $ExecutorSteps, [Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')] [String] [ValidateNotNullOrEmpty()] $ExecutorCommand, [String] [ValidateNotNullOrEmpty()] $ExecutorCleanupCommand, [AtomicInputArgument[]] $InputArguments, [String] [ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')] $DependencyExecutorType, [AtomicDependency[]] $Dependencies ) $AtomicTestInstance = [AtomicTest]::new() $AtomicTestInstance.name = $Name $AtomicTestInstance.description = $Description $AtomicTestInstance.supported_platforms = $SupportedPlatforms | ForEach-Object { $_.ToLower() } $StringsWithPotentialInputArgs = New-Object -TypeName 'System.Collections.Generic.List`1[String]' switch ($PSCmdlet.ParameterSetName) { 'AutomatedExecutor' { $ExecutorInstance = [AtomicExecutorDefault]::new() $ExecutorInstance.command = $ExecutorCommand $StringsWithPotentialInputArgs.Add($ExecutorCommand) } 'ManualExecutor' { $ExecutorInstance = [AtomicExecutorManual]::new() $ExecutorInstance.steps = $ExecutorSteps $StringsWithPotentialInputArgs.Add($ExecutorSteps) } } switch ($ExecutorType) { 'CommandPrompt' { $ExecutorInstance.name = 'command_prompt' } default { $ExecutorInstance.name = $ExecutorType.ToLower() } } if ($ExecutorCleanupCommand) { $ExecutorInstance.cleanup_command = $ExecutorCleanupCommand $StringsWithPotentialInputArgs.Add($ExecutorCleanupCommand) } if ($ExecutorElevationRequired) { $ExecutorInstance.elevation_required = $True } if ($Dependencies) { foreach ($Dependency in $Dependencies) { $StringsWithPotentialInputArgs.Add($Dependency.description) $StringsWithPotentialInputArgs.Add($Dependency.prereq_command) $StringsWithPotentialInputArgs.Add($Dependency.get_prereq_command) } } if ($DependencyExecutorType) { switch ($DependencyExecutorType) { 'CommandPrompt' { $AtomicTestInstance.dependency_executor_name = 'command_prompt' } default { $AtomicTestInstance.dependency_executor_name = $DependencyExecutorType.ToLower() } } } $AtomicTestInstance.dependencies = $Dependencies [Hashtable] $InputArgHashtable = @{ } if ($InputArguments.Count) { # Determine if any of the input argument names repeat. They must be unique. $InputArguments | Group-Object -Property Name | Where-Object { $_.Count -gt 1 } | ForEach-Object { Write-Error "There are $($_.Count) instances of the $($_.Name) input argument. Input argument names must be unique." return } # Convert each input argument to a hashtable where the key is the Name property. foreach ($InputArg in $InputArguments) { # Create a copy of the passed input argument that doesn't include the "Name" property. # Passing in a shallow copy adversely affects YAML serialization for some reason. $NewInputArg = [AtomicInputArgument]::new() $NewInputArg.default = $InputArg.default $NewInputArg.description = $InputArg.description $NewInputArg.type = $InputArg.type $InputArgHashtable[$InputArg.Name] = $NewInputArg } $AtomicTestInstance.input_arguments = $InputArgHashtable } # Extract all specified input arguments from executor and any dependencies. $Regex = [Regex] '#\{(?<ArgName>[^}]+)\}' [String[]] $InputArgumentNamesFromExecutor = $StringsWithPotentialInputArgs | ForEach-Object { $Regex.Matches($_) } | Select-Object -ExpandProperty Groups | Where-Object { $_.Name -eq 'ArgName' } | Select-Object -ExpandProperty Value | Sort-Object -Unique # Validate that all executor arguments are defined as input arguments if ($InputArgumentNamesFromExecutor.Count) { $InputArgumentNamesFromExecutor | ForEach-Object { if ($InputArgHashtable.Keys -notcontains $_) { Write-Error "The following input argument was specified but is not defined: '$_'" return } } } # Validate that all defined input args are utilized at least once in the executor. if ($InputArgHashtable.Keys.Count) { $InputArgHashtable.Keys | ForEach-Object { if ($InputArgumentNamesFromExecutor -notcontains $_) { # Write a warning since this scenario is not considered a breaking change Write-Warning "The following input argument is defined but not utilized: '$_'." } } } $AtomicTestInstance.executor = $ExecutorInstance return $AtomicTestInstance } function New-AtomicTestDependency { <# .SYNOPSIS Specifies a new dependency that must be met prior to execution of an atomic test. .PARAMETER Description Specifies a human-readable description of the dependency. This should be worded in the following form: SOMETHING must SOMETHING .PARAMETER PrereqCommand Specifies commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. .PARAMETER GetPrereqCommand Specifies commands to meet this prerequisite or a message describing how to meet this prereq More specifically, this command is designed to satisfy either of the following conditions: 1) If a prerequisite is not met, perform steps necessary to satify the prerequisite. Such a command should be implemented when prerequisites can be satisfied in an automated fashion. 2) If a prerequisite is not met, inform the user what the steps are to satisfy the prerequisite. Such a message should be presented to the user in the case that prerequisites cannot be satisfied in an automated fashion. .EXAMPLE $Dependency = New-AtomicTestDependency -Description 'Folder to zip must exist (#{input_file_folder})' -PrereqCommand 'test -e #{input_file_folder}' -GetPrereqCommand 'echo Please set input_file_folder argument to a folder that exists' .OUTPUTS AtomicDependency Outputs an object representing an atomic test dependency. This object is intended to be supplied to the New-AtomicTest -Dependencies parameter. Note: due to a bug in PowerShell classes, the get_prereq_command property will not display by default. If all fields must be explicitly displayed, they can be viewed by piping output to "Select-Object description, prereq_command, get_prereq_command". #> [CmdletBinding()] [OutputType([AtomicDependency])] param ( [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Description, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $PrereqCommand, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $GetPrereqCommand ) $DependencyInstance = [AtomicDependency]::new() $DependencyInstance.description = $Description $DependencyInstance.prereq_command = $PrereqCommand $DependencyInstance.get_prereq_command = $GetPrereqCommand return $DependencyInstance } function New-AtomicTestInputArgument { <# .SYNOPSIS Specifies an input to an atomic test that is a requirement to run the test (think of these like function arguments). .PARAMETER Name Specifies the name of the input argument. This must be lowercase and can optionally, have underscores. The input argument name is what is specified as arguments within executors and dependencies. .PARAMETER Description Specifies a human-readable description of the input argument. .PARAMETER Type Specifies the data type of the input argument. The following data types are supported: Path, Url, String, Integer, Float. If an alternative data type must be supported, use the -TypeOverride parameter. .PARAMETER TypeOverride Specifies an unsupported input argument data type. Specifying this parameter should not be common. .PARAMETER Default Specifies a default value for an input argument if one is not specified via the Invoke-AtomicTest -InputArgs parameter. .EXAMPLE $AtomicInputArgument = New-AtomicTestInputArgument -Name 'rar_exe' -Type Path -Description 'The RAR executable from Winrar' -Default '%programfiles%\WinRAR\Rar.exe' .OUTPUTS AtomicInputArgument Outputs an object representing an atomic test input argument. This object is intended to be supplied to the New-AtomicTest -InputArguments parameter. #> [CmdletBinding(DefaultParameterSetName = 'PredefinedType')] [OutputType([AtomicInputArgument])] param ( [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Name, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Description, [Parameter(Mandatory, ParameterSetName = 'PredefinedType')] [String] [ValidateSet('Path', 'Url', 'String', 'Integer', 'Float')] $Type, [Parameter(Mandatory, ParameterSetName = 'TypeOverride')] [String] [ValidateNotNullOrEmpty()] $TypeOverride, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Default ) if ($Name -notmatch '^(?-i:[0-9a-z_]+)$') { Write-Error "Input argument names must be lowercase and optionally, contain underscores. Input argument name supplied: $Name" return } $AtomicInputArgInstance = [AtomicInputArgument]::new() $AtomicInputArgInstance.description = $Description $AtomicInputArgInstance.default = $Default if ($Type) { $AtomicInputArgInstance.type = $Type # Validate input argument types when it makes sense to do so. switch ($Type) { 'Url' { if (-not [Uri]::IsWellFormedUriString($Type, [UriKind]::RelativeOrAbsolute)) { Write-Warning "The specified Url is not properly formatted: $Type" } } 'Integer' { if (-not [Int]::TryParse($Type, [Ref] $null)) { Write-Warning "The specified Int is not properly formatted: $Type" } } 'Float' { if (-not [Double]::TryParse($Type, [Ref] $null)) { Write-Warning "The specified Float is not properly formatted: $Type" } } # The following supported data types do not make sense to validate: # 'Path' { } # 'String' { } } } else { $AtomicInputArgInstance.type = $TypeOverride } # Add Name as a note property since the Name property cannot be defined in the AtomicInputArgument # since it must be stored as a hashtable where the name is the key. Fortunately, ConvertTo-Yaml # won't convert note properties during serialization. $InputArgument = Add-Member -InputObject $AtomicInputArgInstance -MemberType NoteProperty -Name Name -Value $Name -PassThru return $InputArgument } 211d329c-edc6-4f33-909b-ce40f4aa5690C:\AtomicRedTeam\invoke-atomicredteam\Public\New-Atomic.ps1 410615103150x0708484Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6286ab8a-bdac-4979-8d03-db484ef8daa72b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708483Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6286ab8a-bdac-4979-8d03-db484ef8daa72b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708482Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-WebRequestVerifyHash ($url, $outfile, $hash) { $success = $false $null = @( New-Item -ItemType Directory (Split-Path $outfile) -Force | Out-Null $ms = New-Object IO.MemoryStream [Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12) (New-Object System.Net.WebClient).OpenRead($url).copyto($ms) $ms.seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null $actualHash = (Get-FileHash -InputStream $ms).Hash if ( $hash -eq $actualHash) { $ms.seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null $fileStream = New-Object IO.FileStream $outfile, ([System.IO.FileMode]::Create) $ms.CopyTo($fileStream); $fileStream.Close() $success = $true } else { Write-Host -ForegroundColor red "File hash mismatch, expected: $hash, actual: $actualHash" } ) $success } 6286ab8a-bdac-4979-8d03-db484ef8daa7C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-WebRequestVerifyHash.ps1 410615103150x0708481Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local636ad392-c610-47be-942b-1be5cc09afd62b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708480Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local636ad392-c610-47be-942b-1be5cc09afd62b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708479Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-SetupAtomicRunner { # ensure running with admin privs if ($artConfig.OS -eq "windows") { # auto-elevate on Windows $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if ($testadmin -eq $false) { Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition)) exit $LASTEXITCODE } } else { # linux and macos check - doesn't auto-elevate if ((id -u) -ne 0 ) { Throw "You must run the Invoke-SetupAtomicRunner script as root" exit } } if ($artConfig.basehostname.length -gt 15) { Throw "The hostname for this machine (minus the GUID) must be 15 characters or less. Please rename this computer." } #create AtomicRunner-Logs directories if they don't exist New-Item -ItemType Directory $artConfig.atomicLogsPath -ErrorAction Ignore New-Item -ItemType Directory $artConfig.runnerFolder -ErrorAction Ignore if ($artConfig.gmsaAccount) { Start-Service WinRM $path = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\RenameRunner\RoleCapabilities" New-Item -ItemType Directory $path -ErrorAction Ignore New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -GroupManagedServiceAccount $artConfig.gmsaAccount -RoleDefinitions @{ "$($artConfig.user)" = @{ 'RoleCapabilities' = 'RenameRunner' } } -path "$env:Temp\RenameRunner.pssc" New-PSRoleCapabilityFile -VisibleCmdlets @{ 'Name' = 'Rename-Computer'; 'Parameters' = @{ 'Name' = 'NewName'; 'ValidatePattern' = 'ATOMICSOC.*' }, @{ 'Name' = 'Force' }, @{ 'Name' = 'restart' } } -path "$path\RenameRunner.psrc" $null = Register-PSSessionConfiguration -name "RenameRunnerEndpoint" -path "$env:Temp\RenameRunner.pssc" -force Add-LocalGroupMember "administrators" "$($artConfig.gmsaAccount)$" -ErrorAction Ignore # Make sure WinRM is enabled and set to Automic start (not delayed) Set-ItemProperty hklm:\\SYSTEM\CurrentControlSet\Services\WinRM -Name Start -Value 2 Set-ItemProperty hklm:\\SYSTEM\CurrentControlSet\Services\WinRM -Name DelayedAutostart -Value 0 # default is delayed start and that is too slow given our 1 minute delay on our kickoff task # this registry key must be set to zero for things to work get-itemproperty hklm:\Software\Policies\Microsoft\Windows\WinRM\Service\ $hklmKey = (get-itemproperty hklm:\Software\Policies\Microsoft\Windows\WinRM\Service -name DisableRunAs -ErrorAction ignore).DisableRunAs $hkcuKey = (get-itemproperty hkcu:\Software\Policies\Microsoft\Windows\WinRM\Service -name DisableRunAs -ErrorAction ignore).DisableRunAs if ((1 -eq $hklmKey) -or (1 -eq $hkcuKey)) { Write-Host -ForegroundColor Red "DisableRunAs registry Key will not allow use of the JEA endpoint with a gmsa account" } if ((Get-ItemProperty hklm:\System\CurrentControlSet\Control\Lsa\ -name DisableDomainCreds).DisableDomainCreds) { Write-Host -ForegroundColor Red "Do not allow storage of passwords and credentials for network authentication must be disabled" } } if ($artConfig.OS -eq "windows") { if (Test-Path $artConfig.credFile) { Write-Host "Credential File $($artConfig.credFile) already exists, not prompting for creation of a new one." $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $artConfig.user, (Get-Content $artConfig.credFile | ConvertTo-SecureString) } else { # create credential file for the user since we aren't using a group managed service account $cred = Get-Credential -UserName $artConfig.user -message "Enter password for $($artConfig.user) in order to create the runner scheduled task" $cred.Password | ConvertFrom-SecureString | Out-File $artConfig.credFile } # setup scheduled task that will start the runner after each restart # local security policy --> Local Policies --> Security Options --> Network access: Do not allow storage of passwords and credentials for network authentication must be disabled $taskName = "KickOff-AtomicRunner" Unregister-ScheduledTask $taskName -confirm:$false -ErrorAction Ignore # Windows scheduled task includes a 20 minutes sleep then restart if the call to Invoke-KickoffAtomicRunner fails # this occurs occassionally when Windows has issues logging into the runner user's account and logs in as a TEMP user $taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-exec bypass -Command Invoke-KickoffAtomicRunner; Start-Sleep 1200; Restart-Computer -Force" $taskPrincipal = New-ScheduledTaskPrincipal -UserId $artConfig.user $delays = @(1, 2, 4, 8, 16, 32, 64) # using multiple triggers as a retry mechanism because the built-in retry mechanism doesn't work when the computer renaming causes AD replication delays $triggers = @() foreach ($delay in $delays) { $trigger = New-ScheduledTaskTrigger -AtStartup $trigger.Delay = "PT$delay`M" $triggers += $trigger } $task = New-ScheduledTask -Action $taskAction -Principal $taskPrincipal -Trigger $triggers -Description "A task that runs 1 minute or later after boot to start the atomic test runner script" try { $null = Register-ScheduledTask -TaskName $taskName -InputObject $task -User $artConfig.user -Password $($cred.GetNetworkCredential().password) -ErrorAction Stop } catch { if ($_.CategoryInfo.Category -eq "AuthenticationError") { # remove the credential file if the password didn't work Write-Error "The credentials you entered are incorrect. Please run the setup script again and double check the username and password." Remove-Item $artConfig.credFile } else { Throw $_ } } } else { # sets cronjob string using basepath from config.ps1 $pwshPath = which pwsh $job = "@reboot root sleep 60;$pwshPath -Command Invoke-KickoffAtomicRunner" $exists = cat /etc/crontab | Select-String -Quiet "KickoffAtomicRunner" #checks if the Kickoff-AtomicRunner job exists. If not appends it to the system crontab. if ($null -eq $exists) { $(Write-Output "$job" >> /etc/crontab) write-host "setting cronjob" } else { write-host "cronjob already exists" } } # Add Import-Module statement to the PowerShell profile $root = Split-Path $PSScriptRoot -Parent $pathToPSD1 = Join-Path $root "Invoke-AtomicRedTeam.psd1" $importStatement = "Import-Module ""$pathToPSD1"" -Force" New-Item $PROFILE -ErrorAction Ignore $profileContent = Get-Content $profile $line = $profileContent | Select-String ".*import-module.*invoke-atomicredTeam.psd1" | Select-Object -ExpandProperty Line if ($line) { $profileContent | ForEach-Object { $_.replace( $line, "$importStatement") } | Set-Content $profile } else { Add-Content $profile $importStatement } # Install the Posh-SYLOG module if we are configured to use it and it is not already installed if ((-not (Get-Module -ListAvailable "Posh-SYSLOG")) -and [bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort) { write-verbose "Posh-SYSLOG" Install-Module -Name Posh-SYSLOG -Scope CurrentUser -Force } # create the CSV schedule of atomics to run if it doesn't exist if (-not (Test-Path $artConfig.scheduleFile)) { Invoke-GenerateNewSchedule } $schedule = Get-Schedule if ($null -eq $schedule) { Write-Host -ForegroundColor Yellow "There are no tests enabled on the schedule, set the 'Enabled' column to 'True' for the atomic test that you want to run. The schedule file is found here: $($artConfig.scheduleFile)" Write-Host -ForegroundColor Yellow "Rerun this setup script after updating the schedule" } else { # Get the prereqs for all of the tests on the schedule Invoke-AtomicRunner -GetPrereqs } } 636ad392-c610-47be-942b-1be5cc09afd6C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-SetupAtomicRunner.ps1 410615103150x0708478Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708477Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708476Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local994e1dfa-fe05-4345-a6fe-e46779aaf9bf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708475Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local994e1dfa-fe05-4345-a6fe-e46779aaf9bf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708474Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-KickoffAtomicRunner { #log rotation function function Rotate-Log { Param ($logPath, $max_filesize, $max_age) $datetime = Get-Date -uformat "%Y-%m-%d-%H%M" $log = Get-Item $logPath if ($log.Length / 1MB -ge $max_filesize) { Write-Host "file named $($log.name) is bigger than $max_filesize MB" $newname = "$($log.Name)_${datetime}.arclog" Rename-Item $log.PSPath $newname Write-Host "Done rotating file" } $logdir_content = Get-ChildItem $artConfig.atomicLogsPath -filter "*.arclog" $cutoff_date = (get-date).AddDays($max_age) $logdir_content | ForEach-Object { if ($_.LastWriteTime -gt $cutoff_date) { Remove-Item $_ Write-Host "Removed $($_.PSPath)" } } } #Create log files as needed $all_log_file = Join-Path $artConfig.atomicLogsPath "all-out-$($artConfig.basehostname).txt" New-Item $all_log_file -ItemType file -ErrorAction Ignore New-Item $artConfig.logFile -ItemType File -ErrorAction Ignore #Rotate logs based on FileSize and Date max_filesize $max_filesize = 200 #in MB $max_file_age = 30 #in days Rotate-Log $all_log_file $max_filesize $max_file_age Rotate-Log $artConfig.logFile $max_filesize $max_file_age #no need to repeat this. Can reduce further. # Optional additional delay before starting Start-Sleep $artConfig.kickOffDelay.TotalSeconds if ($artConfig.debug) { Invoke-AtomicRunner *>> $all_log_file } else { Invoke-AtomicRunner } } function LogRunnerMsg ($message) { $now = "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date) Write-Host -fore cyan $message Add-Content $artConfig.logFile "$now`: $message" } 994e1dfa-fe05-4345-a6fe-e46779aaf9bfC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-KickoffAtomicRunner.ps1 410615103150x0708473Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local68f7d6e8-6dfe-4d06-b726-910f635d2ab12b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708472Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local68f7d6e8-6dfe-4d06-b726-910f635d2ab12b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708471Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-FetchFromZip { Param( [Parameter(Mandatory = $true, Position = 0)] [String] $zipUrl, [Parameter(Mandatory = $true, Position = 1)] [String] $targetFilter, # files that match this filter will be copied to the destinationPath, retaining their folder path from the zip [Parameter(Mandatory = $true, Position = 2)] [String] $destinationPath ) # load ZIP methods Add-Type -AssemblyName System.IO.Compression.FileSystem [System.Reflection.Assembly]::LoadWithPartialName('System.IO.Compression') | Out-Null # read zip archive into memory $ms = New-Object IO.MemoryStream [Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12) (New-Object System.Net.WebClient).OpenRead($zipUrl).copyto($ms) $Zip = New-Object System.IO.Compression.ZipArchive($ms) # ensure the output folder exists $parent = split-path $destinationPath $exists = Test-Path -Path $parent if ($exists -eq $false) { $null = New-Item -Path $destinationPath -ItemType Directory -Force } # find all files in ZIP that match the filter (i.e. file extension) $zip.Entries | Where-Object { ($_.FullName -like $targetFilter) } | ForEach-Object { # extract the selected items from the ZIP archive # and copy them to the out folder $dstDir = Join-Path $destinationPath ($_.FullName | split-path | split-path -Leaf) New-Item -ItemType Directory -Force -Path $dstDir | Out-Null [System.IO.Compression.ZipFileExtensions]::ExtractToFile($_, (Join-Path $dstDir $_.Name), $true) } $zip.Dispose() } 68f7d6e8-6dfe-4d06-b726-910f635d2ab1C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-FetchFromZip.ps1 410615103150x0708470Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald1c3f0cf-ced9-4b25-a415-135e73441fbe2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708469Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald1c3f0cf-ced9-4b25-a415-135e73441fbe2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708468Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local22ecutionPlatform -eq "windows" -and ($test.executor.name -eq "sh" -or $test.executor.name -eq "bash")) { Write-Verbose -Message "Unable to run sh or bash on $executionPlatform" continue } if ( ("linux", "macos") -contains $executionPlatform -and $test.executor.name -eq "command_prompt") { Write-Verbose -Message "Unable to run cmd.exe on $executionPlatform" continue } } if ($null -ne $TestNumbers) { if (-Not ($TestNumbers -contains $testCount) ) { continue } } if ($null -ne $TestNames) { if (-Not ($TestNames -contains $test.name) ) { continue } } if ($null -ne $TestGuids) { if (-Not ($TestGuids -contains $test.auto_generated_guid) ) { continue } } $props = @{ Activity = 'Running Atomic Tests' Status = 'Progress:' PercentComplete = ($testCount / ($technique.atomic_tests).Count * 100) } Write-Progress @props Write-Verbose -Message 'Determining manual tests' if ($test.executor.name.Contains('manual')) { Write-Verbose -Message 'Unable to run manual tests' continue } $numAtomicsApplicableToPlatform++ $testId = "$AT-$testCount $($test.name)" if ($ShowDetailsBrief) { Write-KeyValue $testId continue } if ($PromptForInputArgs) { $InputArgs = Invoke-PromptForInputArgs $test.input_arguments } if ($ShowDetails) { Show-Details $test $testCount $technique $InputArgs $PathToPayloads continue } Write-Debug -Message 'Gathering final Atomic test command' if ($CheckPrereqs) { Write-KeyValue "CheckPrereq's for: " $testId $failureReasons = Invoke-CheckPrereqs $test $isElevated $executionPlatform $InputArgs $PathToPayloads $TimeoutSeconds $session Write-PrereqResults $FailureReasons $testId } elseif ($GetPrereqs) { if ($(Test-IncludesTerraform $AT $testCount)) { Build-TFVars $AT $testCount $InputArgs } Write-KeyValue "GetPrereq's for: " $testId if ( $test.executor.elevation_required -and -not $isElevated) { Write-Host -ForegroundColor Red "Elevation required but not provided" } if ($nul -eq $test.dependencies) { Write-KeyValue "No Preqs Defined"; continue } foreach ($dep in $test.dependencies) { $executor = Get-PrereqExecutor $test $description = (Merge-InputArgs $dep.description $test $InputArgs $PathToPayloads).trim() Write-KeyValue "Attempting to satisfy prereq: " $description $final_command_prereq = Merge-InputArgs $dep.prereq_command $test $InputArgs $PathToPayloads if ($executor -ne "powershell") { $final_command_prereq = ($final_command_prereq.trim()).Replace("`n", " && ") } $final_command_get_prereq = Merge-InputArgs $dep.get_prereq_command $test $InputArgs $PathToPayloads $res = Invoke-ExecuteCommand $final_command_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$true if ($res.ExitCode -eq 0) { Write-KeyValue "Prereq already met: " $description } else { $res = Invoke-ExecuteCommand $final_command_get_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive $res = Invoke-ExecuteCommand $final_command_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$true if ($res.ExitCode -eq 0) { Write-KeyValue "Prereq successfully met: " $description } else { Write-Host -ForegroundColor Red "Failed to meet prereq: $description" } } } } elseif ($Cleanup) { Write-KeyValue "Executing cleanup for test: " $testId $final_command = Merge-InputArgs $test.executor.cleanup_command $test $InputArgs $PathToPayloads if (Get-Command 'Invoke-ARTPreAtomicCleanupHook' -errorAction SilentlyContinue) { Invoke-ARTPreAtomicCleanupHook $test $InputArgs } $res = Invoke-ExecuteCommand $final_command $test.executor.name $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive Write-KeyValue "Done executing cleanup for test: " $testId if (Get-Command 'Invoke-ARTPostAtomicCleanupHook' -errorAction SilentlyContinue) { Invoke-ARTPostAtomicCleanupHook $test $InputArgs } if ($(Test-IncludesTerraform $AT $testCount)) { Remove-TerraformFiles $AT $testCount } } else { Write-KeyValue "Executing test: " $testId $startTime = Get-Date $final_command = Merge-InputArgs $test.executor.command $test $InputArgs $PathToPayloads if (Get-Command 'Invoke-ARTPreAtomicHook' -errorAction SilentlyContinue) { Invoke-ARTPreAtomicHook $test $InputArgs } $res = Invoke-ExecuteCommand $final_command $test.executor.name $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive Write-Host "Exit code: $($res.ExitCode)" if (Get-Command 'Invoke-ARTPostAtomicHook' -errorAction SilentlyContinue) { Invoke-ARTPostAtomicHook $test $InputArgs } $stopTime = Get-Date if ($isLoggingModuleSet) { &"$LoggingModule\Write-ExecutionLog" $startTime $stopTime $AT $testCount $test.name $test.auto_generated_guid $test.executor.name $test.description $final_command $ExecutionLogPath $executionHostname $executionUser $res (-Not($IsLinux -or $IsMacOS)) } Write-KeyValue "Done executing test: " $testId } } # End of foreach Test in single Atomic Technique } # End of foreach Technique in Atomic Tests if ($numAtomicsApplicableToPlatform -eq 0) { Write-Host -ForegroundColor Yellow "Found $numAtomicsApplicableToPlatform atomic tests applicable to $executionPlatform platform for Technique $techniqueString" } } # End of Invoke-AtomicTestSingle function if ($AtomicTechnique -eq "All") { function Invoke-AllTests() { $AllAtomicTests = New-Object System.Collections.ArrayList Get-ChildItem $PathToAtomicsFolder -Directory -Filter T* | ForEach-Object { $currentTechnique = [System.IO.Path]::GetFileName($_.FullName) if ( $currentTechnique -match "T[0-9]{4}.?([0-9]{3})?" ) { $AllAtomicTests.Add($currentTechnique) | Out-Null } } $AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTestSingle $_ } } if ( ($Force -or $CheckPrereqs -or $ShowDetails -or $ShowDetailsBrief -or $GetPrereqs) -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?', "Highway to the danger zone, Executing All Atomic Tests!" ) ) { Invoke-AllTests } } else { Invoke-AtomicTestSingle $AtomicTechnique } if ($isLoggingModuleSet) { &"$LoggingModule\Stop-ExecutionLog" $startTime $ExecutionLogPath $executionHostname $executionUser (-Not($IsLinux -or $IsMacOS)) } } # End of PROCESS block END { } # Intentionally left blank and can be removed } d1c3f0cf-ced9-4b25-a415-135e73441fbeC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicTest.ps1 4104152150x0708467Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local12function Invoke-AtomicTest { [CmdletBinding(DefaultParameterSetName = 'technique', SupportsShouldProcess = $true, PositionalBinding = $false, ConfirmImpact = 'Medium')] Param( [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [ValidateNotNullOrEmpty()] [String[]] $AtomicTechnique, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $ShowDetails, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $ShowDetailsBrief, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $anyOS, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String[]] $TestNumbers, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String[]] $TestNames, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String[]] $TestGuids, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] $PathToAtomicsFolder = $( if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam/atomics" } else { $env:HOMEDRIVE + "\AtomicRedTeam\atomics" }), [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $CheckPrereqs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $PromptForInputArgs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $GetPrereqs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $Cleanup = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $NoExecutionLog = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] $ExecutionLogPath = $( if ($IsLinux -or $IsMacOS) { "/tmp/Invoke-AtomicTest-ExecutionLog.csv" } else { "$env:TEMP\Invoke-AtomicTest-ExecutionLog.csv" }), [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $Force, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [HashTable] $InputArgs, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [Int] $TimeoutSeconds = 120, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [System.Management.Automation.Runspaces.PSSession[]]$Session, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $Interactive = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $KeepStdOutStdErrFiles = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] $LoggingModule, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $SupressPathToAtomicsFolder = $false ) BEGIN { } # Intentionally left blank and can be removed PROCESS { $PathToAtomicsFolder = (Resolve-Path $PathToAtomicsFolder).Path Write-Verbose -Message 'Attempting to run Atomic Techniques' if (-not $supressPathToAtomicsFolder) { Write-Host -ForegroundColor Cyan "PathToAtomicsFolder = $PathToAtomicsFolder`n" } $executionPlatform, $isElevated, $tmpDir, $executionHostname, $executionUser = Get-TargetInfo $Session $PathToPayloads = if ($Session) { "$tmpDir`AtomicRedTeam" } else { $PathToAtomicsFolder } # Since there might a comma(T1559-1,2,3) Powershell takes it as array. # So converting it back to string. if ($AtomicTechnique -is [array]) { $AtomicTechnique = $AtomicTechnique -join "," } # Splitting Atomic Technique short form into technique and test numbers. $AtomicTechniqueParams = ($AtomicTechnique -split '-') $AtomicTechnique = $AtomicTechniqueParams[0] if ($AtomicTechniqueParams.Length -gt 1) { $ShortTestNumbers = $AtomicTechniqueParams[-1] } if ($null -eq $TestNumbers -and $null -ne $ShortTestNumbers) { $TestNumbers = $ShortTestNumbers -split ',' } $isLoggingModuleSet = $false if (-not $NoExecutionLog) { $isLoggingModuleSet = $true if (-not $PSBoundParameters.ContainsKey('LoggingModule')) { # no logging module explicitly set # syslog logger $syslogOptionsSet = [bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort if ( $artConfig.LoggingModule -eq "Syslog-ExecutionLogger" -or (($artConfig.LoggingModule -eq '') -and $syslogOptionsSet) ) { if ($syslogOptionsSet) { $LoggingModule = "Syslog-ExecutionLogger" } else { Write-Host -Fore Yellow "Config.ps1 specified: Syslog-ExecutionLogger, but the syslogServer and syslogPort must be specified. Using the default logger instead" $LoggingModule = "Default-ExecutionLogger" } } elseif (-not [bool]$artConfig.LoggingModule) { # loggingModule is blank (not set), so use the default logger $LoggingModule = "Default-ExecutionLogger" } else { $LoggingModule = $artConfig.LoggingModule } } } if ($isLoggingModuleSet) { if (Get-Module -name $LoggingModule) { Write-Verbose "Using Logger: $LoggingModule" } else { Write-Host -Fore Yellow "Logger not found: ", $LoggingModule } # Change the defult logFile extension from csv to json and add a timestamp if using the Attire-ExecutionLogger if ($LoggingModule -eq "Attire-ExecutionLogger") { $ExecutionLogPath = $ExecutionLogPath.Replace("Invoke-AtomicTest-ExecutionLog.csv", "Invoke-AtomicTest-ExecutionLog-timestamp.json") } $ExecutionLogPath = $ExecutionLogPath.Replace("timestamp", $(Get-Date -UFormat %s)) if (Get-Command "$LoggingModule\Start-ExecutionLog" -erroraction silentlycontinue) { if (Get-Command "$LoggingModule\Write-ExecutionLog" -erroraction silentlycontinue) { if (Get-Command "$LoggingModule\Stop-ExecutionLog" -erroraction silentlycontinue) { Write-Verbose "All logging commands found" } else { Write-Host "Stop-ExecutionLog not found or loaded from the wrong module" return } } else { Write-Host "Write-ExecutionLog not found or loaded from the wrong module" return } } else { Write-Host "Start-ExecutionLog not found or loaded from the wrong module" return } # Here we're rebuilding an equivalent command line to put in the logs $commandLine = "Invoke-AtomicTest $AtomicTechnique" if ($ShowDetails -ne $false) { $commandLine = "$commandLine -ShowDetails $ShowDetails" } if ($ShowDetailsBrief -ne $false) { $commandLine = "$commandLine -ShowDetailsBrief $ShowDetailsBrief" } if ($null -ne $TestNumbers) { $commandLine = "$commandLine -TestNumbers $TestNumbers" } if ($null -ne $TestNames) { $commandLine = "$commandLine -TestNames $TestNames" } if ($null -ne $TestGuids) { $commandLine = "$commandLine -TestGuids $TestGuids" } $commandLine = "$commandLine -PathToAtomicsFolder $PathToAtomicsFolder" if ($CheckPrereqs -ne $false) { $commandLine = "$commandLine -CheckPrereqs $CheckPrereqs" } if ($PromptForInputArgs -ne $false) { $commandLine = "$commandLine -PromptForInputArgs $PromptForInputArgs" } if ($GetPrereqs -ne $false) { $commandLine = "$commandLine -GetPrereqs $GetPrereqs" } if ($Cleanup -ne $false) { $commandLine = "$commandLine -Cleanup $Cleanup" } if ($NoExecutionLog -ne $false) { $commandLine = "$commandLine -NoExecutionLog $NoExecutionLog" } $commandLine = "$commandLine -ExecutionLogPath $ExecutionLogPath" if ($Force -ne $false) { $commandLine = "$commandLine -Force $Force" } if ($InputArgs -ne $null) { $commandLine = "$commandLine -InputArgs $InputArgs" } $commandLine = "$commandLine -TimeoutSeconds $TimeoutSeconds" if ($PSBoundParameters.ContainsKey('Session')) { if ( $null -eq $Session ) { Write-Error "The provided session is null and cannot be used." continue } else { $commandLine = "$commandLine -Session $Session" } } if ($Interactive -ne $false) { $commandLine = "$commandLine -Interactive $Interactive" } if ($KeepStdOutStdErrFiles -ne $false) { $commandLine = "$commandLine -KeepStdOutStdErrFiles $KeepStdOutStdErrFiles" } if ($null -ne $LoggingModule) { $commandLine = "$commandLine -LoggingModule $LoggingModule" } $startTime = Get-Date &"$LoggingModule\Start-ExecutionLog" $startTime $ExecutionLogPath $executionHostname $executionUser $commandLine (-Not($IsLinux -or $IsMacOS)) } function Platform-IncludesCloud { $cloud = ('office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp') foreach ($platform in $test.supported_platforms) { if ($cloud -contains $platform) { return $true } } return $false } function Test-IncludesTerraform($AT, $testCount) { $AT = $AT.ToUpper() $pathToTerraform = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount\$AT-$testCount.tf" $cloud = ('iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp') foreach ($platform in $test.supported_platforms) { if ($cloud -contains $platform) { return $(Test-Path -Path $pathToTerraform) } } return $false } function Build-TFVars($AT, $testCount, $InputArgs) { $tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount" if ($InputArgs) { $destinationVarsPath = Join-Path "$tmpDirPath" "terraform.tfvars.json" $InputArgs | ConvertTo-Json | Out-File -FilePath $destinationVarsPath } } function Remove-TerraformFiles($AT, $testCount) { $tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount" Write-Host $tmpDirPath $tfStateFile = Join-Path $tmpDirPath "terraform.tfstate" $tfvarsFile = Join-Path $tmpDirPath "terraform.tfvars.json" if ($(Test-Path $tfvarsFile)) { Remove-Item -LiteralPath $tfvarsFile -Force } if ($(Test-Path $tfStateFile)) { (Get-ChildItem -Path $tmpDirPath).Fullname -match "terraform.tfstate*" | Remove-Item -Force } } function Invoke-AtomicTestSingle ($AT) { $AT = $AT.ToUpper() $pathToYaml = Join-Path $PathToAtomicsFolder "\$AT\$AT.yaml" if (Test-Path -Path $pathToYaml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml } else { Write-Host -Fore Red "ERROR: $PathToYaml does not exist`nCheck your Atomic Number and your PathToAtomicsFolder parameter" return } $techniqueCount = 0 $numAtomicsApplicableToPlatform = 0 $techniqueString = "" foreach ($technique in $AtomicTechniqueHash) { $techniqueString = $technique.attack_technique[0] $techniqueCount++ $props = @{ Activity = "Running $($technique.display_name.ToString()) Technique" Status = 'Progress:' PercentComplete = ($techniqueCount / ($AtomicTechniqueHash).Count * 100) } Write-Progress @props Write-Debug -Message "Gathering tests for Technique $technique" $testCount = 0 foreach ($test in $technique.atomic_tests) { Write-Verbose -Message 'Determining tests for target platform' $testCount++ if (-not $anyOS) { if ( -not $(Platform-IncludesCloud) -and -Not $test.supported_platforms.Contains($executionPlatform) ) { Write-Verbose -Message "Unable to run non-$executionPlatform tests" continue } if ( $exd1c3f0cf-ced9-4b25-a415-135e73441fbeC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicTest.ps1 410615103150x0708466Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6030dc82-3f3f-4a81-8bdb-f280f4bc004a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708465Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708464Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708463Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Loop through all atomic yaml files to load into list of objects function Loop($fileList, $atomicType) { $AllAtomicTests = New-Object System.Collections.ArrayList $fileList | ForEach-Object { $currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName) if ( $currentTechnique -ne "index" ) { $technique = Get-AtomicTechnique -Path $_.FullName if ($technique) { $technique.atomic_tests | ForEach-Object -Process { $test = New-Object -TypeName psobject $test | Add-Member -MemberType NoteProperty -Name Order -Value $null $test | Add-Member -MemberType NoteProperty -Name Technique -Value ($technique.attack_technique -join "|") $test | Add-Member -MemberType NoteProperty -Name TestName -Value $_.name $test | Add-Member -MemberType NoteProperty -Name auto_generated_guid -Value $_.auto_generated_guid $test | Add-Member -MemberType NoteProperty -Name supported_platforms -Value ($_.supported_platforms -join "|") $test | Add-Member -MemberType NoteProperty -Name TimeoutSeconds -Value 120 $test | Add-Member -MemberType NoteProperty -Name InputArgs -Value "" $test | Add-Member -MemberType NoteProperty -Name AtomicsFolder -Value $atomicType $test | Add-Member -MemberType NoteProperty -Name enabled -Value $false $test | Add-Member -MemberType NoteProperty -Name notes -Value "" # Added dummy variable to grab the index values returned by appending to an arraylist so they don't get written to the screen $dummy = $AllAtomicTests.Add(($test)) } } } } return $AllAtomicTests } function Get-NewSchedule() { if (Test-Path $artConfig.PathToPublicAtomicsFolder) { $publicAtomicFiles = Get-ChildItem $artConfig.PathToPublicAtomicsFolder -Recurse -Exclude Indexes -Filter T*.yaml -File $publicAtomics = Loop $publicAtomicFiles "Public" } else { Write-Host -ForegroundColor Yellow "Public Atomics Folder not Found $($artConfig.PathToPublicAtomicsFolder)" } if (Test-Path $artConfig.PathToPrivateAtomicsFolder) { $privateAtomicFiles = Get-ChildItem $artConfig.PathToPrivateAtomicsFolder -Recurse -Exclude Indexes -Filter T*.yaml -File $privateAtomics = Loop $privateAtomicFiles "Private" } else { Write-Verbose "Private Atomics Folder not Found $($artConfig.PathToPrivateAtomicsFolder)" } $AllAtomicTests = New-Object System.Collections.ArrayList try { $AllAtomicTests.AddRange($publicAtomics) }catch {} try { $AllAtomicTests.AddRange($privateAtomics) }catch {} return $AllAtomicTests } function Get-ScheduleRefresh() { $AllAtomicTests = Get-NewSchedule $schedule = Get-Schedule $null $false # get schedule, including inactive (ie not filtered) # Creating new schedule object for updating changes in atomics $newSchedule = New-Object System.Collections.ArrayList # Check if any tests haven't been added to schedule and add them $update = $false foreach ($guid in $AllAtomicTests | Select-Object -ExpandProperty auto_generated_guid) { $fresh = $AllAtomicTests | Where-Object { $_.auto_generated_guid -eq $guid } $old = $schedule | Where-Object { $_.auto_generated_guid -eq $guid } if (!$old) { $update = $true $newSchedule += $fresh } # Updating schedule with changes else { if ($fresh -is [array]) { $fresh = $fresh[0] LogRunnerMsg "Duplicated auto_generated_guid found $($fresh.auto_generated_guid) with technique $($fresh.Technique). `nCannot Continue Execution. System Exit" Write-Host -ForegroundColor Yellow "Duplicated auto_generated_guid found $($fresh.auto_generated_guid) with technique $($fresh.Technique). `nCannot Continue Execution. System Exit"; Start-Sleep 10 exit } $old.Technique = $fresh.Technique $old.TestName = $fresh.TestName $old.supported_platforms = $fresh.supported_platforms $update = $true $newSchedule += $old } } if ($update) { $newSchedule | Export-Csv $artConfig.scheduleFile LogRunnerMsg "Schedule has been updated with new tests." } return $newSchedule } function Get-Schedule($listOfAtomics, $filtered = $true, $testGuids = $null) { if ($listOfAtomics -or (Test-Path($artConfig.scheduleFile))) { if ($listOfAtomics) { $schedule = Import-Csv $listOfAtomics } else { $schedule = Import-Csv $artConfig.scheduleFile } # Filter schedule to either Active/Supported Platform or TestGuids List if ($TestGuids) { $schedule = $schedule | Where-Object { ($Null -ne $TestGuids -and $TestGuids -contains $_.auto_generated_guid) } } elseif ($filtered) { $schedule = $schedule | Where-Object { ($_.enabled -eq $true -and ($_.supported_platforms -like "*" + $artConfig.OS + "*" )) } } } else { Write-Host -ForegroundColor Yellow "Couldn't find schedule file ($($artConfig.scheduleFile)) Update the path to the schedule file in the config or generate a new one with 'Invoke-GenerateNewSchedule'" } if (($null -eq $schedule) -or ($schedule.length -eq 0)) { Write-Host -ForegroundColor Yellow "No active tests were found. Edit the 'enabled' column of your schedule file and set some to enabled (True)"; return $null } return $schedule } function Invoke-GenerateNewSchedule() { #create AtomicRunner-Logs directories if they don't exist New-Item -ItemType Directory $artConfig.atomicLogsPath -ErrorAction Ignore | Out-Null New-Item -ItemType Directory $artConfig.runnerFolder -ErrorAction Ignore | Out-Null LogRunnerMsg "Generating new schedule: $($artConfig.scheduleFile)" $schedule = Get-NewSchedule $schedule | Export-Csv $artConfig.scheduleFile -NoTypeInformation Write-Host -ForegroundColor Green "Schedule written to $($artConfig.scheduleFile)" } function Invoke-RefreshExistingSchedule() { LogRunnerMsg "Refreshing existing schedule: $($artConfig.scheduleFile)" $schedule = Get-ScheduleRefresh $schedule | Export-Csv $artConfig.scheduleFile -NoTypeInformation Write-Host -ForegroundColor Green "Refreshed schedule written to $($artConfig.scheduleFile)" } fb40bc82-a043-4c8b-aa93-a1bc6712532fC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-RunnerScheduleMethods.ps1 410515102150x0708462Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6030dc82-3f3f-4a81-8bdb-f280f4bc004a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708461Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11. "$PSScriptRoot\Invoke-RunnerScheduleMethods.ps1" function Invoke-AtomicRunner { [CmdletBinding( SupportsShouldProcess = $true, PositionalBinding = $false, ConfirmImpact = 'Medium')] Param( [Parameter(Mandatory = $false)] [switch] $ShowDetails, [Parameter(Mandatory = $false)] [switch] $CheckPrereqs, [Parameter(Mandatory = $false)] [switch] $GetPrereqs, [Parameter(Mandatory = $false)] [switch] $Cleanup, [Parameter(Mandatory = $false)] [switch] $ShowDetailsBrief, [Parameter(Mandatory = $false)] [String] $LoggingModule, [Parameter(Mandatory = $false)] $ListOfAtomics, [parameter(Mandatory = $false)] [ValidateRange(0, [int]::MaxValue)] [int] $PauseBetweenAtomics, [Parameter(Mandatory = $false, ValueFromRemainingArguments = $true)] $OtherArgs ) Begin { } Process { function Get-GuidFromHostName( $basehostname ) { $guid = [System.Net.Dns]::GetHostName() -replace $($basehostname + "-"), "" if (!$guid) { LogRunnerMsg "Hostname has not been updated or could not parse out the Guid: " + $guid return } # Confirm hostname contains a guid [regex]$guidRegex = '(?im)^[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?$' if ($guid -match $guidRegex) { return $guid } else { return "" } } function Invoke-AtomicTestFromScheduleRow ($tr, $Cleanup = $false) { $theArgs = $tr.InputArgs if ($theArgs.GetType().Name -ne "Hashtable") { $tr.InputArgs = ConvertFrom-StringData -StringData $theArgs } $sc = $tr.AtomicsFolder #Run the Test based on if scheduleContext is 'private' or 'public' if (($sc -eq 'public') -or ($null -eq $sc)) { Invoke-AtomicTest $tr.Technique -TestGuids $tr.auto_generated_guid -InputArgs $tr.InputArgs -TimeoutSeconds $tr.TimeoutSeconds -ExecutionLogPath $artConfig.execLogPath -PathToAtomicsFolder $artConfig.PathToPublicAtomicsFolder @htvars -Cleanup:$Cleanup -supressPathToAtomicsFolder } elseif ($sc -eq 'private') { Invoke-AtomicTest $tr.Technique -TestGuids $tr.auto_generated_guid -InputArgs $tr.InputArgs -TimeoutSeconds $tr.TimeoutSeconds -ExecutionLogPath $artConfig.execLogPath -PathToAtomicsFolder $artConfig.PathToPrivateAtomicsFolder @htvars -Cleanup:$Cleanup -supressPathToAtomicsFolder } if ($timeToPause -gt 0) { Write-Host "Sleeping for $timeToPause seconds..." Start-Sleep $timeToPause } elseif ($timeToPause -eq 0) { Write-Host 'Press any key to continue...'; $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown'); } } function Rename-ThisComputer ($tr, $basehostname) { $hash = $tr.auto_generated_guid $newHostName = "$basehostname-$hash" $shouldRename = $true if ( $newHostName -eq [System.Net.Dns]::GetHostName()) { $shouldRename = $false } if ($artConfig.verbose) { LogRunnerMsg "Setting hostname to $newHostName" } If (Test-Path $artConfig.stopFile) { LogRunnerMsg "exiting script because $($artConfig.stopFile) exists" exit } if ($IsLinux) { if ($shouldRename) { Invoke-Expression $("hostnamectl set-hostname $newHostName") } Invoke-Expression $("shutdown -r now") } if ($IsMacOS) { if ($shouldRename) { Invoke-Expression $("/usr/sbin/scutil --set HostName $newHostName") Invoke-Expression $("/usr/sbin/scutil --set ComputerName $newHostName") Invoke-Expression $("/usr/sbin/scutil --set LocalHostName $newHostName") } Invoke-Expression $("/sbin/shutdown -r now") } else { if ($debug) { LogRunnerMsg "Debug: pretending to rename the computer to $newHostName"; exit } if (-not $shouldRename) { Restart-Computer -Force } if ($artConfig.gmsaAccount) { $retry = $true; $count = 0 while ($retry) { # add retry loop to avoid this occassional error "The verification of the MSA failed with error 1355" Invoke-Command -ComputerName '127.0.0.1' -ConfigurationName 'RenameRunnerEndpoint' -ScriptBlock { Rename-Computer -NewName $Using:newHostName -Force -Restart } Start-Sleep 120; $count = $count + 1 LogRunnerMsg "Retrying computer rename $count" if ($count -gt 15) { $retry = $false } } } else { $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $artConfig.user, (Get-Content $artConfig.credFile | ConvertTo-SecureString) try { Rename-Computer -NewName $newHostName -Force -DomainCredential $cred -Restart -ErrorAction stop } catch { if ($artConfig.verbose) { LogRunnerMsg $_ } try { Rename-Computer -NewName $newHostName -Force -LocalCredential $cred -Restart -ErrorAction stop } catch { if ($artConfig.verbose) { LogRunnerMsg $_ } } } } Start-Sleep -seconds 30 LogRunnerMsg "uh oh, still haven't restarted - should never get to here" $retry = $true; $count = 0 while ($retry) { Restart-Computer -Force Start-Sleep 300; $count = $count + 1 LogRunnerMsg "Rename retry $count" if ($count -gt 60) { $retry = $false } } exit } } function Get-TimingVariable ($sched) { $atcount = $sched.Count if ($null -eq $atcount) { $atcount = 1 } $scheduleTimeSpanSeconds = $artConfig.scheduleTimeSpan.TotalSeconds $secondsForAllTestsToComplete = $scheduleTimeSpanSeconds $sleeptime = ($secondsForAllTestsToComplete / $atcount) - 120 - $artConfig.kickOffDelay.TotalSeconds # 1 minute for restart and 1 minute delay for scheduled task and an optional kickoff delay if ($sleeptime -lt 120) { $sleeptime = 120 } # minimum 2 minute sleep time return $sleeptime } # Convert OtherArgs to hashtable so we can pass it through to the call to Invoke-AtomicTest $htvars = @{} if ($OtherArgs) { $OtherArgs | ForEach-Object { if ($_ -match '^-') { #New parameter $lastvar = $_ -replace '^-' $htvars[$lastvar] = $true } else { #Value $htvars[$lastvar] = $_ } } } if ($PSBoundParameters.ContainsKey("PauseBetweenAtomics")) { $timeToPause = $PauseBetweenAtomics } else { $timeToPause = $null } $htvars += [Hashtable]$PSBoundParameters $htvars.Remove('listOfAtomics') | Out-Null $htvars.Remove('OtherArgs') | Out-Null $htvars.Remove('Cleanup') | Out-Null $htvars.Remove('PauseBetweenAtomics') | Out-Null $schedule = Get-Schedule $listOfAtomics # If the schedule is empty, end process if (-not $schedule) { LogRunnerMsg "No test guid's or enabled tests." return } # timing variables $SleepTillCleanup = Get-TimingVariable $schedule # Perform cleanup, Showdetails or Prereq stuff for all scheduled items and then exit if ($Cleanup -or $ShowDetails -or $CheckPrereqs -or $ShowDetailsBrief -or $GetPrereqs -or $listOfAtomics) { $schedule | ForEach-Object { Invoke-AtomicTestFromScheduleRow $_ $Cleanup } return } # exit if file stop.txt is found If (Test-Path $artConfig.stopFile) { LogRunnerMsg "exiting script because $($artConfig.stopFile) does exist" Write-Host -ForegroundColor Yellow "Exiting script because $($artConfig.stopFile) does exist."; Start-Sleep 10; exit } # Find current test to run $guid = Get-GuidFromHostName $artConfig.basehostname if ([string]::IsNullOrWhiteSpace($guid)) { LogRunnerMsg "Test Guid ($guid) was null, using next item in the schedule" } else { if ($artConfig.verbose) { LogRunnerMsg "Found Test: $guid specified in hostname" } $sp = [Collections.Generic.List[Object]]$schedule $currentIndex = $sp.FindIndex( { $args[0].auto_generated_guid -eq $guid }) if (($null -ne $currentIndex) -and ($currentIndex -ne -1)) { $tr = $schedule[$currentIndex] } if ($null -ne $tr) { # run the atomic test and exit Invoke-AtomicTestFromScheduleRow $tr # Cleanup after running test Write-Host -Fore cyan "Sleeping for $SleepTillCleanup seconds before cleaning up for $($tr.Technique) $($tr.auto_generated_guid) "; Start-Sleep -Seconds $SleepTillCleanup Invoke-AtomicTestFromScheduleRow $tr $true } else { LogRunnerMsg "Could not find Test: $guid in schedule. Please update schedule to run this test." } } # Load next scheduled test before renaming computer $nextIndex += $currentIndex + 1 if ($nextIndex -ge ($schedule.count)) { $tr = $schedule[0] } else { $tr = $schedule[$nextIndex] } if ($null -eq $tr) { LogRunnerMsg "Could not determine the next row to execute from the schedule, Starting from 1st row"; $tr = $schedule[0] } #Rename Computer and Restart Rename-ThisComputer $tr $artConfig.basehostname } } 6030dc82-3f3f-4a81-8bdb-f280f4bc004aC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicRunner.ps1 410615103150x0708460Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala15fd9e1-a07a-4061-a107-0f4bd41b336d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708459Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala15fd9e1-a07a-4061-a107-0f4bd41b336d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708458Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-PreferredIPAddress($isWindows) { if ($isWindows) { return (Get-NetIPAddress | Where-Object { $_.PrefixOrigin -ne "WellKnown" }).IPAddress } elseif ($IsMacOS) { return ifconfig -l | xargs -n1 ipconfig getifaddr } elseif ($IsLinux) { return ip -4 -br addr show | sed -n -e 's/^.*UP\s* //p' | cut -d "/" -f 1 } else { return '' } } a15fd9e1-a07a-4061-a107-0f4bd41b336dC:\AtomicRedTeam\invoke-atomicredteam\Public\Get-PreferredIPAddress.ps1 410615103150x0708457Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8aa15ef8-8041-48ae-b1ee-b542036e97602b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708456Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8aa15ef8-8041-48ae-b1ee-b542036e97602b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708455Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local22 return } $ExecutorInstance = [AtomicExecutorDefault]::new() $ExecutorInstance.command = $AtomicTest['executor']['command'] $StringsWithPotentialInputArgs.Add($AtomicTest['executor']['command']) } # cleanup_command element is optional if ($AtomicTest['executor'].ContainsKey('cleanup_command')) { $ExecutorInstance.cleanup_command = $AtomicTest['executor']['cleanup_command'] $StringsWithPotentialInputArgs.Add($AtomicTest['executor']['cleanup_command']) } # elevation_required element is optional if ($AtomicTest['executor'].ContainsKey('elevation_required')) { if (-not ($AtomicTest['executor']['elevation_required'] -is [Bool])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.elevation_required' element must be a boolean." return } $ExecutorInstance.elevation_required = $AtomicTest['executor']['elevation_required'] } else { # if elevation_required is not present, default to false $ExecutorInstance.elevation_required = $False } $InputArgumentNames = $null # Get all input argument names $InputArgumentNames = $InputArguments.Keys # Extract all input arguments names from the executor # Potential places where input arguments can be populated: # - Dependency description # - Dependency prereq_command # - Dependency get_prereq_command # - Executor steps # - Executor command # - Executor cleanup_command $Regex = [Regex] '#\{(?<ArgName>[^}]+)\}' [String[]] $InputArgumentNamesFromExecutor = $StringsWithPotentialInputArgs | ForEach-Object { $Regex.Matches($_) } | Select-Object -ExpandProperty Groups | Where-Object { $_.Name -eq 'ArgName' } | Select-Object -ExpandProperty Value | Sort-Object -Unique # Validate that all executor input arg names are defined input arg names. if ($InputArgumentNamesFromExecutor.Count) { $InputArgumentNamesFromExecutor | ForEach-Object { if ($InputArgumentNames -notcontains $_) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] The following input argument was specified but is not defined: '$_'" return } } } # Validate that all defined input args are utilized at least once in the executor. if ($InputArgumentNames.Count) { $InputArgumentNames | ForEach-Object { if ($InputArgumentNamesFromExecutor -notcontains $_) { # Write a warning since this scenario is not considered a breaking change Write-Warning "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] The following input argument is defined but not utilized: '$_'." } } } $ExecutorInstance.name = $AtomicTest['executor']['name'] $AtomicTestInstance.executor = $ExecutorInstance $AtomicTests[$i] = $AtomicTestInstance } $AtomicInstance.atomic_tests = $AtomicTests $AtomicInstance } } # Tab completion for Atomic Tests function Get-TechniqueNumbers { $PathToAtomicsFolder = if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam/atomics" } else { $env:HOMEDRIVE + "\AtomicRedTeam\atomics" } $techniqueNumbers = Get-ChildItem $PathToAtomicsFolder -Directory | ForEach-Object { $_.BaseName } return $techniqueNumbers } Register-ArgumentCompleter -CommandName 'Invoke-AtomicTest' -ParameterName 'AtomicTechnique' -ScriptBlock { param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameter) Get-TechniqueNumbers | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object { New-Object System.Management.Automation.CompletionResult $_, $_, 'ParameterValue', "Technique number $_" } } 8aa15ef8-8041-48ae-b1ee-b542036e9760C:\AtomicRedTeam\invoke-atomicredteam\Public\Get-AtomicTechnique.ps1 4104152150x0708454Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local12filter Get-AtomicTechnique { <# .SYNOPSIS Retrieve and validate an atomic technique. .DESCRIPTION Get-AtomicTechnique retrieves and validates one or more atomic techniques. Get-AtomicTechnique supports retrieval from YAML files or from a raw YAML string. This function facilitates the following use cases: 1) Validation prior to execution of atomic tests. 2) Writing code to reason over one or more atomic techniques/tests. 3) Representing atomic techniques/tests in a format that is more conducive to PowerShell. ConvertFrom-Yaml returns a large, complicated hashtable that is difficult to work with and reason over. Get-AtomicTechnique helps abstract those challenges away. 4) Representing atomic techniques/tests in a format that can be piped directly to ConvertTo-Yaml. .PARAMETER Path Specifies the path to an atomic technique YAML file. Get-AtomicTechnique expects that the file extension be .yaml or .yml and that it is well-formed YAML content. .PARAMETER Yaml Specifies a single string consisting of raw atomic technique YAML. .EXAMPLE Get-ChildItem -Path C:\atomic-red-team\atomics\* -Recurse -Include 'T*.yaml' | Get-AtomicTechnique .EXAMPLE Get-Item C:\atomic-red-team\atomics\T1117\T1117.yaml | Get-AtomicTechnique .EXAMPLE Get-AtomicTechnique -Path C:\atomic-red-team\atomics\T1117\T1117.yaml .EXAMPLE $Yaml = @' --- attack_technique: T1152 display_name: Launchctl atomic_tests: - name: Launchctl description: | Utilize launchctl supported_platforms: - macos executor: name: sh command: | launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator '@ Get-AtomicTechnique -Yaml $Yaml .INPUTS System.IO.FileInfo The output of Get-Item and Get-ChildItem can be piped directly into Get-AtomicTechnique. .OUTPUTS AtomicTechnique Outputs an object representing a parsed and validated atomic technique. #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] [OutputType([AtomicTechnique])] param ( [Parameter(Mandatory, ValueFromPipelineByPropertyName, ParameterSetName = 'FilePath')] [String] [Alias('FullName')] [ValidateScript({ Test-Path -Path $_ -Include '*.yaml', '*.yml' })] $Path, [Parameter(Mandatory, ParameterSetName = 'Yaml')] [String] [ValidateNotNullOrEmpty()] $Yaml ) switch ($PSCmdlet.ParameterSetName) { 'FilePath' { $ResolvedPath = Resolve-Path -Path $Path $YamlContent = Get-Content -Path $ResolvedPath -Raw $ErrorStringPrefix = "[$($ResolvedPath)]" } 'Yaml' { $YamlContent = $Yaml $ErrorStringPrefix = '' } } $ParsedYaml = $null $ValidSupportedPlatforms = @('windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp') $ValidInputArgTypes = @('Path', 'Url', 'String', 'Integer', 'Float') $ValidExecutorTypes = @('command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl') # ConvertFrom-Yaml will throw a .NET exception rather than a PowerShell error. # Capture the exception and convert to PowerShell error so that the user can decide # how to handle the error. try { [Hashtable] $ParsedYaml = ConvertFrom-Yaml -Yaml $YamlContent } catch { Write-Error $_ } if ($ParsedYaml) { # The document was well-formed YAML. Now, validate against the atomic red schema $AtomicInstance = [AtomicTechnique]::new() if (-not $ParsedYaml.Count) { Write-Error "$ErrorStringPrefix YAML file has no elements." return } if (-not $ParsedYaml.ContainsKey('attack_technique')) { Write-Error "$ErrorStringPrefix 'attack_technique' element is required." return } $AttackTechnique = $null if ($ParsedYaml['attack_technique'].Count -gt 1) { # An array of attack techniques are supported. foreach ($Technique in $ParsedYaml['attack_technique']) { if ("$Technique" -notmatch '^(?-i:T\d{4}(\.\d{3}){0,1})$') { Write-Warning "$ErrorStringPrefix Attack technique: $Technique. Each attack technique should start with the letter 'T' followed by a four digit number." } [String[]] $AttackTechnique = $ParsedYaml['attack_technique'] } } else { if ((-not "$($ParsedYaml['attack_technique'])".StartsWith('T'))) { # If the attack technique is a single entry, validate that it starts with the letter T. Write-Warning "$ErrorStringPrefix Attack technique: $($ParsedYaml['attack_technique']). Attack techniques should start with the letter T." } [String] $AttackTechnique = $ParsedYaml['attack_technique'] } $AtomicInstance.attack_technique = $AttackTechnique if (-not $ParsedYaml.ContainsKey('display_name')) { Write-Error "$ErrorStringPrefix 'display_name' element is required." return } if (-not ($ParsedYaml['display_name'] -is [String])) { Write-Error "$ErrorStringPrefix 'display_name' must be a string." return } $AtomicInstance.display_name = $ParsedYaml['display_name'] if (-not $ParsedYaml.ContainsKey('atomic_tests')) { Write-Error "$ErrorStringPrefix 'atomic_tests' element is required." return } if (-not ($ParsedYaml['atomic_tests'] -is [System.Collections.Generic.List`1[Object]])) { Write-Error "$ErrorStringPrefix 'atomic_tests' element must be an array." return } $AtomicTests = [AtomicTest[]]::new($ParsedYaml['atomic_tests'].Count) if (-not $ParsedYaml['atomic_tests'].Count) { Write-Error "$ErrorStringPrefix 'atomic_tests' element is empty - you have no tests." return } for ($i = 0; $i -lt $ParsedYaml['atomic_tests'].Count; $i++) { $AtomicTest = $ParsedYaml['atomic_tests'][$i] $AtomicTestInstance = [AtomicTest]::new() $StringsWithPotentialInputArgs = New-Object -TypeName 'System.Collections.Generic.List`1[String]' if (-not $AtomicTest.ContainsKey('name')) { Write-Error "$ErrorStringPrefix 'atomic_tests[$i].name' element is required." return } if (-not ($AtomicTest['name'] -is [String])) { Write-Error "$ErrorStringPrefix 'atomic_tests[$i].name' element must be a string." return } $AtomicTestInstance.name = $AtomicTest['name'] $AtomicTestInstance.auto_generated_guid = $AtomicTest['auto_generated_guid'] if (-not $AtomicTest.ContainsKey('description')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description' element is required." return } if (-not ($AtomicTest['description'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description' element must be a string." return } $AtomicTestInstance.description = $AtomicTest['description'] if (-not $AtomicTest.ContainsKey('supported_platforms')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms' element is required." return } if (-not ($AtomicTest['supported_platforms'] -is [System.Collections.Generic.List`1[Object]])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms' element must be an array." return } foreach ($SupportedPlatform in $AtomicTest['supported_platforms']) { if ($ValidSupportedPlatforms -cnotcontains $SupportedPlatform) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms': '$SupportedPlatform' must be one of the following: $($ValidSupportedPlatforms -join ', ')." return } } $AtomicTestInstance.supported_platforms = $AtomicTest['supported_platforms'] $Dependencies = $null if ($AtomicTest['dependencies'].Count) { $Dependencies = [AtomicDependency[]]::new($AtomicTest['dependencies'].Count) $j = 0 # dependencies are optional and there can be multiple foreach ($Dependency in $AtomicTest['dependencies']) { $DependencyInstance = [AtomicDependency]::new() if (-not $Dependency.ContainsKey('description')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].description' element is required." return } if (-not ($Dependency['description'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].description' element must be a string." return } $DependencyInstance.description = $Dependency['description'] $StringsWithPotentialInputArgs.Add($Dependency['description']) if (-not $Dependency.ContainsKey('prereq_command')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].prereq_command' element is required." return } if (-not ($Dependency['prereq_command'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].prereq_command' element must be a string." return } $DependencyInstance.prereq_command = $Dependency['prereq_command'] $StringsWithPotentialInputArgs.Add($Dependency['prereq_command']) if (-not $Dependency.ContainsKey('get_prereq_command')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].get_prereq_command' element is required." return } if (-not ($Dependency['get_prereq_command'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].get_prereq_command' element must be a string." return } $DependencyInstance.get_prereq_command = $Dependency['get_prereq_command'] $StringsWithPotentialInputArgs.Add($Dependency['get_prereq_command']) $Dependencies[$j] = $DependencyInstance $j++ } $AtomicTestInstance.dependencies = $Dependencies } if ($AtomicTest.ContainsKey('dependency_executor_name')) { if ($ValidExecutorTypes -notcontains $AtomicTest['dependency_executor_name']) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependency_executor_name': '$($AtomicTest['dependency_executor_name'])' must be one of the following: $($ValidExecutorTypes -join ', ')." return } if ($null -eq $AtomicTestInstance.Dependencies) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] If 'atomic_tests[$i].dependency_executor_name' is defined, there must be at least one dependency defined." } $AtomicTestInstance.dependency_executor_name = $AtomicTest['dependency_executor_name'] } $InputArguments = $null # input_arguments is optional if ($AtomicTest.ContainsKey('input_arguments')) { if (-not ($AtomicTest['input_arguments'] -is [Hashtable])) { $AtomicTest['input_arguments'].GetType().FullName Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments' must be a hashtable." return } if (-not ($AtomicTest['input_arguments'].Count)) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments' must have at least one entry." return } $InputArguments = @{} $j = 0 foreach ($InputArgName in $AtomicTest['input_arguments'].Keys) { $InputArgument = [AtomicInputArgument]::new() if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('description')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].description' element is required." return } if (-not ($AtomicTest['input_arguments'][$InputArgName]['description'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].description' element must be a string." return } $InputArgument.description = $AtomicTest['input_arguments'][$InputArgName]['description'] if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('type')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].type' element is required." return } if ($ValidInputArgTypes -notcontains $AtomicTest['input_arguments'][$InputArgName]['type']) { Write-Warning "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].type': '$($AtomicTest['input_arguments'][$InputArgName]['type'])' should be one of the following: $($ValidInputArgTypes -join ', ')" } $InputArgument.type = $AtomicTest['input_arguments'][$InputArgName]['type'] if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('default')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].default' element is required." return } $InputArgument.default = $AtomicTest['input_arguments'][$InputArgName]['default'] $InputArguments[$InputArgName] = $InputArgument $j++ } } $AtomicTestInstance.input_arguments = $InputArguments if (-not $AtomicTest.ContainsKey('executor')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor' element is required." return } if (-not ($AtomicTest['executor'] -is [Hashtable])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor' element must be a hashtable." return } if (-not $AtomicTest['executor'].ContainsKey('name')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.name' element is required." return } if (-not ($AtomicTest['executor']['name'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name' element must be a string." return } if ($AtomicTest['executor']['name'] -notmatch '^(?-i:[a-z_]+)$') { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name' element must be lowercased and underscored." return } if ($ValidExecutorTypes -notcontains $AtomicTest['executor']['name']) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name': '$($AtomicTest['executor']['name'])' must be one of the following: $($ValidExecutorTypes -join ', ')" return } if ($AtomicTest['executor']['name'] -eq 'manual') { if (-not $AtomicTest['executor'].ContainsKey('steps')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.steps' element is required when the 'manual' executor is used." return } if (-not ($AtomicTest['executor']['steps'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.steps' element must be a string." return } $ExecutorInstance = [AtomicExecutorManual]::new() $ExecutorInstance.steps = $AtomicTest['executor']['steps'] $StringsWithPotentialInputArgs.Add($AtomicTest['executor']['steps']) } else { if (-not $AtomicTest['executor'].ContainsKey('command')) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.command' element is required when the '$($ValidExecutorTypes -join ', ')' executors are used." return } if (-not ($AtomicTest['executor']['command'] -is [String])) { Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.command' element must be a string." 8aa15ef8-8041-48ae-b1ee-b542036e9760C:\AtomicRedTeam\invoke-atomicredteam\Public\Get-AtomicTechnique.ps1 410615103150x0708453Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708452Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708451Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708450Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708449Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3064d909-08ec-4728-a9aa-6617b06699762b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708448Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11#requires -Version 5.0 # execute amsi bypass if configured to use one if([bool]$artConfig.absb -and ($artConfig.OS -eq "windows")){ $artConfig.absb.Invoke() } #Get public and private function definition files. $Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -Recurse -ErrorAction SilentlyContinue ) $Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -Recurse -Exclude "AtomicClassSchema.ps1" -ErrorAction SilentlyContinue ) # Make sure the Atomic Class Schema is available first (a workaround so PSv5.0 doesn't give errors) . "$PSScriptRoot\Private\AtomicClassSchema.ps1" #Dot source the files Foreach ($import in @($Public + $Private)) { Try { . $import.fullname } Catch { Write-Error -Message "Failed to import function $($import.fullname): $_" } } 3064d909-08ec-4728-a9aa-6617b0669976C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1 410615103150x0708447Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local66ebeb04-ccc6-4b1c-b53d-12c8db52d46d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708446Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local66ebeb04-ccc6-4b1c-b53d-12c8db52d46d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708445Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) { if ($isWindows -and -not [System.Diagnostics.EventLog]::Exists('Atomic Red Team')) { New-EventLog -Source "Applications and Services Logs" -LogName "Atomic Red Team" } } function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) { $timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $ipAddress = Get-PreferredIPAddress $isWindows $msg = [PSCustomObject][ordered]@{ "Execution Time (UTC)" = $timeUTC "Execution Time (Local)" = $timeLocal "Technique" = $technique "Test Number" = $testNum "Test Name" = $testName "Hostname" = $targetHostname "IP Address" = $ipAddress "Username" = $targetUser "GUID" = $testGuid "Tag" = "atomicrunner" "CustomTag" = $artConfig.CustomTag "ProcessId" = $res.ProcessId "ExitCode" = $res.ExitCode } Write-EventLog -Source "Applications and Services Logs" -LogName "Atomic Red Team" -EventID 3001 -EntryType Information -Message $msg -Category 1 -RawData 10, 20 } function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) { } 66ebeb04-ccc6-4b1c-b53d-12c8db52d46dC:\AtomicRedTeam\invoke-atomicredteam\Public\WinEvent-ExecutionLogger.psm1 410615103150x0708444Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local016504b4-0d0c-455a-a9e9-275315b53e042b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708443Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local016504b4-0d0c-455a-a9e9-275315b53e042b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708442Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) { } function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) { $timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $ipAddress = Get-PreferredIPAddress $isWindows $msg = [PSCustomObject][ordered]@{ "Execution Time (UTC)" = $timeUTC "Execution Time (Local)" = $timeLocal "Technique" = $technique "Test Number" = $testNum "Test Name" = $testName "Hostname" = $targetHostname "IP Address" = $ipAddress "Username" = $targetUser "GUID" = $testGuid "Tag" = "atomicrunner" "CustomTag" = $artConfig.CustomTag "ProcessId" = $res.ProcessId "ExitCode" = $res.ExitCode } # send syslog message if a syslog server is defined in Public/config.ps1 if ([bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort) { $jsonMsg = $msg | ConvertTo-Json -Compress Send-SyslogMessage -Server $artConfig.syslogServer -Port $artConfig.syslogPort -Message $jsonMsg -Severity "Informational" -Facility "daemon" -Transport $artConfig.syslogProtocol } } function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) { } 016504b4-0d0c-455a-a9e9-275315b53e04C:\AtomicRedTeam\invoke-atomicredteam\Public\Syslog-ExecutionLogger.psm1 410615103150x0708441Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6114c374-6731-41e2-a4fc-e9b38f2053b22b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708440Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6114c374-6731-41e2-a4fc-e9b38f2053b22b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708439Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Attire-ExecutionLogger.psm1 # Copyright 2023 Security Risk Advisors # Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), # to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, # and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: # The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. # THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. $script:attireLog = [PSCustomObject]@{ 'attire-version' = '1.1' 'execution-data' = '' 'procedures' = @() } function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) { $ipAddress = Get-PreferredIPAddress $isWindows if ($targetUser -isnot [string]) { if ([bool]($targetUser.PSobject.Properties.name -match "^value$")) { $targetUser = $targetUser.value } else { $targetUser = $targetUser.ToString() } } if ($targetHostname -isnot [string]) { if ([bool]($targetHostname.PSobject.Properties.name -match "^value$")) { $targetHostname = $targetHostname.value } else { $targetHostname = $targetHostname.ToString() } } $target = [PSCustomObject]@{ user = $targetUser host = $targetHostname ip = $ipAddress path = $Env:PATH } $guid = New-Guid $bytes = [System.Text.Encoding]::UTF8.GetBytes($guid.Guid) $executionId = [Convert]::ToBase64String($bytes) $executionCategory = [PSCustomObject]@{ 'name' = "Atomic Red Team" 'abbreviation' = "ART" } $executionData = [PSCustomObject]@{ 'execution-source' = "Invoke-Atomicredteam" 'execution-id' = $executionId 'execution-category' = $executionCategory 'execution-command' = $commandLine target = $target 'time-generated' = "" } $script:attireLog.'execution-data' = $executionData } function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) { $startTime = (Get-Date($startTime).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z').ToString() $stopTime = (Get-Date($stopTime).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z').ToString() $procedureId = [PSCustomObject]@{ type = "guid" id = $testGuid } $step = [PSCustomObject]@{ 'order' = 1 'time-start' = $startTime 'time-stop' = $stopTime 'executor' = $testExecutor 'command' = $command 'output' = @() } $stdOutContents = $res.StandardOutput if (($stdOutContents -isnot [string]) -and ($null -ne $stdOutContents)) { $stdOutContents = $stdOutContents.ToString() } $outputStdConsole = [PSCustomObject]@{ content = $stdOutContents level = "STDOUT" type = "console" } $stdErrContents = $res.ErrorOutput if (($stdErrContents -isnot [string]) -and ($null -ne $stdErrContents)) { $stdErrContents = $stdErrContents.ToString() } $outputErrConsole = [PSCustomObject]@{ content = $stdErrContents level = "STDERR" type = "console" } [bool] $foundOutput = $false if ($res.StandardOutput.length -gt 0) { $foundOutput = $true $step.output += $outputStdConsole } if ($res.ErrorOutput.length -gt 0) { $foundOutput = $true $step.output += $outputErrConsole } if (!$foundOutput) { $emptyOutput = [PSCustomObject]@{ content = "" level = "STDOUT" type = "console" } $step.output += $emptyOutput } $procedure = [PSCustomObject]@{ 'mitre-technique-id' = $technique 'procedure-name' = $testName 'procedure-id' = $procedureId 'procedure-description' = $testDescription order = $testNum steps = @() } $procedure.steps += $step $script:attireLog.procedures += $procedure } function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) { $script:attireLog.'execution-data'.'time-generated' = (Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z') #$script:attireLog | Export-Csv -Path "attireLogObject.csv" $content = ($script:attireLog | ConvertTo-Json -Depth 12) #$Utf8NoBom = New-Object System.Text.UTF8Encoding $False [System.IO.File]::WriteAllLines((Resolve-NonexistantPath($logPath)), $content) #Out-File -FilePath $logPath -InputObject ($script:attireLog | ConvertTo-Json -Depth 12) -Append -Encoding ASCII $script:attireLog = [PSCustomObject]@{ 'attire-version' = '1.1' 'execution-data' = '' procedures = @() } } function Resolve-NonexistantPath($File) { $Path = Resolve-Path $File -ErrorAction SilentlyContinue -ErrorVariable error if (-not($Path)) { $Path = $error[0].TargetObject } return $Path } 6114c374-6731-41e2-a4fc-e9b38f2053b2C:\AtomicRedTeam\invoke-atomicredteam\Public\Attire-ExecutionLogger.psm1 410615103150x0708438Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local85871253-d20c-43d2-b56d-5aa46fe3d83c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708437Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local85871253-d20c-43d2-b56d-5aa46fe3d83c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708436Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) { } function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) { if (!(Test-Path $logPath)) { New-Item $logPath -Force -ItemType File | Out-Null } $ipAddress = Get-PreferredIPAddress $isWindows $timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString() $msg = [PSCustomObject][ordered]@{ "Execution Time (UTC)" = $timeUTC "Execution Time (Local)" = $timeLocal "Technique" = $technique "Test Number" = $testNum "Test Name" = $testName "Hostname" = $targetHostname "IP Address" = $ipAddress "Username" = $targetUser "GUID" = $testGuid "ProcessId" = $res.ProcessId "ExitCode" = $res.ExitCode } $msg | Export-Csv -Path $LogPath -NoTypeInformation -Append } function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) { } 85871253-d20c-43d2-b56d-5aa46fe3d83cC:\AtomicRedTeam\invoke-atomicredteam\Public\Default-ExecutionLogger.psm1 410615103150x0708435Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708434Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708433Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11 $artConfig = [PSCustomObject]@{ # [optional] These two configs are calculated programatically, you probably don't need to change them basehostname = $((hostname | Select-String -Pattern "(.*?)(-[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})?$").Matches.Groups[1].value) OS = $( if ($IsLinux) { "linux" } elseif ($IsMacOS) { "macos" } else { "windows" }) # [optional(if using default install paths)] Paths to your Atomic Red Team "atomics" folder and your "invoke-atomicredteam" folder PathToInvokeFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "/AtomicRedTeam/invoke-atomicredteam" # this is the default install path so you probably don't need to change this PathToPublicAtomicsFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "AtomicRedTeam/atomics" # this is the default install path so you probably don't need to change this PathToPrivateAtomicsFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "PrivateAtomics/atomics" # if you aren't providing your own private atomics that are custom written by you, just leave this as is # [ Optional ] The user that will be running each atomic test user = $( if ($IsLinux -or $IsMacOS) { $env:USER } else { "$env:USERDOMAIN\$env:USERNAME" }) # example "corp\atomicrunner" # [optional] the path where you want the folder created that houses the logs and the runner schedule. Defaults to users home directory basePath = $( if (!$IsLinux -and !$IsMacOS) { $env:USERPROFILE } else { $env:HOME }) # example "C:\Users\atomicrunner" # [optional] scheduleTimeSpan = New-TimeSpan -Days 7 # the time in which all tests on the schedule should complete kickOffDelay = New-TimeSpan -Minutes 0 # an additional delay before Invoke-KickoffAtomicRunner calls Invoke-AtomicRunner scheduleFileName = "AtomicRunnerSchedule.csv" # [optional] If you need to use a group managed service account in order to rename the computer, enter it here gmsaAccount = $null # [optional] Logging Module, uses Syslog-ExecutionLogger if left blank and the syslogServer and syslogPort are set, otherwise it uses the Default-ExecutionLogger LoggingModule = '' # [optional] Syslog configuration, default execution logs will be sent to this server:port syslogServer = '' # set to empty string '' if you don't want to log atomic execution details to a syslog server (don't includle http(s):\\) syslogPort = 514 syslogProtocol = 'UDP' # options are UDP, TCP, TCPwithTLS verbose = $true; # set to true for more log output # [optional] logfile filename configs logFolder = "AtomicRunner-Logs" timeLocal = (Get-Date(get-date) -uformat "%Y-%m-%d").ToString() # amsi bypass script block (applies to Windows only) absb = $null } # If you create a file called privateConfig.ps1 in the same directory as you installed Invoke-AtomicRedTeam you can overwrite any of these settings with your custom values $root = Split-Path (Split-Path $PSScriptRoot -Parent) -Parent $pathToPrivateConfig = Join-Path $root "privateConfig.ps1" if (Test-Path ($pathToPrivateConfig)) { if ($IsLinux -or $IsMacOS) { chmod +x $pathToPrivateConfig } & ($pathToPrivateConfig) } ##################################################################################### # All of the configs below are calculated using the script block in the "Value" field. # This way, when you change the 'basePath' everything else is updated. # You should probably leave all of the stuff below alone. ##################################################################################### $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "runnerFolder" Value = { Join-Path $artConfig.basePath "AtomicRunner" } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "atomicLogsPath" Value = { Join-Path $artConfig.basePath $artConfig.logFolder } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "scheduleFile" Value = { Join-Path $artConfig.runnerFolder $artConfig.scheduleFileName } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "credFile" Value = { Join-Path $artConfig.runnerFolder "psc_$($artConfig.basehostname).txt" } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "execLogPath" Value = { Join-Path $artConfig.atomicLogsPath "$($artConfig.timeLocal)`_$($artConfig.basehostname)-ExecLog.csv" } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "stopFile" Value = { Join-Path $artConfig.runnerFolder "stop.txt" } } Add-Member @scriptParam $scriptParam = @{ MemberType = "ScriptProperty" InputObject = $artConfig Name = "logFile" Value = { Join-Path $artConfig.atomicLogsPath "log-$($artConfig.basehostname).txt" } } Add-Member @scriptParam 13a76087-a21b-4698-bf96-a8ddc5a8d4d5C:\AtomicRedTeam\invoke-atomicredteam\Public\config.ps1 410615103150x0708432Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708431Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708430Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11class AtomicDependency { [String] $description [String] $prereq_command [String] $get_prereq_command } class AtomicInputArgument { [String] $description [String] $type [String] $default } class AtomicExecutorBase { [String] $name [Bool] $elevation_required # Implemented to facilitate improved PS object display [String] ToString() { return $this.Name } } class AtomicExecutorDefault : AtomicExecutorBase { [String] $command [String] $cleanup_command } class AtomicExecutorManual : AtomicExecutorBase { [String] $steps [String] $cleanup_command } class AtomicTest { [String] $name [String] $auto_generated_guid [String] $description [String[]] $supported_platforms # I wish this didn't have to be a hashtable but I don't # want to change the schema and introduce a breaking change. [Hashtable] $input_arguments [String] $dependency_executor_name [AtomicDependency[]] $dependencies [AtomicExecutorBase] $executor # Implemented to facilitate improved PS object display [String] ToString() { return $this.name } } class AtomicTechnique { [String[]] $attack_technique [String] $display_name [AtomicTest[]] $atomic_tests } 57293e21-c8d3-413e-8ca5-bcc9422de5deC:\AtomicRedTeam\invoke-atomicredteam\Private\AtomicClassSchema.ps1 410615103150x0708429Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb4ecc18a-3f58-457d-9476-f738efb6af422b535b4c-a403-4565-9d75-b1fc8c18a9ac 410314106200x0708428Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local Severity = Informational Host Name = ConsoleHost Host Version = 5.1.17763.5328 Host ID = 399c885b-5299-4104-9115-f2730c038a52 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Engine Version = 5.1.17763.5328 Runspace ID = 2b535b4c-a403-4565-9d75-b1fc8c18a9ac Pipeline ID = 4 Command Name = Add-Type Command Type = Cmdlet Script Name = C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1 Command Path = Sequence Number = 16 User = ATTACKRANGE\Administrator Connected User = Shell ID = Microsoft.PowerShell CommandInvocation(Add-Type): "Add-Type" ParameterBinding(Add-Type): name="TypeDefinition"; value="using System; using System.Text.RegularExpressions; using YamlDotNet; using YamlDotNet.Core; using YamlDotNet.Serialization; using YamlDotNet.Serialization.EventEmitters; public class StringQuotingEmitter: ChainedEventEmitter { // Patterns from https://yaml.org/spec/1.2/spec.html#id2804356 private static Regex quotedRegex = new Regex(@"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$", RegexOptions.Compiled | RegexOptions.IgnoreCase); public StringQuotingEmitter(IEventEmitter next): base(next) {} public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter) { var typeCode = eventInfo.Source.Value != null ? Type.GetTypeCode(eventInfo.Source.Type) : TypeCode.Empty; switch (typeCode) { case TypeCode.Char: if (Char.IsDigit((char)eventInfo.Source.Value)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } break; case TypeCode.String: var val = eventInfo.Source.Value.ToString(); if (quotedRegex.IsMatch(val)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } else if (val.IndexOf('\n') > -1) { eventInfo.Style = ScalarStyle.Literal; } break; } base.Emit(eventInfo, emitter); } public static SerializerBuilder Add(SerializerBuilder builder) { return builder.WithEventEmitter(next => new StringQuotingEmitter(next)); } }" ParameterBinding(Add-Type): name="ReferencedAssemblies"; value="C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\lib\net45\YamlDotNet.dll, C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll" ParameterBinding(Add-Type): name="Language"; value="CSharp" 410615103150x0708427Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local150366b0-e0b6-40dc-b951-f119ead5ef152b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708426Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local150366b0-e0b6-40dc-b951-f119ead5ef152b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708425Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc41933e3-59a3-47e6-ac40-59ab94dec44a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708424Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc41933e3-59a3-47e6-ac40-59ab94dec44a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708423Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708422Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708421Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708420Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708419Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb4ecc18a-3f58-457d-9476-f738efb6af422b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708418Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # enum SerializationOptions { None = 0 Roundtrip = 1 DisableAliases = 2 EmitDefaults = 4 JsonCompatible = 8 DefaultToStaticType = 16 WithIndentedSequences = 32 } $here = Split-Path -Parent $MyInvocation.MyCommand.Path $assemblies = Join-Path $here "Load-Assemblies.ps1" $infinityRegex = [regex]::new('^[-+]?(\.inf|\.Inf|\.INF)$', "Compiled, CultureInvariant"); if (Test-Path $assemblies) { . $here\Load-Assemblies.ps1 } function Get-YamlDocuments { [CmdletBinding()] Param( [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [string]$Yaml, [switch]$UseMergingParser=$false ) PROCESS { $stringReader = new-object System.IO.StringReader($Yaml) $parser = New-Object "YamlDotNet.Core.Parser" $stringReader if($UseMergingParser) { $parser = New-Object "YamlDotNet.Core.MergingParser" $parser } $yamlStream = New-Object "YamlDotNet.RepresentationModel.YamlStream" $yamlStream.Load([YamlDotNet.Core.IParser] $parser) $stringReader.Close() return $yamlStream } } function Convert-ValueToProperType { [CmdletBinding()] Param( [Parameter(Mandatory=$true,ValueFromPipeline=$true)] [System.Object]$Node ) PROCESS { if (!($Node.Value -is [string])) { return $Node } if ([string]::IsNullOrEmpty($Node.Tag) -eq $false) { switch($Node.Tag) { "tag:yaml.org,2002:str" { return $Node.Value } "tag:yaml.org,2002:null" { return $null } "tag:yaml.org,2002:bool" { $parsedValue = $false if (![boolean]::TryParse($Node.Value, [ref]$parsedValue)) { Throw ("failed to parse scalar {0} as boolean" -f $Node) } return $parsedValue } "tag:yaml.org,2002:int" { $parsedValue = 0 if ($node.Value.Length -gt 2) { switch ($node.Value.Substring(0, 2)) { "0o" { $parsedValue = [Convert]::ToInt64($Node.Value.Substring(2), 8) } "0x" { $parsedValue = [Convert]::ToInt64($Node.Value.Substring(2), 16) } default { if (![long]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) { Throw ("failed to parse scalar {0} as long" -f $Node) } } } } else { if (![long]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) { Throw ("failed to parse scalar {0} as long" -f $Node) } } return $parsedValue } "tag:yaml.org,2002:float" { $parsedValue = 0.0 if ($infinityRegex.Matches($Node.Value)) { $prefix = $Node.Value.Substring(0, 1) switch ($prefix) { "-" { return [double]::NegativeInfinity } default { # Prefix is either missing or is a + return [double]::PositiveInfinity } } } if (![double]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) { Throw ("failed to parse scalar {0} as double" -f $Node) } return $parsedValue } "tag:yaml.org,2002:timestamp" { # From the YAML spec: http://yaml.org/type/timestamp.html [DateTime]$parsedValue = [DateTime]::MinValue $ts = [DateTime]::SpecifyKind($Node.Value, [System.DateTimeKind]::Utc) $tss = $ts.ToString("o") if(![datetime]::TryParse($tss, $null, [System.Globalization.DateTimeStyles]::RoundtripKind, [ref] $parsedValue)) { Throw ("failed to parse scalar {0} as DateTime" -f $Node) } return $parsedValue } } } if ($Node.Style -eq 'Plain') { $types = @([int], [long], [double], [boolean], [decimal]) foreach($i in $types){ $parsedValue = New-Object -TypeName $i.FullName if ($i.IsAssignableFrom([boolean])){ $result = $i::TryParse($Node,[ref]$parsedValue) } else { $result = $i::TryParse($Node, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue) } if( $result ) { return $parsedValue } } } if ($Node.Style -eq 'Plain' -and $Node.Value -in '','~','null','Null','NULL') { return $null } return $Node.Value } } function Convert-YamlMappingToHashtable { [CmdletBinding()] Param( [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [YamlDotNet.RepresentationModel.YamlMappingNode]$Node, [switch] $Ordered ) PROCESS { if ($Ordered) { $ret = [ordered]@{} } else { $ret = @{} } foreach($i in $Node.Children.Keys) { $ret[$i.Value] = Convert-YamlDocumentToPSObject $Node.Children[$i] -Ordered:$Ordered } return $ret } } function Convert-YamlSequenceToArray { [CmdletBinding()] Param( [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [YamlDotNet.RepresentationModel.YamlSequenceNode]$Node, [switch]$Ordered ) PROCESS { $ret = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]") foreach($i in $Node.Children){ $ret.Add((Convert-YamlDocumentToPSObject $i -Ordered:$Ordered)) } return ,$ret } } function Convert-YamlDocumentToPSObject { [CmdletBinding()] Param( [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [System.Object]$Node, [switch]$Ordered ) PROCESS { switch($Node.GetType().FullName){ "YamlDotNet.RepresentationModel.YamlMappingNode"{ return Convert-YamlMappingToHashtable $Node -Ordered:$Ordered } "YamlDotNet.RepresentationModel.YamlSequenceNode" { return Convert-YamlSequenceToArray $Node -Ordered:$Ordered } "YamlDotNet.RepresentationModel.YamlScalarNode" { return (Convert-ValueToProperType $Node) } } } } function Convert-HashtableToDictionary { Param( [Parameter(Mandatory=$true,ValueFromPipeline=$true)] [hashtable]$Data ) foreach($i in $($data.Keys)) { $Data[$i] = Convert-PSObjectToGenericObject $Data[$i] } return $Data } function Convert-OrderedHashtableToDictionary { Param( [Parameter(Mandatory=$true,ValueFromPipeline=$true)] [System.Collections.Specialized.OrderedDictionary] $Data ) foreach ($i in $($data.Keys)) { $Data[$i] = Convert-PSObjectToGenericObject $Data[$i] } return $Data } function Convert-ListToGenericList { Param( [Parameter(Mandatory=$false,ValueFromPipeline=$true)] [array]$Data=@() ) $ret = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]") for($i=0; $i -lt $Data.Count; $i++) { $ret.Add((Convert-PSObjectToGenericObject $Data[$i])) } return ,$ret } function Convert-PSCustomObjectToDictionary { Param( [Parameter(Mandatory=$true,ValueFromPipeline=$true)] [PSCustomObject]$Data ) $ret = [System.Collections.Generic.Dictionary[string,object]](New-Object 'System.Collections.Generic.Dictionary[string,object]') foreach ($i in $Data.psobject.properties) { $ret[$i.Name] = Convert-PSObjectToGenericObject $i.Value } return $ret } function Convert-PSObjectToGenericObject { Param( [Parameter(Mandatory=$false,ValueFromPipeline=$true)] [System.Object]$Data ) if ($null -eq $data) { return $data } $dataType = $data.GetType() if ($data -isnot [System.Object]) { return $data -as $dataType } if ($dataType.FullName -eq "System.Management.Automation.PSCustomObject") { return Convert-PSCustomObjectToDictionary $data } elseif (([System.Collections.Specialized.OrderedDictionary].IsAssignableFrom($dataType))){ return Convert-OrderedHashtableToDictionary $data } elseif (([System.Collections.IDictionary].IsAssignableFrom($dataType))){ return Convert-HashtableToDictionary $data } elseif (([System.Collections.IList].IsAssignableFrom($dataType))) { return Convert-ListToGenericList $data } return $data -as $dataType } function ConvertFrom-Yaml { [CmdletBinding()] Param( [Parameter(Mandatory=$false, ValueFromPipeline=$true, Position=0)] [string]$Yaml, [switch]$AllDocuments=$false, [switch]$Ordered, [switch]$UseMergingParser=$false ) BEGIN { $d = "" } PROCESS { if($Yaml -is [string]) { $d += $Yaml + "`n" } } END { if($d -eq ""){ return } $documents = Get-YamlDocuments -Yaml $d -UseMergingParser:$UseMergingParser if (!$documents.Count) { return } if($documents.Count -eq 1){ return Convert-YamlDocumentToPSObject $documents[0].RootNode -Ordered:$Ordered } if(!$AllDocuments) { return Convert-YamlDocumentToPSObject $documents[0].RootNode -Ordered:$Ordered } $ret = @() foreach($i in $documents) { $ret += Convert-YamlDocumentToPSObject $i.RootNode -Ordered:$Ordered } return $ret } } $stringQuotingEmitterSource = @" using System; using System.Text.RegularExpressions; using YamlDotNet; using YamlDotNet.Core; using YamlDotNet.Serialization; using YamlDotNet.Serialization.EventEmitters; public class StringQuotingEmitter: ChainedEventEmitter { // Patterns from https://yaml.org/spec/1.2/spec.html#id2804356 private static Regex quotedRegex = new Regex(@`"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$`", RegexOptions.Compiled | RegexOptions.IgnoreCase); public StringQuotingEmitter(IEventEmitter next): base(next) {} public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter) { var typeCode = eventInfo.Source.Value != null ? Type.GetTypeCode(eventInfo.Source.Type) : TypeCode.Empty; switch (typeCode) { case TypeCode.Char: if (Char.IsDigit((char)eventInfo.Source.Value)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } break; case TypeCode.String: var val = eventInfo.Source.Value.ToString(); if (quotedRegex.IsMatch(val)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } else if (val.IndexOf('\n') > -1) { eventInfo.Style = ScalarStyle.Literal; } break; } base.Emit(eventInfo, emitter); } public static SerializerBuilder Add(SerializerBuilder builder) { return builder.WithEventEmitter(next => new StringQuotingEmitter(next)); } } "@ if (!([System.Management.Automation.PSTypeName]'StringQuotingEmitter').Type) { $referenceList = @([YamlDotNet.Serialization.Serializer].Assembly.Location,[Text.RegularExpressions.Regex].Assembly.Location) if ($PSVersionTable.PSEdition -eq "Core") { $referenceList += [IO.Directory]::GetFiles([IO.Path]::Combine($PSHOME, 'ref'), 'netstandard.dll', [IO.SearchOption]::TopDirectoryOnly) Add-Type -TypeDefinition $stringQuotingEmitterSource -ReferencedAssemblies $referenceList -Language CSharp -CompilerOptions "-nowarn:1701" } else { Add-Type -TypeDefinition $stringQuotingEmitterSource -ReferencedAssemblies $referenceList -Language CSharp } } function Get-Serializer { Param( [Parameter(Mandatory=$true)][SerializationOptions]$Options ) $builder = New-Object "YamlDotNet.Serialization.SerializerBuilder" if ($Options.HasFlag([SerializationOptions]::Roundtrip)) { $builder = $builder.EnsureRoundtrip() } if ($Options.HasFlag([SerializationOptions]::DisableAliases)) { $builder = $builder.DisableAliases() } if ($Options.HasFlag([SerializationOptions]::EmitDefaults)) { $builder = $builder.EmitDefaults() } if ($Options.HasFlag([SerializationOptions]::JsonCompatible)) { $builder = $builder.JsonCompatible() } if ($Options.HasFlag([SerializationOptions]::DefaultToStaticType)) { $builder = $builder.WithTypeResolver((New-Object "YamlDotNet.Serialization.TypeResolvers.StaticTypeResolver")) } if ($Options.HasFlag([SerializationOptions]::WithIndentedSequences)) { $builder = $builder.WithIndentedSequences() } $builder = [StringQuotingEmitter]::Add($builder) return $builder.Build() } function ConvertTo-Yaml { [CmdletBinding(DefaultParameterSetName = 'NoOptions')] Param( [Parameter(ValueFromPipeline = $true, Position=0)] [System.Object]$Data, [string]$OutFile, [Parameter(ParameterSetName = 'Options')] [SerializationOptions]$Options = [SerializationOptions]::Roundtrip, [Parameter(ParameterSetName = 'NoOptions')] [switch]$JsonCompatible, [switch]$KeepArray, [switch]$Force ) BEGIN { $d = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]") } PROCESS { if($data -is [System.Object]) { $d.Add($data) } } END { if ($d -eq $null -or $d.Count -eq 0) { return } if ($d.Count -eq 1 -and !($KeepArray)) { $d = $d[0] } $norm = Convert-PSObjectToGenericObject $d if ($OutFile) { $parent = Split-Path $OutFile if (!(Test-Path $parent)) { Throw "Parent folder for specified path does not exist" } if ((Test-Path $OutFile) -and !$Force) { Throw "Target file already exists. Use -Force to overwrite." } $wrt = New-Object "System.IO.StreamWriter" $OutFile } else { $wrt = New-Object "System.IO.StringWriter" } if ($PSCmdlet.ParameterSetName -eq 'NoOptions') { $Options = 0 if ($JsonCompatible) { # No indent options :~( $Options = [SerializationOptions]::JsonCompatible } } try { $serializer = Get-Serializer $Options $serializer.Serialize($wrt, $norm) } catch{ $_ } finally { $wrt.Close() } if ($OutFile) { return } else { return $wrt.ToString() } } } New-Alias -Name cfy -Value ConvertFrom-Yaml New-Alias -Name cty -Value ConvertTo-Yaml Export-ModuleMember -Function ConvertFrom-Yaml,ConvertTo-Yaml -Alias cfy,cty b4ecc18a-3f58-457d-9476-f738efb6af42C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1 410615103150x0708417Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708416Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708415Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf8afa8d1-795a-4ea8-bdb7-b093630e53022b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708414Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf8afa8d1-795a-4ea8-bdb7-b093630e53022b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708413Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Load-Assembly { $libDir = Join-Path $here "lib" $assemblies = @{ "core" = Join-Path $libDir "netstandard2.1\YamlDotNet.dll"; "net45" = Join-Path $libDir "net45\YamlDotNet.dll"; "net35" = Join-Path $libDir "net35\YamlDotNet.dll"; } if ($PSVersionTable.Keys -contains "PSEdition") { if ($PSVersionTable.PSEdition -eq "Core") { return [Reflection.Assembly]::LoadFrom($assemblies["core"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies["net45"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies["net35"]) } } else { # Powershell 4.0 and lower do not know "PSEdition" yet return [Reflection.Assembly]::LoadFrom($assemblies["net35"]) } }f8afa8d1-795a-4ea8-bdb7-b093630e5302C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1 410515102150x0708412Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708411Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Initialize-Assemblies { $requiredTypes = @( "Parser", "MergingParser", "YamlStream", "YamlMappingNode", "YamlSequenceNode", "YamlScalarNode", "ChainedEventEmitter", "Serializer", "Deserializer", "SerializerBuilder", "StaticTypeResolver" ) $type = "YamlDotNet.Serialization.Serializer" -as [type] if (!$type) { return Load-Assembly } $yaml = $type.Assembly foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw "YamlDotNet is loaded but missing required types ($i). Older version installed on system?" } } }f5be2bf7-34df-49ca-ba95-548ee7b463a9C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1 410615103150x0708410Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7366d78d-fe4d-42e2-97a1-6804fc40cd5d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708409Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7366d78d-fe4d-42e2-97a1-6804fc40cd5d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708408Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104132150x0708407Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here "lib" $assemblies = @{ "core" = Join-Path $libDir "netstandard2.1\YamlDotNet.dll"; "net45" = Join-Path $libDir "net45\YamlDotNet.dll"; "net35" = Join-Path $libDir "net35\YamlDotNet.dll"; } if ($PSVersionTable.Keys -contains "PSEdition") { if ($PSVersionTable.PSEdition -eq "Core") { return [Reflection.Assembly]::LoadFrom($assemblies["core"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies["net45"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies["net35"]) } } else { # Powershell 4.0 and lower do not know "PSEdition" yet return [Reflection.Assembly]::LoadFrom($assemblies["net35"]) } } function Initialize-Assemblies { $requiredTypes = @( "Parser", "MergingParser", "YamlStream", "YamlMappingNode", "YamlSequenceNode", "YamlScalarNode", "ChainedEventEmitter", "Serializer", "Deserializer", "SerializerBuilder", "StaticTypeResolver" ) $type = "YamlDotNet.Serialization.Serializer" -as [type] if (!$type) { return Load-Assembly } $yaml = $type.Assembly foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw "YamlDotNet is loaded but missing required types ($i). Older version installed on system?" } } } Initialize-Assemblies | Out-Null a3b4d9ad-a88c-4e67-8120-d192c168c534C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1 410615103150x0708406Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708405Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708404Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708403Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708402Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # Module manifest for module 'powershell-yaml' # # Generated by: Gabriel Adrian Samfira # # Generated on: 10/01/2016 # @{ # Script module or binary module file associated with this manifest. RootModule = 'powershell-yaml.psm1' # Version number of this module. ModuleVersion = '0.4.7' # ID used to uniquely identify this module GUID = '6a75a662-7f53-425a-9777-ee61284407da' # Author of this module Author = 'Gabriel Adrian Samfira','Alessandro Pilotti' # Company or vendor of this module CompanyName = 'Cloudbase Solutions SRL' # Copyright statement for this module Copyright = '(c) 2016 Cloudbase Solutions SRL. All rights reserved.' # Description of the functionality provided by this module Description = 'Powershell module for serializing and deserializing YAML' # Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '3.0' # Script files (.ps1) that are run in the caller's environment prior to importing this module. ScriptsToProcess = @("Load-Assemblies.ps1") # Functions to export from this module FunctionsToExport = "ConvertTo-Yaml","ConvertFrom-Yaml" AliasesToExport = "cfy","cty" } 4f98b29f-7e0f-46bb-8b9c-33d9f3863e2aC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psd1 410615103150x0708401Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala37d1ad9-089d-4390-ae02-2a755ed457082b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708400Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala37d1ad9-089d-4390-ae02-2a755ed457082b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708399Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11@{ # Script module or binary module file associated with this manifest. RootModule = 'Invoke-AtomicRedTeam.psm1' # Version number of this module. ModuleVersion = '2.1.0' # ID used to uniquely identify this module GUID = '8f492621-18f8-432e-9532-b1d54d3e90bd' # Author of this module Author = 'Casey Smith @subTee, Josh Rickard @MSAdministrator, Carrie Roberts @OrOneEqualsOne, Matt Graeber @mattifestation' # Company or vendor of this module CompanyName = 'Red Canary, Inc.' # Copyright statement for this module Copyright = '(c) 2021 Red Canary. All rights reserved.' # Description of the functionality provided by this module Description = 'A PowerShell module that runs Atomic Red Team tests from yaml definition files.' # Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '5.0' # Modules that must be imported into the global environment prior to importing this module RequiredModules = @('powershell-yaml') # Script files (.ps1) that are run in the caller's environment prior to importing this module. # AtomicClassSchema.ps1 needs to be present in the caller's scope in order for the built-in classes to surface properly. ScriptsToProcess = @('Private\AtomicClassSchema.ps1', 'Public\config.ps1') # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. FunctionsToExport = @( 'Invoke-AtomicTest', 'Get-AtomicTechnique', 'New-AtomicTechnique', 'New-AtomicTest', 'New-AtomicTestInputArgument', 'New-AtomicTestDependency', 'Start-AtomicGUI', 'Stop-AtomicGUI', 'Invoke-SetupAtomicRunner', 'Invoke-GenerateNewSchedule', 'Invoke-RefreshExistingSchedule', 'Invoke-AtomicRunner', 'Get-Schedule', 'Invoke-KickoffAtomicRunner', 'Get-PreferredIPAddress' ) # Variables to export from this module VariablesToExport = '*' NestedModules = @( "Public\Default-ExecutionLogger.psm1", "Public\Attire-ExecutionLogger.psm1", "Public\Syslog-ExecutionLogger.psm1", "Public\WinEvent-ExecutionLogger.psm1" ) # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. PrivateData = @{ PSData = @{ # Tags applied to this module. These help with module discovery in online galleries. Tags = @('Security', 'Defense') # A URL to the license for this module. LicenseUri = 'https://github.com/redcanaryco/invoke-atomicredteam/blob/master/LICENSE.txt' # A URL to the main website for this project. ProjectUri = 'https://github.com/redcanaryco/invoke-atomicredteam' # A URL to an icon representing this module. # IconUri = '' # ReleaseNotes of this module ReleaseNotes = @' 1.0.2 ----- * Add support for custom execution loggers 1.0.1 ----- * Adding 'powershell-yaml' to RequiredModules in the module manifest 1.0.0 ----- * Initial release for submission to the PowerShell Gallery '@ } # End of PSData hashtable } # End of PrivateData hashtable } a37d1ad9-089d-4390-ae02-2a755ed45708C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1 410515102150x0708398Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6a19b68d-06ed-49fc-8aec-0f966f79484d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708397Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11 Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force $PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}6a19b68d-06ed-49fc-8aec-0f966f79484dC:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 410515102150x0708396Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1ff25d67-532c-4a41-9122-e42c72f7eb882b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708395Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11. 'C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'1ff25d67-532c-4a41-9122-e42c72f7eb88 4096214420x0708394Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local 410615103150x0708393Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local02fa9b70-3201-45a0-9832-d3639c437f1c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708392Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local02fa9b70-3201-45a0-9832-d3639c437f1c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708391Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb8fd15f7-ff33-46d8-80a8-0c7aa095995d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708390Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb8fd15f7-ff33-46d8-80a8-0c7aa095995d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 5350414111100x0708389Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local336DefaultAppDomain 4096114410x0708388Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local 4673001305700x8020000000000000276676Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4673001305700x8020000000000000276675Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4688201331200x8020000000000000276674Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x540C:\Windows\System32\conhost.exe%%19360x150\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000276673Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe%%19360x14b0"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\High Mandatory Level 4673001305700x8010000000000000276672Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 4673001305700x8010000000000000276671Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 11241100x800000000000000044931Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:00.456{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mheb2ex0.yka.ps12024-02-21 18:02:00.456ATTACKRANGE\Administrator 154100x800000000000000044930Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:00.010{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17763.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{0b642d80-2a40-65d6-cc00-00000000be02}5296C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECKATTACKRANGE\Administrator