4689001331300x8020000000000000276792Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1998C:\Windows\System32\wbem\WMIC.exe
4688201331200x8020000000000000276791Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1998C:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Version /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276790Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x13acC:\Windows\System32\wbem\WMIC.exe
4688201331200x8020000000000000276789Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13acC:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Caption /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276788Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1928C:\Windows\System32\wbem\WMIC.exe
4688201331200x8020000000000000276787Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1928C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276786Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x1190C:\Windows\System32\wbem\WMIC.exe
4688201331200x8020000000000000276785Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x11b4C:\Windows\System32\wbem\WmiPrvSE.exe%%19360x35cC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNULL SIDAR-WIN-DC$ATTACKRANGE0x3e4C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level
4688201331200x8020000000000000276784Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1190C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level
154100x800000000000000044948Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.978{0b642d80-3ac0-65d6-c902-00000000be02}6552C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM
154100x800000000000000044947Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.878{0b642d80-3ac0-65d6-c802-00000000be02}5036C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Caption /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM
154100x800000000000000044946Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.799{0b642d80-3ac0-65d6-c702-00000000be02}6440C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM
154100x800000000000000044945Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:40.633{0b642d80-3ac0-65d6-c502-00000000be02}4496C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM
4689001331300x8020000000000000426613Securityar-win-2.attackrange.localNT AUTHORITY\NETWORK SERVICEAR-WIN-2$ATTACKRANGE0x3e40x00xa94C:\Windows\System32\wbem\WmiPrvSE.exe
4634001254500x8020000000000000276783Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1d2a593
4627001255400x8020000000000000276782Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1d2a59311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2851375338-1978525053-2422663219-4094}
ATTACKRANGE\Domain Controllers
%{S-1-5-21-2851375338-1978525053-2422663219-4031}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000276781Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1d2a593KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::156874%%1833---%%18430x0%%1842
4672001254800x8020000000000000276780Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1d2a59SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
410515102150x0708575Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708574Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcc1fd986-29f9-449f-963e-e75084a741d22b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708573Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708572Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708571Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcc1fd986-29f9-449f-963e-e75084a741d22b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708570Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptcc1fd986-29f9-449f-963e-e75084a741d2
410615103150x0708569Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708568Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708567Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local75e0a0c6-9b02-4980-9f6e-cbf3993dda772b535b4c-a403-4565-9d75-b1fc8c18a9ac
4724001382400x8020000000000000276779Securityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276778Securityar-win-dc.attackrange.local-TRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276777Securityar-win-dc.attackrange.localCECILE_DOWNSATTACKRANGEATTACKRANGE\CECILE_DOWNSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276776Securityar-win-dc.attackrange.local-CECILE_DOWNSATTACKRANGEATTACKRANGE\CECILE_DOWNSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276775Securityar-win-dc.attackrange.localTHADDEUS_TOWNSENDATTACKRANGEATTACKRANGE\THADDEUS_TOWNSENDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276774Securityar-win-dc.attackrange.local-THADDEUS_TOWNSENDATTACKRANGEATTACKRANGE\THADDEUS_TOWNSENDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276773Securityar-win-dc.attackrange.localJOANN_PETERSENATTACKRANGEATTACKRANGE\JOANN_PETERSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276772Securityar-win-dc.attackrange.local-JOANN_PETERSENATTACKRANGEATTACKRANGE\JOANN_PETERSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276771Securityar-win-dc.attackrange.localMARGUERITE_GARCIAATTACKRANGEATTACKRANGE\MARGUERITE_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276770Securityar-win-dc.attackrange.local-MARGUERITE_GARCIAATTACKRANGEATTACKRANGE\MARGUERITE_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276769Securityar-win-dc.attackrange.localJOSEFA_MARSHATTACKRANGEATTACKRANGE\JOSEFA_MARSHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276768Securityar-win-dc.attackrange.local-JOSEFA_MARSHATTACKRANGEATTACKRANGE\JOSEFA_MARSHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276767Securityar-win-dc.attackrange.localPEGGY_WYNNATTACKRANGEATTACKRANGE\PEGGY_WYNNATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276766Securityar-win-dc.attackrange.local-PEGGY_WYNNATTACKRANGEATTACKRANGE\PEGGY_WYNNATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276765Securityar-win-dc.attackrange.localELISEO_CHANATTACKRANGEATTACKRANGE\ELISEO_CHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276764Securityar-win-dc.attackrange.local-ELISEO_CHANATTACKRANGEATTACKRANGE\ELISEO_CHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276763Securityar-win-dc.attackrange.localSASHA_CHRISTENSENATTACKRANGEATTACKRANGE\SASHA_CHRISTENSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276762Securityar-win-dc.attackrange.local-SASHA_CHRISTENSENATTACKRANGEATTACKRANGE\SASHA_CHRISTENSENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276761Securityar-win-dc.attackrange.localBRANDEN_FROSTATTACKRANGEATTACKRANGE\BRANDEN_FROSTATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276760Securityar-win-dc.attackrange.local-BRANDEN_FROSTATTACKRANGEATTACKRANGE\BRANDEN_FROSTATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276759Securityar-win-dc.attackrange.localNATALIA_RODRIGUEZATTACKRANGEATTACKRANGE\NATALIA_RODRIGUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276758Securityar-win-dc.attackrange.local-NATALIA_RODRIGUEZATTACKRANGEATTACKRANGE\NATALIA_RODRIGUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276757Securityar-win-dc.attackrange.localFAY_HOLCOMBATTACKRANGEATTACKRANGE\FAY_HOLCOMBATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276756Securityar-win-dc.attackrange.local-FAY_HOLCOMBATTACKRANGEATTACKRANGE\FAY_HOLCOMBATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276755Securityar-win-dc.attackrange.localROBT_VINSONATTACKRANGEATTACKRANGE\ROBT_VINSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276754Securityar-win-dc.attackrange.local-ROBT_VINSONATTACKRANGEATTACKRANGE\ROBT_VINSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276753Securityar-win-dc.attackrange.localMARYLOU_ORRATTACKRANGEATTACKRANGE\MARYLOU_ORRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276752Securityar-win-dc.attackrange.local-MARYLOU_ORRATTACKRANGEATTACKRANGE\MARYLOU_ORRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276751Securityar-win-dc.attackrange.localLARRY_ARMSTRONGATTACKRANGEATTACKRANGE\LARRY_ARMSTRONGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276750Securityar-win-dc.attackrange.local-LARRY_ARMSTRONGATTACKRANGEATTACKRANGE\LARRY_ARMSTRONGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276749Securityar-win-dc.attackrange.localFRANKIE_COLLIERATTACKRANGEATTACKRANGE\FRANKIE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276748Securityar-win-dc.attackrange.local-FRANKIE_COLLIERATTACKRANGEATTACKRANGE\FRANKIE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276747Securityar-win-dc.attackrange.localCLYDE_DICKERSONATTACKRANGEATTACKRANGE\CLYDE_DICKERSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276746Securityar-win-dc.attackrange.local-CLYDE_DICKERSONATTACKRANGEATTACKRANGE\CLYDE_DICKERSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:22 PM---------
4724001382400x8020000000000000276745Securityar-win-dc.attackrange.localGARY_CARRILLOATTACKRANGEATTACKRANGE\GARY_CARRILLOATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276744Securityar-win-dc.attackrange.local-GARY_CARRILLOATTACKRANGEATTACKRANGE\GARY_CARRILLOATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM---------
02/21/2024 18:02:22.675
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=TRUMAN_CLEMENTS@attackrange.local
name=TRUMAN_CLEMENTS
displayName=TRUMAN_CLEMENTS
distinguishedName=CN=TRUMAN_CLEMENTS,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
sn=TRUMAN_CLEMENTS
cn=TRUMAN_CLEMENTS
Object Details:
sAMAccountType=805306368
sAMAccountName=TRUMAN_CLEMENTS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2030
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=977bd7cc-7b6f-4107-84b6-64c8b06c1487
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.46 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82061
uSNCreated=23393
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=BA-car-distlist1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=DE-paulaliza-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.757
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=TRUMAN_CLEMENTS@attackrange.local
name=TRUMAN_CLEMENTS
displayName=TRUMAN_CLEMENTS
distinguishedName=CN=TRUMAN_CLEMENTS,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
sn=TRUMAN_CLEMENTS
cn=TRUMAN_CLEMENTS
Object Details:
sAMAccountType=805306368
sAMAccountName=TRUMAN_CLEMENTS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2030
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=977bd7cc-7b6f-4107-84b6-64c8b06c1487
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.46 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82061
uSNCreated=23393
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=BA-car-distlist1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=DE-paulaliza-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.612
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CECILE_DOWNS@attackrange.local
name=CECILE_DOWNS
displayName=CECILE_DOWNS
distinguishedName=CN=CECILE_DOWNS,OU=Devices,OU=OGC,OU=Tier 2,DC=attackrange,DC=local
sn=CECILE_DOWNS
cn=CECILE_DOWNS
Object Details:
sAMAccountType=805306368
sAMAccountName=CECILE_DOWNS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2265
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b0f1299a-ef72-4b0d-b5b2-904fdfd1b23b
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.38 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82059
uSNCreated=25044
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010101181633.0Z
managedObjects=CN=CE-mrv-distlist1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=CE-iva-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local
memberOf=CN=WI-1.2-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=EM-car-distlist1,OU=Test,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=41-nen-distlist1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=CL-azukiki69-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-hormiga02-admingroup1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=JO-luc-distlist1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RO-360-distlist1,OU=Groups,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=LA-cjgcdmbbd-distlist1,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=Certificate Service DCOM Access,CN=Builtin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.710
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CECILE_DOWNS@attackrange.local
name=CECILE_DOWNS
displayName=CECILE_DOWNS
distinguishedName=CN=CECILE_DOWNS,OU=Devices,OU=OGC,OU=Tier 2,DC=attackrange,DC=local
sn=CECILE_DOWNS
cn=CECILE_DOWNS
Object Details:
sAMAccountType=805306368
sAMAccountName=CECILE_DOWNS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2265
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b0f1299a-ef72-4b0d-b5b2-904fdfd1b23b
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.38 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82059
uSNCreated=25044
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010101181633.0Z
managedObjects=CN=CE-mrv-distlist1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=CE-iva-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local
memberOf=CN=WI-1.2-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=EM-car-distlist1,OU=Test,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=41-nen-distlist1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=CL-azukiki69-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-hormiga02-admingroup1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=JO-luc-distlist1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RO-360-distlist1,OU=Groups,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=LA-cjgcdmbbd-distlist1,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=Certificate Service DCOM Access,CN=Builtin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.581
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=THADDEUS_TOWNSEND@attackrange.local
name=THADDEUS_TOWNSEND
displayName=THADDEUS_TOWNSEND
distinguishedName=CN=THADDEUS_TOWNSEND,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
sn=THADDEUS_TOWNSEND
cn=THADDEUS_TOWNSEND
Object Details:
sAMAccountType=805306368
sAMAccountName=THADDEUS_TOWNSEND
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1535
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=9ee3f21f-778f-4619-af72-15f3d2bb6f8c
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.53 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82057
uSNCreated=19913
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MO-arabe1987-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=DA-oma-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=YO-ame197979-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=HE-JESUS0123-admingroup1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=BE-compilaci-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.663
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=THADDEUS_TOWNSEND@attackrange.local
name=THADDEUS_TOWNSEND
displayName=THADDEUS_TOWNSEND
distinguishedName=CN=THADDEUS_TOWNSEND,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
sn=THADDEUS_TOWNSEND
cn=THADDEUS_TOWNSEND
Object Details:
sAMAccountType=805306368
sAMAccountName=THADDEUS_TOWNSEND
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1535
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=9ee3f21f-778f-4619-af72-15f3d2bb6f8c
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.53 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82057
uSNCreated=19913
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MO-arabe1987-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=DA-oma-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AM-1.20883E1-distlist1,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=YO-ame197979-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=HE-JESUS0123-admingroup1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=BE-compilaci-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.632
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=JOANN_PETERSEN@attackrange.local
name=JOANN_PETERSEN
displayName=JOANN_PETERSEN
distinguishedName=CN=JOANN_PETERSEN,OU=Test,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=JOANN_PETERSEN
cn=JOANN_PETERSEN
Object Details:
sAMAccountType=805306368
sAMAccountName=JOANN_PETERSEN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1227
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b80a668a-2741-4835-b05b-17e311084866
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:49.37 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82055
uSNCreated=17746
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=YE-hay-distlist1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ED-110-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.534
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=JOANN_PETERSEN@attackrange.local
name=JOANN_PETERSEN
displayName=JOANN_PETERSEN
distinguishedName=CN=JOANN_PETERSEN,OU=Test,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=JOANN_PETERSEN
cn=JOANN_PETERSEN
Object Details:
sAMAccountType=805306368
sAMAccountName=JOANN_PETERSEN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1227
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b80a668a-2741-4835-b05b-17e311084866
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:49.37 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82055
uSNCreated=17746
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=YE-hay-distlist1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ED-110-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.487
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARGUERITE_GARCIA@attackrange.local
name=MARGUERITE_GARCIA
displayName=MARGUERITE_GARCIA
distinguishedName=CN=MARGUERITE_GARCIA,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local
sn=MARGUERITE_GARCIA
cn=MARGUERITE_GARCIA
Object Details:
sAMAccountType=805306368
sAMAccountName=MARGUERITE_GARCIA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1394
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b775cf61-d859-46b5-ae6f-3f8043f46533
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.18 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82053
uSNCreated=18921
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010101181633.0Z
memberOf=CN=AB-arual1103-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=LY-jos-admingroup1,OU=Devices,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=JA-swe-admingroup1,OU=Groups,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.570
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARGUERITE_GARCIA@attackrange.local
name=MARGUERITE_GARCIA
displayName=MARGUERITE_GARCIA
distinguishedName=CN=MARGUERITE_GARCIA,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local
sn=MARGUERITE_GARCIA
cn=MARGUERITE_GARCIA
Object Details:
sAMAccountType=805306368
sAMAccountName=MARGUERITE_GARCIA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1394
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b775cf61-d859-46b5-ae6f-3f8043f46533
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.18 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82053
uSNCreated=18921
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010101181633.0Z
memberOf=CN=AB-arual1103-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=LY-jos-admingroup1,OU=Devices,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=JA-swe-admingroup1,OU=Groups,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.538
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=JOSEFA_MARSH@attackrange.local
name=JOSEFA_MARSH
displayName=JOSEFA_MARSH
distinguishedName=CN=JOSEFA_MARSH,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=JOSEFA_MARSH
cn=JOSEFA_MARSH
Object Details:
sAMAccountType=805306368
sAMAccountName=JOSEFA_MARSH
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1508
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=adbddb94-feca-4979-954e-cea466aa0676
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.46 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82051
uSNCreated=19723
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
managedObjects=CN=JO-betyluis2-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-320-admingroup1,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=Remote Management Users,CN=Builtin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.440
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=JOSEFA_MARSH@attackrange.local
name=JOSEFA_MARSH
displayName=JOSEFA_MARSH
distinguishedName=CN=JOSEFA_MARSH,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=JOSEFA_MARSH
cn=JOSEFA_MARSH
Object Details:
sAMAccountType=805306368
sAMAccountName=JOSEFA_MARSH
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1508
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=adbddb94-feca-4979-954e-cea466aa0676
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:50.46 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82051
uSNCreated=19723
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
managedObjects=CN=JO-betyluis2-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-320-admingroup1,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=Remote Management Users,CN=Builtin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.507
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=PEGGY_WYNN@attackrange.local
name=PEGGY_WYNN
displayName=PEGGY_WYNN
distinguishedName=CN=PEGGY_WYNN,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
sn=PEGGY_WYNN
cn=PEGGY_WYNN
Object Details:
sAMAccountType=805306368
sAMAccountName=PEGGY_WYNN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1930
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=d90e7146-6ac2-4c9b-8bbb-e72bda7b7a37
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.24 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82049
uSNCreated=22691
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ER-mor-distlist1,OU=Groups,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=ME-545631255-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SH-daresadr1-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-ESCRIBEME-admingroup1,OU=Devices,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=VI-mercrefox-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.409
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=PEGGY_WYNN@attackrange.local
name=PEGGY_WYNN
displayName=PEGGY_WYNN
distinguishedName=CN=PEGGY_WYNN,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
sn=PEGGY_WYNN
cn=PEGGY_WYNN
Object Details:
sAMAccountType=805306368
sAMAccountName=PEGGY_WYNN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1930
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=d90e7146-6ac2-4c9b-8bbb-e72bda7b7a37
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.24 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82049
uSNCreated=22691
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ER-mor-distlist1,OU=Groups,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=ME-545631255-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SH-daresadr1-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-ESCRIBEME-admingroup1,OU=Devices,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=VI-mercrefox-distlist1,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.378
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ELISEO_CHAN@attackrange.local
name=ELISEO_CHAN
displayName=ELISEO_CHAN
distinguishedName=CN=ELISEO_CHAN,OU=Grouper-Groups,DC=attackrange,DC=local
sn=ELISEO_CHAN
cn=ELISEO_CHAN
Object Details:
sAMAccountType=805306368
sAMAccountName=ELISEO_CHAN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1972
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=c9053b23-fb4e-4b31-ba4c-2a4ed662aec2
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.33 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82047
uSNCreated=22986
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z
memberOf=CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=LO-503-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=MA-ca4-admingroup1,OU=FSR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.460
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ELISEO_CHAN@attackrange.local
name=ELISEO_CHAN
displayName=ELISEO_CHAN
distinguishedName=CN=ELISEO_CHAN,OU=Grouper-Groups,DC=attackrange,DC=local
sn=ELISEO_CHAN
cn=ELISEO_CHAN
Object Details:
sAMAccountType=805306368
sAMAccountName=ELISEO_CHAN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1972
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=c9053b23-fb4e-4b31-ba4c-2a4ed662aec2
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.33 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82047
uSNCreated=22986
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z
memberOf=CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=LO-503-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=MA-ca4-admingroup1,OU=FSR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.331
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=SASHA_CHRISTENSEN@attackrange.local
name=SASHA_CHRISTENSEN
displayName=SASHA_CHRISTENSEN
distinguishedName=CN=SASHA_CHRISTENSEN,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=SASHA_CHRISTENSEN
cn=SASHA_CHRISTENSEN
Object Details:
sAMAccountType=805306368
sAMAccountName=SASHA_CHRISTENSEN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2652
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e04682bf-9308-4716-82a5-0d247bac53fa
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:55.01 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82045
uSNCreated=27762
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=FR-af0ck1z91-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.429
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=SASHA_CHRISTENSEN@attackrange.local
name=SASHA_CHRISTENSEN
displayName=SASHA_CHRISTENSEN
distinguishedName=CN=SASHA_CHRISTENSEN,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=SASHA_CHRISTENSEN
cn=SASHA_CHRISTENSEN
Object Details:
sAMAccountType=805306368
sAMAccountName=SASHA_CHRISTENSEN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2652
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e04682bf-9308-4716-82a5-0d247bac53fa
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:55.01 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82045
uSNCreated=27762
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=FR-af0ck1z91-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.285
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=BRANDEN_FROST@attackrange.local
name=BRANDEN_FROST
displayName=BRANDEN_FROST
distinguishedName=CN=BRANDEN_FROST,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
sn=BRANDEN_FROST
cn=BRANDEN_FROST
Object Details:
sAMAccountType=805306368
sAMAccountName=BRANDEN_FROST
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2216
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=62bdabb4-2cb2-43a6-b284-b81bcc17c3f0
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.27 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82043
uSNCreated=24699
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
managedObjects=CN=BR-jos-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=DW-gelsomina-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=CL-141-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.382
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=BRANDEN_FROST@attackrange.local
name=BRANDEN_FROST
displayName=BRANDEN_FROST
distinguishedName=CN=BRANDEN_FROST,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
sn=BRANDEN_FROST
cn=BRANDEN_FROST
Object Details:
sAMAccountType=805306368
sAMAccountName=BRANDEN_FROST
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2216
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=62bdabb4-2cb2-43a6-b284-b81bcc17c3f0
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.27 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82043
uSNCreated=24699
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
managedObjects=CN=BR-jos-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=DW-gelsomina-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=CL-141-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.335
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=NATALIA_RODRIGUEZ@attackrange.local
name=NATALIA_RODRIGUEZ
displayName=NATALIA_RODRIGUEZ
distinguishedName=CN=NATALIA_RODRIGUEZ,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
sn=NATALIA_RODRIGUEZ
cn=NATALIA_RODRIGUEZ
Object Details:
sAMAccountType=805306368
sAMAccountName=NATALIA_RODRIGUEZ
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3419
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=d7ab2901-a24c-4a33-b71e-d59896b627fc
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:57.35 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82041
uSNCreated=33153
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=QU-aur-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.237
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=NATALIA_RODRIGUEZ@attackrange.local
name=NATALIA_RODRIGUEZ
displayName=NATALIA_RODRIGUEZ
distinguishedName=CN=NATALIA_RODRIGUEZ,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
sn=NATALIA_RODRIGUEZ
cn=NATALIA_RODRIGUEZ
Object Details:
sAMAccountType=805306368
sAMAccountName=NATALIA_RODRIGUEZ
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3419
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=d7ab2901-a24c-4a33-b71e-d59896b627fc
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:57.35 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82041
uSNCreated=33153
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=QU-aur-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.190
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=FAY_HOLCOMB@attackrange.local
name=FAY_HOLCOMB
displayName=FAY_HOLCOMB
distinguishedName=CN=FAY_HOLCOMB,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=FAY_HOLCOMB
cn=FAY_HOLCOMB
Object Details:
sAMAccountType=805306368
sAMAccountName=FAY_HOLCOMB
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2234
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7c620f57-4749-476b-9722-255919ff4dd2
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.31 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82039
uSNCreated=24826
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=HO-pum-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mus-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=MA-776-distlist1,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.159
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ROBT_VINSON@attackrange.local
name=ROBT_VINSON
displayName=ROBT_VINSON
distinguishedName=CN=ROBT_VINSON,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=ROBT_VINSON
cn=ROBT_VINSON
Object Details:
sAMAccountType=805306368
sAMAccountName=ROBT_VINSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1872
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=24a604fd-799f-40e5-836b-54f5251dff02
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.09 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82037
uSNCreated=22284
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=LA-bil-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=JO-gar-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=ID-572-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=RU-270-admingroup1,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.112
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARYLOU_ORR@attackrange.local
name=MARYLOU_ORR
displayName=MARYLOU_ORR
distinguishedName=CN=MARYLOU_ORR,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
sn=MARYLOU_ORR
cn=MARYLOU_ORR
Object Details:
sAMAccountType=805306368
sAMAccountName=MARYLOU_ORR
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1595
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=72b79fa7-b0ae-45e0-acf5-ef321d6f7d62
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:51.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82035
uSNCreated=20334
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=ER-bal-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=CO-bellotali-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=TR-260-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=AU-chi-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=YO-aldo18696-admingroup1,OU=Devices,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.081
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=LARRY_ARMSTRONG@attackrange.local
name=LARRY_ARMSTRONG
displayName=LARRY_ARMSTRONG
distinguishedName=CN=LARRY_ARMSTRONG,OU=FIN,OU=Tier 1,DC=attackrange,DC=local
sn=LARRY_ARMSTRONG
cn=LARRY_ARMSTRONG
Object Details:
sAMAccountType=805306368
sAMAccountName=LARRY_ARMSTRONG
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3528
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=5390da29-1743-47e7-a12f-351422ddee97
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:57.58 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82033
uSNCreated=33920
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=MA-elemarioe-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=BR-14omar09t-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-20Mayo199-distlist1,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=DE-bou-distlist1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AU-her-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=HE-cue-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.035
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=FRANKIE_COLLIER@attackrange.local
name=FRANKIE_COLLIER
displayName=FRANKIE_COLLIER
distinguishedName=CN=FRANKIE_COLLIER,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local
sn=FRANKIE_COLLIER
cn=FRANKIE_COLLIER
Object Details:
sAMAccountType=805306368
sAMAccountName=FRANKIE_COLLIER
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2691
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=dfafbd08-6a48-4b67-bf51-bcd3aeabd9f7
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:55.09 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82031
uSNCreated=28035
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=JA-der-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AV-163-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=JA-patitomoj-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RE-3hotmail3-admingroup1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RA-albertito-admingroup1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.288
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=FAY_HOLCOMB@attackrange.local
name=FAY_HOLCOMB
displayName=FAY_HOLCOMB
distinguishedName=CN=FAY_HOLCOMB,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=FAY_HOLCOMB
cn=FAY_HOLCOMB
Object Details:
sAMAccountType=805306368
sAMAccountName=FAY_HOLCOMB
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2234
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7c620f57-4749-476b-9722-255919ff4dd2
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:53.31 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82039
uSNCreated=24826
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=HO-pum-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mus-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=JE-diferente-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=MA-776-distlist1,OU=Test,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.257
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ROBT_VINSON@attackrange.local
name=ROBT_VINSON
displayName=ROBT_VINSON
distinguishedName=CN=ROBT_VINSON,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=ROBT_VINSON
cn=ROBT_VINSON
Object Details:
sAMAccountType=805306368
sAMAccountName=ROBT_VINSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1872
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=24a604fd-799f-40e5-836b-54f5251dff02
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:52.09 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82037
uSNCreated=22284
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=LA-bil-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=JO-gar-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=ID-572-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=RU-270-admingroup1,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.209
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARYLOU_ORR@attackrange.local
name=MARYLOU_ORR
displayName=MARYLOU_ORR
distinguishedName=CN=MARYLOU_ORR,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
sn=MARYLOU_ORR
cn=MARYLOU_ORR
Object Details:
sAMAccountType=805306368
sAMAccountName=MARYLOU_ORR
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1595
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=72b79fa7-b0ae-45e0-acf5-ef321d6f7d62
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:51.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82035
uSNCreated=20334
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=ER-bal-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=CO-bellotali-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=TR-260-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=AU-chi-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=YO-aldo18696-admingroup1,OU=Devices,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.178
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=LARRY_ARMSTRONG@attackrange.local
name=LARRY_ARMSTRONG
displayName=LARRY_ARMSTRONG
distinguishedName=CN=LARRY_ARMSTRONG,OU=FIN,OU=Tier 1,DC=attackrange,DC=local
sn=LARRY_ARMSTRONG
cn=LARRY_ARMSTRONG
Object Details:
sAMAccountType=805306368
sAMAccountName=LARRY_ARMSTRONG
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3528
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=5390da29-1743-47e7-a12f-351422ddee97
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:57.58 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82033
uSNCreated=33920
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=MA-elemarioe-distlist1,OU=ServiceAccounts,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=BR-14omar09t-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=RO-20Mayo199-distlist1,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=DE-bou-distlist1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AU-her-distlist1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=HE-cue-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.131
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=FRANKIE_COLLIER@attackrange.local
name=FRANKIE_COLLIER
displayName=FRANKIE_COLLIER
distinguishedName=CN=FRANKIE_COLLIER,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local
sn=FRANKIE_COLLIER
cn=FRANKIE_COLLIER
Object Details:
sAMAccountType=805306368
sAMAccountName=FRANKIE_COLLIER
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2691
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=dfafbd08-6a48-4b67-bf51-bcd3aeabd9f7
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:55.09 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82031
uSNCreated=28035
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=NE-mariquita-admingroup1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=JA-der-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AV-163-distlist1,OU=Devices,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=JA-patitomoj-admingroup1,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RE-3hotmail3-admingroup1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RA-albertito-admingroup1,OU=Test,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.084
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CLYDE_DICKERSON@attackrange.local
name=CLYDE_DICKERSON
displayName=CLYDE_DICKERSON
distinguishedName=CN=CLYDE_DICKERSON,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=CLYDE_DICKERSON
cn=CLYDE_DICKERSON
Object Details:
sAMAccountType=805306368
sAMAccountName=CLYDE_DICKERSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2604
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7cc38f7c-9dec-4385-a08e-a64f9502b388
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:54.51 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82029
uSNCreated=27426
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=AL-gui-admingroup1,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=WE-cab-admingroup1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-cupidon21-distlist1,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:22.022
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GARY_CARRILLO@attackrange.local
name=GARY_CARRILLO
displayName=GARY_CARRILLO
distinguishedName=CN=GARY_CARRILLO,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=GARY_CARRILLO
cn=GARY_CARRILLO
Object Details:
sAMAccountType=805306368
sAMAccountName=GARY_CARRILLO
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2024
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=392e8c32-9f9d-41c2-aacf-5f83212134f7
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:52.45 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82027
uSNCreated=23351
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
4724001382400x8020000000000000276743Securityar-win-dc.attackrange.localKRISTY_HERNANDEZATTACKRANGEATTACKRANGE\KRISTY_HERNANDEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276742Securityar-win-dc.attackrange.local-KRISTY_HERNANDEZATTACKRANGEATTACKRANGE\KRISTY_HERNANDEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM---------
4724001382400x8020000000000000276741Securityar-win-dc.attackrange.localGERTRUDE_DONALDSONATTACKRANGEATTACKRANGE\GERTRUDE_DONALDSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276740Securityar-win-dc.attackrange.local-GERTRUDE_DONALDSONATTACKRANGEATTACKRANGE\GERTRUDE_DONALDSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:21 PM---------
4689001331300x8020000000000000426612Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x122cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
02/21/2024 18:02:21.987
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CLYDE_DICKERSON@attackrange.local
name=CLYDE_DICKERSON
displayName=CLYDE_DICKERSON
distinguishedName=CN=CLYDE_DICKERSON,OU=Groups,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=CLYDE_DICKERSON
cn=CLYDE_DICKERSON
Object Details:
sAMAccountType=805306368
sAMAccountName=CLYDE_DICKERSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2604
primaryGroupID=513
pwdLastSet=06:02.22 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7cc38f7c-9dec-4385-a08e-a64f9502b388
whenChanged=06:02.22 PM, Wed 02/21/2024
whenCreated=09:54.51 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82029
uSNCreated=27426
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=AL-gui-admingroup1,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=WE-cab-admingroup1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-30j-distlist1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-cupidon21-distlist1,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=SE-dol240675-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:21.925
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GARY_CARRILLO@attackrange.local
name=GARY_CARRILLO
displayName=GARY_CARRILLO
distinguishedName=CN=GARY_CARRILLO,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=GARY_CARRILLO
cn=GARY_CARRILLO
Object Details:
sAMAccountType=805306368
sAMAccountName=GARY_CARRILLO
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2024
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=392e8c32-9f9d-41c2-aacf-5f83212134f7
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:52.45 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82027
uSNCreated=23351
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:21.862
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KRISTY_HERNANDEZ@attackrange.local
name=KRISTY_HERNANDEZ
displayName=KRISTY_HERNANDEZ
distinguishedName=CN=KRISTY_HERNANDEZ,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
sn=KRISTY_HERNANDEZ
cn=KRISTY_HERNANDEZ
Object Details:
sAMAccountType=805306368
sAMAccountName=KRISTY_HERNANDEZ
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1843
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7fb3a18b-7a0f-4aa0-913b-b58c8460ba39
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:52.00 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82025
uSNCreated=22079
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
managedObjects=CN=KR-bwoodchic-distlist1,OU=T0-Devices,OU=Tier 0,OU=Admin,DC=attackrange,DC=local
memberOf=CN=LU-ayo-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RI-BET-distlist1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=TO-139680596-admingroup1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=LY-211-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RE-230-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:21.815
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GERTRUDE_DONALDSON@attackrange.local
name=GERTRUDE_DONALDSON
displayName=GERTRUDE_DONALDSON
distinguishedName=CN=GERTRUDE_DONALDSON,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
sn=GERTRUDE_DONALDSON
cn=GERTRUDE_DONALDSON
Object Details:
sAMAccountType=805306368
sAMAccountName=GERTRUDE_DONALDSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2451
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=84f142cf-f1e4-4b00-9dd3-bb69f09ba1d9
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:54.19 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82023
uSNCreated=26350
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=NA-wer-admingroup1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:21.959
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KRISTY_HERNANDEZ@attackrange.local
name=KRISTY_HERNANDEZ
displayName=KRISTY_HERNANDEZ
distinguishedName=CN=KRISTY_HERNANDEZ,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
sn=KRISTY_HERNANDEZ
cn=KRISTY_HERNANDEZ
Object Details:
sAMAccountType=805306368
sAMAccountName=KRISTY_HERNANDEZ
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1843
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=7fb3a18b-7a0f-4aa0-913b-b58c8460ba39
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:52.00 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82025
uSNCreated=22079
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
managedObjects=CN=KR-bwoodchic-distlist1,OU=T0-Devices,OU=Tier 0,OU=Admin,DC=attackrange,DC=local
memberOf=CN=LU-ayo-distlist1,OU=Stage,DC=attackrange,DC=local|CN=RI-BET-distlist1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=TO-139680596-admingroup1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=LY-211-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RE-230-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:21.912
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GERTRUDE_DONALDSON@attackrange.local
name=GERTRUDE_DONALDSON
displayName=GERTRUDE_DONALDSON
distinguishedName=CN=GERTRUDE_DONALDSON,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
sn=GERTRUDE_DONALDSON
cn=GERTRUDE_DONALDSON
Object Details:
sAMAccountType=805306368
sAMAccountName=GERTRUDE_DONALDSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2451
primaryGroupID=513
pwdLastSet=06:02.21 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=84f142cf-f1e4-4b00-9dd3-bb69f09ba1d9
whenChanged=06:02.21 PM, Wed 02/21/2024
whenCreated=09:54.19 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82023
uSNCreated=26350
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=CH-327-distlist1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=NA-wer-admingroup1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
154100x800000000000000042795Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:21.093{501DA29B-3AAD-65D6-8002-000000004903}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
4688201331200x8020000000000000426611Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x122cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000426610Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000426609Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
154100x800000000000000044944Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:20.548{0b642d80-3aac-65d6-c402-00000000be02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
410615103150x0708566Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708565Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708564Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local75e0a0c6-9b02-4980-9f6e-cbf3993dda772b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708563Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module
Import-Module ActiveDirectory
# Define the new password - ensure to follow your organization's password policy
$newPassword = ConvertTo-SecureString "NewP@ssw0rd123!" -AsPlainText -Force
# Get 20 random user accounts
$randomUsers = Get-ADUser -Filter * -Properties PasswordLastSet | Get-Random -Count 20
# Loop through each user and update the password
foreach ($user in $randomUsers) {
try {
Set-ADAccountPassword $user.SamAccountName -NewPassword $newPassword -Reset
Write-Host "Password updated for user: $($user.SamAccountName)"
} catch {
Write-Host "Failed to update password for user: $($user.SamAccountName)"
}
}
# Output the users whose passwords were updated
Write-Host "Updated passwords for the following users:"
$randomUsers | Select-Object SamAccountName
75e0a0c6-9b02-4980-9f6e-cbf3993dda77
410615103150x0708562Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4689001331300x8020000000000000276739Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x8a8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
4688201331200x8020000000000000276738Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8a8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276737Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
154100x800000000000000042794Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:20.339{501DA29B-3AAC-65D6-7F02-000000004903}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
154100x800000000000000042793Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:19.667{501DA29B-3AAB-65D6-7E02-000000004903}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
4688201331200x8020000000000000276736Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276735Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x13b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000276734Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
154100x800000000000000044943Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:19.875{0b642d80-3aab-65d6-c302-00000000be02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
154100x800000000000000044942Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:19.123{0b642d80-3aab-65d6-c202-00000000be02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
4689001331300x8020000000000000426608Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
4688201331200x8020000000000000426607Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000426606Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfa0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
154100x800000000000000042792Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:18.916{501DA29B-3AAA-65D6-7D02-000000004903}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
154100x800000000000000042791Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 18:02:18.157{501DA29B-3AAA-65D6-7C02-000000004903}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
4688201331200x8020000000000000426605Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfa0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000426604Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
4688201331200x8020000000000000426603Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000276733Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
4688201331200x8020000000000000276732Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
154100x800000000000000044941Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:18.346{0b642d80-3aaa-65d6-c102-00000000be02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
4689001331300x8020000000000000276731Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
4688201331200x8020000000000000276730Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
154100x800000000000000044940Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:17.595{0b642d80-3aa9-65d6-c002-00000000be02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM
410515102150x0708561Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708560Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald7ce585c-c1aa-478c-9d65-1a77843ce4c92b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708559Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708558Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708557Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald7ce585c-c1aa-478c-9d65-1a77843ce4c92b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708556Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptd7ce585c-c1aa-478c-9d65-1a77843ce4c9
410615103150x0708555Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708554Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708553Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala0da7b12-fcd4-444e-a45d-14b3126ed3e72b535b4c-a403-4565-9d75-b1fc8c18a9ac
4724001382400x8020000000000000276729Securityar-win-dc.attackrange.localSTACIE_POOLEATTACKRANGEATTACKRANGE\STACIE_POOLEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276728Securityar-win-dc.attackrange.local-STACIE_POOLEATTACKRANGEATTACKRANGE\STACIE_POOLEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276727Securityar-win-dc.attackrange.localNICKOLAS_PITTSATTACKRANGEATTACKRANGE\NICKOLAS_PITTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276726Securityar-win-dc.attackrange.local-NICKOLAS_PITTSATTACKRANGEATTACKRANGE\NICKOLAS_PITTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276725Securityar-win-dc.attackrange.localKIMBERLY_BURGESSATTACKRANGEATTACKRANGE\KIMBERLY_BURGESSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276724Securityar-win-dc.attackrange.local-KIMBERLY_BURGESSATTACKRANGEATTACKRANGE\KIMBERLY_BURGESSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276723Securityar-win-dc.attackrange.localGUILLERMO_STEPHENSATTACKRANGEATTACKRANGE\GUILLERMO_STEPHENSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276722Securityar-win-dc.attackrange.local-GUILLERMO_STEPHENSATTACKRANGEATTACKRANGE\GUILLERMO_STEPHENSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276721Securityar-win-dc.attackrange.localGINA_CAMPBELLATTACKRANGEATTACKRANGE\GINA_CAMPBELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276720Securityar-win-dc.attackrange.local-GINA_CAMPBELLATTACKRANGEATTACKRANGE\GINA_CAMPBELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276719Securityar-win-dc.attackrange.localCALVIN_MORINATTACKRANGEATTACKRANGE\CALVIN_MORINATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276718Securityar-win-dc.attackrange.local-CALVIN_MORINATTACKRANGEATTACKRANGE\CALVIN_MORINATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276717Securityar-win-dc.attackrange.localYOUNG_JOHNSONATTACKRANGEATTACKRANGE\YOUNG_JOHNSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276716Securityar-win-dc.attackrange.local-YOUNG_JOHNSONATTACKRANGEATTACKRANGE\YOUNG_JOHNSONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276715Securityar-win-dc.attackrange.localSTEFANIE_DOUGLASATTACKRANGEATTACKRANGE\STEFANIE_DOUGLASATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276714Securityar-win-dc.attackrange.local-STEFANIE_DOUGLASATTACKRANGEATTACKRANGE\STEFANIE_DOUGLASATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276713Securityar-win-dc.attackrange.localMARK_PARKSATTACKRANGEATTACKRANGE\MARK_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276712Securityar-win-dc.attackrange.local-MARK_PARKSATTACKRANGEATTACKRANGE\MARK_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276711Securityar-win-dc.attackrange.localWALDO_GATESATTACKRANGEATTACKRANGE\WALDO_GATESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276710Securityar-win-dc.attackrange.local-WALDO_GATESATTACKRANGEATTACKRANGE\WALDO_GATESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276709Securityar-win-dc.attackrange.local6893486226SAATTACKRANGEATTACKRANGE\6893486226SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276708Securityar-win-dc.attackrange.local-6893486226SAATTACKRANGEATTACKRANGE\6893486226SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276707Securityar-win-dc.attackrange.localMARISA_GARCIAATTACKRANGEATTACKRANGE\MARISA_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276706Securityar-win-dc.attackrange.local-MARISA_GARCIAATTACKRANGEATTACKRANGE\MARISA_GARCIAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276705Securityar-win-dc.attackrange.localISRAEL_CALLAHANATTACKRANGEATTACKRANGE\ISRAEL_CALLAHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276704Securityar-win-dc.attackrange.local-ISRAEL_CALLAHANATTACKRANGEATTACKRANGE\ISRAEL_CALLAHANATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276703Securityar-win-dc.attackrange.localWILBUR_MCGUIREATTACKRANGEATTACKRANGE\WILBUR_MCGUIREATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276702Securityar-win-dc.attackrange.local-WILBUR_MCGUIREATTACKRANGEATTACKRANGE\WILBUR_MCGUIREATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276701Securityar-win-dc.attackrange.localLOU_STAFFORDATTACKRANGEATTACKRANGE\LOU_STAFFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276700Securityar-win-dc.attackrange.local-LOU_STAFFORDATTACKRANGEATTACKRANGE\LOU_STAFFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276699Securityar-win-dc.attackrange.localKIP_HEATHATTACKRANGEATTACKRANGE\KIP_HEATHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276698Securityar-win-dc.attackrange.local-KIP_HEATHATTACKRANGEATTACKRANGE\KIP_HEATHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276697Securityar-win-dc.attackrange.localEMILIA_HILLATTACKRANGEATTACKRANGE\EMILIA_HILLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276696Securityar-win-dc.attackrange.local-EMILIA_HILLATTACKRANGEATTACKRANGE\EMILIA_HILLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276695Securityar-win-dc.attackrange.localKATHRINE_COLLIERATTACKRANGEATTACKRANGE\KATHRINE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276694Securityar-win-dc.attackrange.local-KATHRINE_COLLIERATTACKRANGEATTACKRANGE\KATHRINE_COLLIERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276693Securityar-win-dc.attackrange.localKAREEM_MCGEEATTACKRANGEATTACKRANGE\KAREEM_MCGEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276692Securityar-win-dc.attackrange.local-KAREEM_MCGEEATTACKRANGEATTACKRANGE\KAREEM_MCGEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:16 PM---------
4724001382400x8020000000000000276691Securityar-win-dc.attackrange.localBARBARA_ONEALATTACKRANGEATTACKRANGE\BARBARA_ONEALATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
4738001382400x8020000000000000276690Securityar-win-dc.attackrange.local-BARBARA_ONEALATTACKRANGEATTACKRANGE\BARBARA_ONEALATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1---------2/21/2024 6:02:15 PM---------
02/21/2024 18:02:16.497
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=STACIE_POOLE@attackrange.local
name=STACIE_POOLE
displayName=STACIE_POOLE
distinguishedName=CN=STACIE_POOLE,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=STACIE_POOLE
cn=STACIE_POOLE
Object Details:
sAMAccountType=805306368
sAMAccountName=STACIE_POOLE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3287
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=49056208-8f06-465a-b338-3fc8bb3c09a8
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:57.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82021
uSNCreated=32223
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ED-LEE-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=MA-ama-admingroup1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.592
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=STACIE_POOLE@attackrange.local
name=STACIE_POOLE
displayName=STACIE_POOLE
distinguishedName=CN=STACIE_POOLE,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=STACIE_POOLE
cn=STACIE_POOLE
Object Details:
sAMAccountType=805306368
sAMAccountName=STACIE_POOLE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3287
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=49056208-8f06-465a-b338-3fc8bb3c09a8
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:57.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82021
uSNCreated=32223
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ED-LEE-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=MA-ama-admingroup1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.480
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=NICKOLAS_PITTS@attackrange.local
name=NICKOLAS_PITTS
displayName=NICKOLAS_PITTS
distinguishedName=CN=NICKOLAS_PITTS,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local
sn=NICKOLAS_PITTS
cn=NICKOLAS_PITTS
Object Details:
sAMAccountType=805306368
sAMAccountName=NICKOLAS_PITTS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1135
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=4d724e00-701c-44f3-8ebe-e32290b2736f
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:49.13 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82019
uSNCreated=17101
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=JA-628-distlist1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AL-MIRAQUEER-distlist1,OU=Groups,OU=AWS,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.576
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=NICKOLAS_PITTS@attackrange.local
name=NICKOLAS_PITTS
displayName=NICKOLAS_PITTS
distinguishedName=CN=NICKOLAS_PITTS,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local
sn=NICKOLAS_PITTS
cn=NICKOLAS_PITTS
Object Details:
sAMAccountType=805306368
sAMAccountName=NICKOLAS_PITTS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1135
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=4d724e00-701c-44f3-8ebe-e32290b2736f
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:49.13 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82019
uSNCreated=17101
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=JA-628-distlist1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AL-MIRAQUEER-distlist1,OU=Groups,OU=AWS,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.449
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KIMBERLY_BURGESS@attackrange.local
name=KIMBERLY_BURGESS
displayName=KIMBERLY_BURGESS
distinguishedName=CN=KIMBERLY_BURGESS,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=KIMBERLY_BURGESS
cn=KIMBERLY_BURGESS
Object Details:
sAMAccountType=805306368
sAMAccountName=KIMBERLY_BURGESS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1870
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b4b2ce73-35f6-4191-8140-efcddc5758b9
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82017
uSNCreated=22270
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=EU-teamomama-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=ES-superbato-distlist1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.545
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KIMBERLY_BURGESS@attackrange.local
name=KIMBERLY_BURGESS
displayName=KIMBERLY_BURGESS
distinguishedName=CN=KIMBERLY_BURGESS,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local
sn=KIMBERLY_BURGESS
cn=KIMBERLY_BURGESS
Object Details:
sAMAccountType=805306368
sAMAccountName=KIMBERLY_BURGESS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1870
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b4b2ce73-35f6-4191-8140-efcddc5758b9
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.08 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82017
uSNCreated=22270
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=EU-teamomama-distlist1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=ES-superbato-distlist1,OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ana-admingroup1,OU=FIN,OU=People,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.417
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GUILLERMO_STEPHENS@attackrange.local
name=GUILLERMO_STEPHENS
displayName=GUILLERMO_STEPHENS
distinguishedName=CN=GUILLERMO_STEPHENS,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local
sn=GUILLERMO_STEPHENS
cn=GUILLERMO_STEPHENS
Object Details:
sAMAccountType=805306368
sAMAccountName=GUILLERMO_STEPHENS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2271
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=bb0d9b35-cf36-4f98-8f70-e76468f64443
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:53.40 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82015
uSNCreated=25086
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CH-302-distlist1,OU=ServiceAccounts,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=HU-tomy1703.-distlist1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=LO-teamolili-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LI-azu-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.513
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GUILLERMO_STEPHENS@attackrange.local
name=GUILLERMO_STEPHENS
displayName=GUILLERMO_STEPHENS
distinguishedName=CN=GUILLERMO_STEPHENS,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local
sn=GUILLERMO_STEPHENS
cn=GUILLERMO_STEPHENS
Object Details:
sAMAccountType=805306368
sAMAccountName=GUILLERMO_STEPHENS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2271
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=bb0d9b35-cf36-4f98-8f70-e76468f64443
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:53.40 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82015
uSNCreated=25086
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=CH-302-distlist1,OU=ServiceAccounts,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=HU-tomy1703.-distlist1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=LO-teamolili-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=LA-lui-distlist1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LI-azu-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.386
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GINA_CAMPBELL@attackrange.local
name=GINA_CAMPBELL
displayName=GINA_CAMPBELL
distinguishedName=CN=GINA_CAMPBELL,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
sn=GINA_CAMPBELL
cn=GINA_CAMPBELL
Object Details:
sAMAccountType=805306368
sAMAccountName=GINA_CAMPBELL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1635
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=0b8d0268-f529-4383-b8c7-544842d47b1c
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:51.17 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82013
uSNCreated=20615
instanceType=4
Additional Details:
dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.482
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=GINA_CAMPBELL@attackrange.local
name=GINA_CAMPBELL
displayName=GINA_CAMPBELL
distinguishedName=CN=GINA_CAMPBELL,OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
sn=GINA_CAMPBELL
cn=GINA_CAMPBELL
Object Details:
sAMAccountType=805306368
sAMAccountName=GINA_CAMPBELL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1635
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=0b8d0268-f529-4383-b8c7-544842d47b1c
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:51.17 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82013
uSNCreated=20615
instanceType=4
Additional Details:
dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.355
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CALVIN_MORIN@attackrange.local
name=CALVIN_MORIN
displayName=CALVIN_MORIN
distinguishedName=CN=CALVIN_MORIN,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
sn=CALVIN_MORIN
cn=CALVIN_MORIN
Object Details:
sAMAccountType=805306368
sAMAccountName=CALVIN_MORIN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1388
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e0ab0132-879c-4ea7-8be7-67de81a40643
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.17 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82011
uSNCreated=18879
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.451
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=CALVIN_MORIN@attackrange.local
name=CALVIN_MORIN
displayName=CALVIN_MORIN
distinguishedName=CN=CALVIN_MORIN,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
sn=CALVIN_MORIN
cn=CALVIN_MORIN
Object Details:
sAMAccountType=805306368
sAMAccountName=CALVIN_MORIN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1388
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e0ab0132-879c-4ea7-8be7-67de81a40643
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.17 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82011
uSNCreated=18879
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.324
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=YOUNG_JOHNSON@attackrange.local
name=YOUNG_JOHNSON
displayName=YOUNG_JOHNSON
distinguishedName=CN=YOUNG_JOHNSON,OU=Devices,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=YOUNG_JOHNSON
cn=YOUNG_JOHNSON
Object Details:
sAMAccountType=805306368
sAMAccountName=YOUNG_JOHNSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1558
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3b0f6c2d-0277-444c-b25d-08d3a684e3b7
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.59 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82009
uSNCreated=20074
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=CA-NOC-distlist1,OU=T1-Accounts,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=JE-Morritos7-distlist1,OU=Devices,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.420
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=YOUNG_JOHNSON@attackrange.local
name=YOUNG_JOHNSON
displayName=YOUNG_JOHNSON
distinguishedName=CN=YOUNG_JOHNSON,OU=Devices,OU=HRE,OU=Tier 1,DC=attackrange,DC=local
sn=YOUNG_JOHNSON
cn=YOUNG_JOHNSON
Object Details:
sAMAccountType=805306368
sAMAccountName=YOUNG_JOHNSON
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1558
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3b0f6c2d-0277-444c-b25d-08d3a684e3b7
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.59 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82009
uSNCreated=20074
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=CA-NOC-distlist1,OU=T1-Accounts,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ME-666-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=AL-cal-distlist1,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ES-mortadela-admingroup1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=JE-Morritos7-distlist1,OU=Devices,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.292
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=STEFANIE_DOUGLAS@attackrange.local
name=STEFANIE_DOUGLAS
displayName=STEFANIE_DOUGLAS
distinguishedName=CN=STEFANIE_DOUGLAS,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local
sn=STEFANIE_DOUGLAS
cn=STEFANIE_DOUGLAS
Object Details:
sAMAccountType=805306368
sAMAccountName=STEFANIE_DOUGLAS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2871
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=dec519ea-a70c-4640-b1ae-a186f898bb11
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.47 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82007
uSNCreated=29302
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=RA-magdalena-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=DO-dre-admingroup1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.388
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=STEFANIE_DOUGLAS@attackrange.local
name=STEFANIE_DOUGLAS
displayName=STEFANIE_DOUGLAS
distinguishedName=CN=STEFANIE_DOUGLAS,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local
sn=STEFANIE_DOUGLAS
cn=STEFANIE_DOUGLAS
Object Details:
sAMAccountType=805306368
sAMAccountName=STEFANIE_DOUGLAS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2871
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=dec519ea-a70c-4640-b1ae-a186f898bb11
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.47 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82007
uSNCreated=29302
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=RA-magdalena-distlist1,OU=Groups,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=MA-pri-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=DO-dre-admingroup1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ER-supermoni-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.277
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARK_PARKS@attackrange.local
name=MARK_PARKS
displayName=MARK_PARKS
distinguishedName=CN=MARK_PARKS,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local
sn=MARK_PARKS
cn=MARK_PARKS
Object Details:
sAMAccountType=805306368
sAMAccountName=MARK_PARKS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1875
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3db831f5-ec52-40a0-9c66-da72db2878b2
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.10 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82005
uSNCreated=22305
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=DU-319-admingroup1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=IS-cynthia69-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=KI-missaelga-distlist1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=HA-leu-admingroup1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.373
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARK_PARKS@attackrange.local
name=MARK_PARKS
displayName=MARK_PARKS
distinguishedName=CN=MARK_PARKS,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local
sn=MARK_PARKS
cn=MARK_PARKS
Object Details:
sAMAccountType=805306368
sAMAccountName=MARK_PARKS
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1875
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3db831f5-ec52-40a0-9c66-da72db2878b2
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.10 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82005
uSNCreated=22305
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=AR-917828522-distlist1,OU=AZR,OU=People,DC=attackrange,DC=local|CN=DU-319-admingroup1,OU=Groups,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=BE-mas-distlist1,OU=Test,OU=FSR,OU=Tier 2,DC=attackrange,DC=local|CN=IS-cynthia69-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-leo-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=KI-missaelga-distlist1,OU=Test,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=ZE-con-admingroup1,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=HA-leu-admingroup1,OU=ServiceAccounts,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.245
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=WALDO_GATES@attackrange.local
name=WALDO_GATES
displayName=WALDO_GATES
distinguishedName=CN=WALDO_GATES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local
sn=WALDO_GATES
cn=WALDO_GATES
Object Details:
sAMAccountType=805306368
sAMAccountName=WALDO_GATES
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1127
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3c67f55f-cceb-43a5-9858-0af398746e19
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:49.11 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82003
uSNCreated=17045
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z
servicePrincipalName=MSSQL/HREWVIR1000000
managedObjects=CN=WA-con-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.342
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=WALDO_GATES@attackrange.local
name=WALDO_GATES
displayName=WALDO_GATES
distinguishedName=CN=WALDO_GATES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local
sn=WALDO_GATES
cn=WALDO_GATES
Object Details:
sAMAccountType=805306368
sAMAccountName=WALDO_GATES
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1127
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=3c67f55f-cceb-43a5-9858-0af398746e19
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:49.11 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82003
uSNCreated=17045
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z
servicePrincipalName=MSSQL/HREWVIR1000000
managedObjects=CN=WA-con-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.214
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=6893486226SA@attackrange.local
name=6893486226SA
displayName=6893486226SA
distinguishedName=CN=6893486226SA,OU=GOO,OU=Stage,DC=attackrange,DC=local
sn=6893486226SA
cn=6893486226SA
Object Details:
sAMAccountType=805306368
sAMAccountName=6893486226SA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2883
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=2b3c077d-c276-4b2d-ba87-13d05565ac25
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.49 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82001
uSNCreated=29386
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.310
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=6893486226SA@attackrange.local
name=6893486226SA
displayName=6893486226SA
distinguishedName=CN=6893486226SA,OU=GOO,OU=Stage,DC=attackrange,DC=local
sn=6893486226SA
cn=6893486226SA
Object Details:
sAMAccountType=805306368
sAMAccountName=6893486226SA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2883
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=2b3c077d-c276-4b2d-ba87-13d05565ac25
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.49 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=82001
uSNCreated=29386
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.183
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARISA_GARCIA@attackrange.local
name=MARISA_GARCIA
displayName=MARISA_GARCIA
distinguishedName=CN=MARISA_GARCIA,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local
sn=MARISA_GARCIA
cn=MARISA_GARCIA
Object Details:
sAMAccountType=805306368
sAMAccountName=MARISA_GARCIA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2532
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=da944fda-22b6-4d41-a134-a0d763cd5c74
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:54.36 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81999
uSNCreated=26921
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010101181633.0Z
memberOf=CN=ER-181-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=RU-031993tra-distlist1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-181019999-distlist1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.279
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=MARISA_GARCIA@attackrange.local
name=MARISA_GARCIA
displayName=MARISA_GARCIA
distinguishedName=CN=MARISA_GARCIA,OU=T2-Roles,OU=Tier 2,OU=Admin,DC=attackrange,DC=local
sn=MARISA_GARCIA
cn=MARISA_GARCIA
Object Details:
sAMAccountType=805306368
sAMAccountName=MARISA_GARCIA
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2532
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=da944fda-22b6-4d41-a134-a0d763cd5c74
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:54.36 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81999
uSNCreated=26921
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010101181633.0Z
memberOf=CN=ER-181-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=RU-031993tra-distlist1,OU=FIN,OU=People,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HI-181019999-distlist1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.152
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ISRAEL_CALLAHAN@attackrange.local
name=ISRAEL_CALLAHAN
displayName=ISRAEL_CALLAHAN
distinguishedName=CN=ISRAEL_CALLAHAN,OU=FSR,OU=Tier 2,DC=attackrange,DC=local
sn=ISRAEL_CALLAHAN
cn=ISRAEL_CALLAHAN
Object Details:
sAMAccountType=805306368
sAMAccountName=ISRAEL_CALLAHAN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2747
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=1dac600a-2bcd-42b1-8510-221f9d132e27
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.20 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81997
uSNCreated=28427
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.248
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=ISRAEL_CALLAHAN@attackrange.local
name=ISRAEL_CALLAHAN
displayName=ISRAEL_CALLAHAN
distinguishedName=CN=ISRAEL_CALLAHAN,OU=FSR,OU=Tier 2,DC=attackrange,DC=local
sn=ISRAEL_CALLAHAN
cn=ISRAEL_CALLAHAN
Object Details:
sAMAccountType=805306368
sAMAccountName=ISRAEL_CALLAHAN
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2747
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=1dac600a-2bcd-42b1-8510-221f9d132e27
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:55.20 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81997
uSNCreated=28427
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.217
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=WILBUR_MCGUIRE@attackrange.local
name=WILBUR_MCGUIRE
displayName=WILBUR_MCGUIRE
distinguishedName=CN=WILBUR_MCGUIRE,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=WILBUR_MCGUIRE
cn=WILBUR_MCGUIRE
Object Details:
sAMAccountType=805306368
sAMAccountName=WILBUR_MCGUIRE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2270
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=72d9c334-5ab9-4cae-8fe5-d1a9b171d167
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:53.39 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81995
uSNCreated=25079
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z
memberOf=CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Esp-distlist1,OU=OGC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.170
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=LOU_STAFFORD@attackrange.local
name=LOU_STAFFORD
displayName=LOU_STAFFORD
distinguishedName=CN=LOU_STAFFORD,OU=People,DC=attackrange,DC=local
sn=LOU_STAFFORD
cn=LOU_STAFFORD
Object Details:
sAMAccountType=805306368
sAMAccountName=LOU_STAFFORD
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2026
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=ad47e264-096c-47c6-8f37-5da952bacc33
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.45 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81993
uSNCreated=23365
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=FA-Demons786-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.138
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KIP_HEATH@attackrange.local
name=KIP_HEATH
displayName=KIP_HEATH
distinguishedName=CN=KIP_HEATH,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
sn=KIP_HEATH
cn=KIP_HEATH
Object Details:
sAMAccountType=805306368
sAMAccountName=KIP_HEATH
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3157
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e0e84ab2-41dc-486c-a428-c25880e4a394
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:56.43 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81991
uSNCreated=31310
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.107
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=EMILIA_HILL@attackrange.local
name=EMILIA_HILL
displayName=EMILIA_HILL
distinguishedName=CN=EMILIA_HILL,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
sn=EMILIA_HILL
cn=EMILIA_HILL
Object Details:
sAMAccountType=805306368
sAMAccountName=EMILIA_HILL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3254
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=f7a3d2f6-e17c-4ebc-8007-0d20a147b2ea
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:57.02 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81989
uSNCreated=31992
instanceType=4
Additional Details:
dSCorePropagationData=20240220220330.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
managedObjects=CN=EM-spi-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local
memberOf=CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RE-chulaherm-distlist1,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=TA-bab-distlist1,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.076
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KATHRINE_COLLIER@attackrange.local
name=KATHRINE_COLLIER
displayName=KATHRINE_COLLIER
distinguishedName=CN=KATHRINE_COLLIER,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
sn=KATHRINE_COLLIER
cn=KATHRINE_COLLIER
Object Details:
sAMAccountType=805306368
sAMAccountName=KATHRINE_COLLIER
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1404
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b9db0071-5175-479a-a3f7-86067d793c2f
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.21 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81987
uSNCreated=18992
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HA-helpless2-distlist1,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=DE-100-admingroup1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=AU-333-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=EA-ferdhinan-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.045
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KAREEM_MCGEE@attackrange.local
name=KAREEM_MCGEE
displayName=KAREEM_MCGEE
distinguishedName=CN=KAREEM_MCGEE,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=KAREEM_MCGEE
cn=KAREEM_MCGEE
Object Details:
sAMAccountType=805306368
sAMAccountName=KAREEM_MCGEE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2412
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=4fd8f8fa-6608-46d3-8007-6dfa5a626035
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:54.10 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81985
uSNCreated=26076
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=KE-nic-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=54-hap-distlist1,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.120
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=WILBUR_MCGUIRE@attackrange.local
name=WILBUR_MCGUIRE
displayName=WILBUR_MCGUIRE
distinguishedName=CN=WILBUR_MCGUIRE,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local
sn=WILBUR_MCGUIRE
cn=WILBUR_MCGUIRE
Object Details:
sAMAccountType=805306368
sAMAccountName=WILBUR_MCGUIRE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2270
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=72d9c334-5ab9-4cae-8fe5-d1a9b171d167
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:53.39 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81995
uSNCreated=25079
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z
memberOf=CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Esp-distlist1,OU=OGC,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.074
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=LOU_STAFFORD@attackrange.local
name=LOU_STAFFORD
displayName=LOU_STAFFORD
distinguishedName=CN=LOU_STAFFORD,OU=People,DC=attackrange,DC=local
sn=LOU_STAFFORD
cn=LOU_STAFFORD
Object Details:
sAMAccountType=805306368
sAMAccountName=LOU_STAFFORD
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2026
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=ad47e264-096c-47c6-8f37-5da952bacc33
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:52.45 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81993
uSNCreated=23365
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=FA-Demons786-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.039
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KIP_HEATH@attackrange.local
name=KIP_HEATH
displayName=KIP_HEATH
distinguishedName=CN=KIP_HEATH,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local
sn=KIP_HEATH
cn=KIP_HEATH
Object Details:
sAMAccountType=805306368
sAMAccountName=KIP_HEATH
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3157
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=e0e84ab2-41dc-486c-a428-c25880e4a394
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:56.43 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81991
uSNCreated=31310
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
description=Created with secframe.com/badblood.
02/21/2024 18:02:16.007
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=EMILIA_HILL@attackrange.local
name=EMILIA_HILL
displayName=EMILIA_HILL
distinguishedName=CN=EMILIA_HILL,OU=Test,OU=SEC,OU=Tier 1,DC=attackrange,DC=local
sn=EMILIA_HILL
cn=EMILIA_HILL
Object Details:
sAMAccountType=805306368
sAMAccountName=EMILIA_HILL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3254
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=f7a3d2f6-e17c-4ebc-8007-0d20a147b2ea
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:57.02 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81989
uSNCreated=31992
instanceType=4
Additional Details:
dSCorePropagationData=20240220220330.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
managedObjects=CN=EM-spi-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local
memberOf=CN=RA-joa-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local|CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RE-chulaherm-distlist1,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=TA-bab-distlist1,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:15.998
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=BARBARA_ONEAL@attackrange.local
name=BARBARA_ONEAL
displayName=BARBARA_ONEAL
distinguishedName=CN=BARBARA_ONEAL,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local
sn=BARBARA_ONEAL
cn=BARBARA_ONEAL
Object Details:
sAMAccountType=805306368
sAMAccountName=BARBARA_ONEAL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3399
primaryGroupID=513
pwdLastSet=06:02.15 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=4f17d706-a5e1-4e06-910e-b96309c6680a
whenChanged=06:02.15 PM, Wed 02/21/2024
whenCreated=09:57.31 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81983
uSNCreated=33013
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=EM-bon-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=GR-ascarothh-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=FL-bet-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:15.975
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KATHRINE_COLLIER@attackrange.local
name=KATHRINE_COLLIER
displayName=KATHRINE_COLLIER
distinguishedName=CN=KATHRINE_COLLIER,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local
sn=KATHRINE_COLLIER
cn=KATHRINE_COLLIER
Object Details:
sAMAccountType=805306368
sAMAccountName=KATHRINE_COLLIER
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-1404
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=b9db0071-5175-479a-a3f7-86067d793c2f
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:50.21 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81987
uSNCreated=18992
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z
memberOf=CN=ES-ian200208-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=HA-helpless2-distlist1,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=DE-100-admingroup1,OU=Test,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=AU-333-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=EA-ferdhinan-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:15.941
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=KAREEM_MCGEE@attackrange.local
name=KAREEM_MCGEE
displayName=KAREEM_MCGEE
distinguishedName=CN=KAREEM_MCGEE,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local
sn=KAREEM_MCGEE
cn=KAREEM_MCGEE
Object Details:
sAMAccountType=805306368
sAMAccountName=KAREEM_MCGEE
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-2412
primaryGroupID=513
pwdLastSet=06:02.16 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4194816
objectGUID=4fd8f8fa-6608-46d3-8007-6dfa5a626035
whenChanged=06:02.16 PM, Wed 02/21/2024
whenCreated=09:54.10 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81985
uSNCreated=26076
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z
memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=KE-nic-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=54-hap-distlist1,OU=Devices,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Amorcito1-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
02/21/2024 18:02:15.899
dcName=ar-win-dc.attackrange.local
admonEventType=Update
Names:
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local
userPrincipalName=BARBARA_ONEAL@attackrange.local
name=BARBARA_ONEAL
displayName=BARBARA_ONEAL
distinguishedName=CN=BARBARA_ONEAL,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local
sn=BARBARA_ONEAL
cn=BARBARA_ONEAL
Object Details:
sAMAccountType=805306368
sAMAccountName=BARBARA_ONEAL
logonCount=0
accountExpires=Never Expires
objectSid=S-1-5-21-2851375338-1978525053-2422663219-3399
primaryGroupID=513
pwdLastSet=06:02.15 PM, Wed 02/21/2024
lastLogon=0
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=512
objectGUID=4f17d706-a5e1-4e06-910e-b96309c6680a
whenChanged=06:02.15 PM, Wed 02/21/2024
whenCreated=09:57.31 PM, Tue 02/20/2024
objectClass=top|person|organizationalPerson|user
Event Details:
uSNChanged=81983
uSNCreated=33013
instanceType=4
Additional Details:
dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z
memberOf=CN=EL-pro-admingroup1,OU=Test,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=EM-bon-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=GR-ascarothh-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=FL-bet-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-boudabbou-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=TR-ber-admingroup1,OU=People,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local
description=Created with secframe.com/badblood.
410615103150x0708552Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb86417a5-519a-454b-8bb2-474a34b499e22b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708551Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb86417a5-519a-454b-8bb2-474a34b499e22b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708550Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708549Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708548Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala0da7b12-fcd4-444e-a45d-14b3126ed3e72b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708547Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module
Import-Module ActiveDirectory
# Define the new password - ensure to follow your organization's password policy
$newPassword = ConvertTo-SecureString "NewP@ssw0rd123!" -AsPlainText -Force
# Get 20 random user accounts
$randomUsers = Get-ADUser -Filter * -Properties PasswordLastSet | Get-Random -Count 20
# Loop through each user and update the password
foreach ($user in $randomUsers) {
try {
Set-ADAccountPassword $user.SamAccountName -NewPassword $newPassword -Reset
Write-Host "Password updated for user: $($user.SamAccountName)"
} catch {
Write-Host "Failed to update password for user: $($user.SamAccountName)"
}
}
# Output the users whose passwords were updated
Write-Host "Updated passwords for the following users:"
$randomUsers | Select-Object SamAccountName
a0da7b12-fcd4-444e-a45d-14b3126ed3e7
410615103150x0708546Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4673001305700x8010000000000000276689Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe
22542200x800000000000000044939Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:02.562{0b642d80-3a98-65d6-ba02-00000000be02}336ar-win-dc.attackrange.local0fe80::2c4d:3504:6979:e6f2;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administrator
410515102150x0708545Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708544Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb35af235-aed1-4958-908c-e136d6572af22b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708543Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708542Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708541Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb35af235-aed1-4958-908c-e136d6572af22b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708540Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptb35af235-aed1-4958-908c-e136d6572af2
410615103150x0708539Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708538Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708537Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8f357141-a5bd-4c62-99a7-8d69718ba3df2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4627001255400x8020000000000000276688Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1cf2a4311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2851375338-1978525053-2422663219-4094}
ATTACKRANGE\Domain Controllers
%{S-1-5-21-2851375338-1978525053-2422663219-4031}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000276687Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1cf2a43KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::156870%%1833---%%18430x0%%1842
4672001254800x8020000000000000276686Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1cf2a4SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
410615103150x0708536Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708535Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708534Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8f357141-a5bd-4c62-99a7-8d69718ba3df2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708533Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11Import-Module ActiveDirectory8f357141-a5bd-4c62-99a7-8d69718ba3df
410615103150x0708532Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708531Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708530Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
4689001331300x8020000000000000276685Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x18ccC:\Windows\System32\HOSTNAME.EXE
4688201331200x8020000000000000276684Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x18ccC:\Windows\System32\HOSTNAME.EXE%%19360x150"C:\Windows\system32\HOSTNAME.EXE"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level
4689001331300x8020000000000000276683Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x570C:\Windows\System32\HOSTNAME.EXE
4673001305700x8020000000000000276682Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4688201331200x8020000000000000276681Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x570C:\Windows\System32\HOSTNAME.EXE%%19360x150"C:\Windows\system32\HOSTNAME.EXE"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level
4689001331300x8020000000000000276680Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
4689001331300x8020000000000000276679Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x00x434C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
4688201331200x8020000000000000276678Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x434C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe%%19360xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2440.tmp" "c:\Users\Administrator\AppData\Local\Temp\en5zbq4l\CSCBC71219778BF4721BF35A33BDC6E09B.TMP"NULL SID--0x0C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeMandatory Label\High Mandatory Level
4688201331200x8020000000000000276677Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10xce4C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe%%19360x150"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level
154100x800000000000000044938Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.627{0b642d80-3a99-65d6-bf02-00000000be02}6348C:\Windows\System32\HOSTNAME.EXE10.0.17763.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x800000000000000044937Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.499{0b642d80-3a99-65d6-be02-00000000be02}1392C:\Windows\System32\HOSTNAME.EXE10.0.17763.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
11241100x800000000000000044936Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localDLL2024-02-21 18:02:01.379{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.dll2024-02-21 18:02:01.222ATTACKRANGE\Administrator
154100x800000000000000044935Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.367{0b642d80-3a99-65d6-bd02-00000000be02}1076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2440.tmp" "c:\Users\Administrator\AppData\Local\Temp\en5zbq4l\CSCBC71219778BF4721BF35A33BDC6E09B.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"ATTACKRANGE\Administrator
154100x800000000000000044934Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.234{0b642d80-3a99-65d6-bc02-00000000be02}3300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
11241100x800000000000000044933Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:01.222{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.cmdline2024-02-21 18:02:01.222ATTACKRANGE\Administrator
11241100x800000000000000044932Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localDLL2024-02-21 18:02:01.222{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\en5zbq4l\en5zbq4l.dll2024-02-21 18:02:01.222ATTACKRANGE\Administrator
410515102150x0708529Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708528Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local48ba134f-9e64-4584-a732-197c05a617342b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708527Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708526Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708525Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local48ba134f-9e64-4584-a732-197c05a617342b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708524Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt48ba134f-9e64-4584-a732-197c05a61734
410615103150x0708523Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1ff25d67-532c-4a41-9122-e42c72f7eb882b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708522Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6a19b68d-06ed-49fc-8aec-0f966f79484d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708521Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3064d909-08ec-4728-a9aa-6617b06699762b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708520Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc451a5d3-da69-4afb-aaff-2f01dcd9deef2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708519Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc451a5d3-da69-4afb-aaff-2f01dcd9deef2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708518Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Write-PrereqResults ($FailureReasons, $testId) {
if ($FailureReasons.Count -eq 0) {
Write-KeyValue "Prerequisites met: " $testId
}
else {
Write-Host -ForegroundColor Red "Prerequisites not met: $testId"
foreach ($reason in $FailureReasons) {
Write-Host -ForegroundColor Yellow -NoNewline "`t[*] $reason"
}
Write-Host -ForegroundColor Yellow -NoNewline "`nTry installing prereq's with the "
Write-Host -ForegroundColor Cyan -NoNewline "-GetPrereqs"
Write-Host -ForegroundColor Yellow " switch"
}
}
c451a5d3-da69-4afb-aaff-2f01dcd9deefC:\AtomicRedTeam\invoke-atomicredteam\Private\Write-PrereqResults.ps1
410615103150x0708517Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3cf42e5-7ab8-41b4-9ae8-a9dd2055bc262b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708516Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3cf42e5-7ab8-41b4-9ae8-a9dd2055bc262b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708515Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Write-KeyValue ($key, $value) {
Write-Host -ForegroundColor Cyan -NoNewline $key
$split = $value -split "(#{[a-z-_A-Z]*})"
foreach ($s in $split) {
if ($s -match "(#{[a-z-_A-Z]*})") {
Write-Host -ForegroundColor Red -NoNewline $s
}
else {
Write-Host -ForegroundColor Green -NoNewline $s
}
}
Write-Host ""
}
a3cf42e5-7ab8-41b4-9ae8-a9dd2055bc26C:\AtomicRedTeam\invoke-atomicredteam\Private\Write-KeyValue.ps1
410615103150x0708514Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localaabbc059-fe19-4e1c-9f05-f4ba5db52b9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708513Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localaabbc059-fe19-4e1c-9f05-f4ba5db52b9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708512Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-CleanupDescription() {
$ret1 = $test.description.ToString().trim() -replace '(?<!\n)\n(?!\n)', ' ' #replace single linefeeds with a space
$ret1 -replace '\n\n', "`n" #replace double linefeeds with a single linefeed
}
function Show-Details ($test, $testCount, $technique, $customInputArgs, $PathToAtomicsFolder) {
# Header info
$tName = $technique.display_name.ToString() + " " + $technique.attack_technique
Write-Host -ForegroundColor Magenta "[********BEGIN TEST*******]"
Write-KeyValue "Technique: " $tName
Write-KeyValue "Atomic Test Name: " $test.name.ToString()
Write-KeyValue "Atomic Test Number: " $testCount
if ($test.auto_generated_guid) { Write-KeyValue "Atomic Test GUID: " $test.auto_generated_guid }
Write-KeyValue "Description: " $(Invoke-CleanupDescription $test)
# Attack Commands
Write-Host -ForegroundColor Yellow "`nAttack Commands:"
$elevationRequired = $false
if ($nul -ne $test.executor.elevation_required ) { $elevationRequired = $test.executor.elevation_required }
$executor_name = $test.executor.name
Write-KeyValue "Executor: " $executor_name
Write-KeyValue "ElevationRequired: " $elevationRequired
$final_command = Merge-InputArgs $test.executor.command $test $customInputArgs $PathToAtomicsFolder
Write-KeyValue "Command:`n" $test.executor.command.trim()
if ($test.executor.command -ne $final_command) { Write-KeyValue "Command (with inputs):`n" $final_command.trim() }
# Cleanup Commands
if ($nul -ne $test.executor.cleanup_command) {
Write-Host -ForegroundColor Yellow "`nCleanup Commands:"
$final_command = Merge-InputArgs $test.executor.cleanup_command $test $customInputArgs $PathToAtomicsFolder
Write-KeyValue "Command:`n" $test.executor.cleanup_command.trim()
if ($test.executor.cleanup_command -ne $final_command) { Write-KeyValue "Command (with inputs):`n" $final_command.trim() }
}
# Dependencies
if ($nul -ne $test.dependencies) {
Write-Host -ForegroundColor Yellow "`nDependencies:"
foreach ($dep in $test.dependencies) {
$final_command_prereq = Merge-InputArgs $dep.prereq_command $test $customInputArgs $PathToAtomicsFolder
$final_command_get_prereq = Merge-InputArgs $dep.get_prereq_command $test $customInputArgs $PathToAtomicsFolder
$description = Merge-InputArgs $dep.description $test $customInputArgs $PathToAtomicsFolder
Write-KeyValue "Description: " $description.trim()
Write-KeyValue "Check Prereq Command:`n" $dep.prereq_command.trim()
if ( $dep.prereq_command -ne $final_command_prereq ) { Write-KeyValue "Check Prereq Command (with inputs):`n" $final_command_prereq.trim() }
Write-KeyValue "Get Prereq Command:`n" $dep.get_prereq_command.trim()
if ( $dep.get_prereq_command -ne $final_command_get_prereq ) { Write-KeyValue "Get Prereq Command (with inputs):`n" $final_command_get_prereq.trim() }
}
}
# Footer
Write-Host -ForegroundColor Magenta "[!!!!!!!!END TEST!!!!!!!]`n`n"
}
aabbc059-fe19-4e1c-9f05-f4ba5db52b9bC:\AtomicRedTeam\invoke-atomicredteam\Private\Show-Details.ps1
410615103150x0708511Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2cd43e16-936a-4876-9317-12bd8474ee282b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708510Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2cd43e16-936a-4876-9317-12bd8474ee282b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708509Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-InputArgs([hashtable]$ip, $customInputArgs, $PathToAtomicsFolder) {
$defaultArgs = @{ }
foreach ($key in $ip.Keys) {
$defaultArgs[$key] = $ip[$key].default
}
# overwrite defaults with any user supplied values
foreach ($key in $customInputArgs.Keys) {
if ($defaultArgs.Keys -contains $key) {
# replace default with user supplied
$defaultArgs.set_Item($key, $customInputArgs[$key])
}
else {
Write-Verbose "The specified input argument *$key* was ignored as not applicable"
}
}
$defaultArgs
}
function Merge-InputArgs($finalCommand, $test, $customInputArgs, $PathToAtomicsFolder) {
if (($null -ne $finalCommand) -and ($test.input_arguments.Count -gt 0)) {
Write-Verbose -Message 'Replacing inputArgs with user specified values, or default values if none provided'
$inputArgs = Get-InputArgs $test.input_arguments $customInputArgs $PathToAtomicsFolder
foreach ($key in $inputArgs.Keys) {
$findValue = '#{' + $key + '}'
$finalCommand = $finalCommand.Replace($findValue, $inputArgs[$key])
}
}
# Replace $PathToAtomicsFolder or PathToAtomicsFolder with the actual -PathToAtomicsFolder value
$finalCommand = ($finalCommand -replace "\`$PathToAtomicsFolder", $PathToAtomicsFolder) -replace "PathToAtomicsFolder", $PathToAtomicsFolder
$finalCommand
}
function Invoke-PromptForInputArgs([hashtable]$ip) {
$InputArgs = @{ }
foreach ($key in $ip.Keys) {
$InputArgs[$key] = $ip[$key].default
$newValue = Read-Host -Prompt "Enter a value for $key , or press enter to accept the default.`n$($ip[$key].description.trim()) [$($ip[$key].default.trim())]"
# replace default with user supplied
if (-not [string]::IsNullOrWhiteSpace($newValue)) {
$InputArgs.set_Item($key, $newValue)
}
}
$InputArgs
}
2cd43e16-936a-4876-9317-12bd8474ee28C:\AtomicRedTeam\invoke-atomicredteam\Private\Replace-InputArgs.ps1
410615103150x0708508Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local83ea041a-9015-437d-9af8-55e97acc04202b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708507Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local83ea041a-9015-437d-9af8-55e97acc04202b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708506Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# The Invoke-Process function is loosely based on code from https://github.com/guitarrapc/PowerShellUtil/blob/master/Invoke-Process/Invoke-Process.ps1
function Invoke-Process {
[OutputType([PSCustomObject])]
[CmdletBinding()]
param
(
[Parameter(Mandatory = $false, Position = 0)]
[string]$FileName = "PowerShell.exe",
[Parameter(Mandatory = $false, Position = 1)]
[string[]]$Arguments = "",
[Parameter(Mandatory = $false, Position = 3)]
[Int]$TimeoutSeconds = 120,
[Parameter(Mandatory = $false, Position = 4)]
[String]$stdoutFile = $null,
[Parameter(Mandatory = $false, Position = 5)]
[String]$stderrFile = $null
)
end {
$WorkingDirectory = if ($IsLinux -or $IsMacOS) { "/tmp" } else { $env:TEMP }
try {
# new Process
if ($stdoutFile) {
# new Process
$process = NewProcess -FileName $FileName -Arguments $Arguments -WorkingDirectory $WorkingDirectory
# Event Handler for Output
$stdSb = New-Object -TypeName System.Text.StringBuilder
$errorSb = New-Object -TypeName System.Text.StringBuilder
$scripBlock =
{
$x = $Event.SourceEventArgs.Data
if (-not [String]::IsNullOrEmpty($x)) {
$Event.MessageData.AppendLine($x)
}
}
$stdEvent = Register-ObjectEvent -InputObject $process -EventName OutputDataReceived -Action $scripBlock -MessageData $stdSb
$errorEvent = Register-ObjectEvent -InputObject $process -EventName ErrorDataReceived -Action $scripBlock -MessageData $errorSb
# execution
$process.Start() > $null
$process.BeginOutputReadLine()
$process.BeginErrorReadLine()
# wait for complete
$Timeout = [System.TimeSpan]::FromSeconds(($TimeoutSeconds))
$isTimeout = $false
if (-not $Process.WaitForExit($Timeout.TotalMilliseconds)) {
$isTimeout = $true
Invoke-KillProcessTree $process.id
Write-Host -ForegroundColor Red "Process Timed out after $TimeoutSeconds seconds, use '-TimeoutSeconds' to specify a different timeout"
}
$process.CancelOutputRead()
$process.CancelErrorRead()
# Unregister Event to recieve Asynchronous Event output (should be called before process.Dispose())
Unregister-Event -SourceIdentifier $stdEvent.Name
Unregister-Event -SourceIdentifier $errorEvent.Name
$stdOutString = $stdSb.ToString().Trim()
if ($stdOutString.Length -gt 0) {
Write-Host $stdOutString
}
$stdErrString = $errorSb.ToString().Trim()
if ($stdErrString.Length -gt 0) {
Write-Host $stdErrString
}
# Get Process result
return GetCommandResult -Process $process -StandardStringBuilder $stdSb -ErrorStringBuilder $errorSb -IsTimeOut $isTimeout
}
else {
# This is the enitrety of the "old style" code, kept for interactive tests
$process = Start-Process -FilePath $FileName -ArgumentList $Arguments -WorkingDirectory $WorkingDirectory -NoNewWindow -PassThru
# cache process.Handle, otherwise ExitCode is null from powershell processes
$handle = $process.Handle
# wait for complete
$Timeout = [System.TimeSpan]::FromSeconds(($TimeoutSeconds))
if (-not $process.WaitForExit($Timeout.TotalMilliseconds)) {
Invoke-KillProcessTree $process.id
Write-Host -ForegroundColor Red "Process Timed out after $TimeoutSeconds seconds, use '-TimeoutSeconds' to specify a different timeout"
if ($stdoutFile) {
# Add a warning in stdoutFile in case of timeout
# problem: $stdoutFile was locked in writing by the process we just killed, sometimes it's too fast and the lock isn't released immediately
# solution: retry at most 10 times with 100ms between each attempt
For ($i = 0; $i -lt 10; $i++) {
try {
"<timeout>" | Out-File (Join-Path $WorkingDirectory $stdoutFile) -Append -Encoding ASCII
break # if we're here it means the file wasn't locked and Out-File worked, so we can leave the retry loop
}
catch {} # file is locked
Start-Sleep -m 100
}
}
}
if ($IsLinux -or $IsMacOS) {
Start-Sleep -Seconds 5 # On nix, the last 4 lines of stdout get overwritten upon return so pause for a bit to ensure user can view results
}
# Get Process result
return [PSCustomObject]@{
StandardOutput = ""
ErrorOutput = ""
ExitCode = $process.ExitCode
ProcessId = $Process.Id
IsTimeOut = $IsTimeout
}
}
}
finally {
if ($null -ne $process) { $process.Dispose() }
if ($null -ne $stdEvent) { $stdEvent.StopJob(); $stdEvent.Dispose() }
if ($null -ne $errorEvent) { $errorEvent.StopJob(); $errorEvent.Dispose() }
}
}
begin {
function NewProcess {
[OutputType([System.Diagnostics.Process])]
[CmdletBinding()]
param
(
[parameter(Mandatory = $true)]
[string]$FileName,
[parameter(Mandatory = $false)]
[string[]]$Arguments,
[parameter(Mandatory = $false)]
[string]$WorkingDirectory
)
# ProcessStartInfo
$psi = New-object System.Diagnostics.ProcessStartInfo
$psi.CreateNoWindow = $true
$psi.UseShellExecute = $false
$psi.RedirectStandardOutput = $true
$psi.RedirectStandardError = $true
$psi.FileName = $FileName
$psi.Arguments += $Arguments
$psi.WorkingDirectory = $WorkingDirectory
# Set Process
$process = New-Object System.Diagnostics.Process
$process.StartInfo = $psi
$process.EnableRaisingEvents = $true
return $process
}
function GetCommandResult {
[OutputType([PSCustomObject])]
[CmdletBinding()]
param
(
[parameter(Mandatory = $true)]
[System.Diagnostics.Process]$Process,
[parameter(Mandatory = $true)]
[System.Text.StringBuilder]$StandardStringBuilder,
[parameter(Mandatory = $true)]
[System.Text.StringBuilder]$ErrorStringBuilder,
[parameter(Mandatory = $true)]
[Bool]$IsTimeout
)
return [PSCustomObject]@{
StandardOutput = $StandardStringBuilder.ToString().Trim()
ErrorOutput = $ErrorStringBuilder.ToString().Trim()
ExitCode = $Process.ExitCode
ProcessId = $Process.Id
IsTimeOut = $IsTimeout
}
}
}
}
83ea041a-9015-437d-9af8-55e97acc0420C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1
410615103150x0708505Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2673f39b-f9b4-4bce-9709-3c49493d8d952b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708504Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2673f39b-f9b4-4bce-9709-3c49493d8d952b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708503Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-KillProcessTree {
Param([int]$ppid)
if ($IsLinux -or $IsMacOS) {
sh -c "pkill -9 -P $ppid"
}
else {
while ($null -ne ($gcim = Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq $ppid })) {
$gcim | ForEach-Object { Invoke-KillProcessTree $_.ProcessId; Start-Sleep -Seconds 0.5 }
}
Stop-Process -Id $ppid -ErrorAction Ignore
}
}
2673f39b-f9b4-4bce-9709-3c49493d8d95C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-KillProcessTree.ps1
410615103150x0708502Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localca437bfd-3489-4c5b-952c-6aeda127f75d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708501Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localca437bfd-3489-4c5b-952c-6aeda127f75d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708500Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-ExecuteCommand ($finalCommand, $executor, $executionPlatform, $TimeoutSeconds, $session = $null, $interactive) {
$null = @(
if ($null -eq $finalCommand) { return 0 }
$finalCommand = $finalCommand.trim()
Write-Verbose -Message 'Invoking Atomic Tests using defined executor'
if ($executor -eq "command_prompt" -or $executor -eq "sh" -or $executor -eq "bash") {
$execPrefix = "-c"
$execExe = $executor
if ($executor -eq "command_prompt") {
$execPrefix = "/c";
$execExe = "cmd.exe";
$execCommand = $finalCommand -replace "`n", " & "
$arguments = $execPrefix, "$execCommand"
}
else {
$finalCommand = $finalCommand -replace "[\\](?!;)", "`\$&"
$finalCommand = $finalCommand -replace "[`"]", "`\$&"
$execCommand = $finalCommand -replace "(?<!;)\n", "; "
$arguments = "$execPrefix `"$execCommand`""
}
}
elseif ($executor -eq "powershell") {
$execCommand = $finalCommand -replace "`"", "`\`"`""
if ($session) {
if ($executionPlatform -eq "windows") {
$execExe = "powershell.exe"
}
else {
$execExe = "pwsh"
}
}
else {
$execExe = "powershell.exe"; if ($IsLinux -or $IsMacOS) { $execExe = "pwsh" }
}
if ($execExe -eq "pwsh") {
$arguments = "-Command $execCommand"
}
else {
$arguments = "& {$execCommand}"
}
}
else {
Write-Warning -Message "Unable to generate or execute the command line properly. Unknown executor"
return [PSCustomObject]@{
StandardOutput = ""
ErrorOutput = ""
ExitCode = -1
IsTimeOut = $false
}
}
# Write-Host -ForegroundColor Magenta "$execExe $arguments"
if ($session) {
$scriptParentPath = Split-Path $import -Parent
$fp = Join-Path $scriptParentPath "Invoke-Process.ps1"
$fp2 = Join-Path $scriptParentPath "Invoke-KillProcessTree.ps1"
invoke-command -Session $session -FilePath $fp
invoke-command -Session $session -FilePath $fp2
$res = invoke-command -Session $session -ScriptBlock { Invoke-Process -filename $Using:execExe -Arguments $Using:arguments -TimeoutSeconds $Using:TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt" }
}
else {
if ($interactive) {
# This use case is: Local execution of tests that contain interactive prompts
# In this situation, let the stdout/stderr flow to the console
$res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds
}
else {
# Local execution that DO NOT contain interactive prompts
# In this situation, capture the stdout/stderr for Invoke-AtomicTest to send to the caller
$res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt"
}
}
)
$res
}
ca437bfd-3489-4c5b-952c-6aeda127f75dC:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-ExecuteCommand.ps1
410615103150x0708499Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb72721eb-fc56-4724-bf6d-6687a42dd1522b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708498Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb72721eb-fc56-4724-bf6d-6687a42dd1522b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708497Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-CheckPrereqs ($test, $isElevated, $executionPlatform, $customInputArgs, $PathToAtomicsFolder, $TimeoutSeconds, $session = $null) {
$FailureReasons = New-Object System.Collections.ArrayList
if ( $test.executor.elevation_required -and -not $isElevated) {
$FailureReasons.add("Elevation required but not provided`n") | Out-Null
}
foreach ($dep in $test.dependencies) {
$executor = Get-PrereqExecutor $test
$final_command = Merge-InputArgs $dep.prereq_command $test $customInputArgs $PathToAtomicsFolder
if ($executor -ne "powershell") { $final_command = ($final_Command.trim()).Replace("`n", " && ") }
$res = Invoke-ExecuteCommand $final_command $executor $executionPlatform $TimeoutSeconds $session
$description = Merge-InputArgs $dep.description $test $customInputArgs $PathToAtomicsFolder
if ($res.ExitCode -ne 0) {
$FailureReasons.add($description) | Out-Null
}
}
$FailureReasons
}
b72721eb-fc56-4724-bf6d-6687a42dd152C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-CheckPrereqs.ps1
410615103150x0708496Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local580e331c-a59d-4c02-9005-96046b2615ae2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708495Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local580e331c-a59d-4c02-9005-96046b2615ae2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708494Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-TargetInfo($Session) {
$tmpDir = "$env:TEMP\"
$isElevated = $false
$targetHostname = hostname
$targetUser = whoami
if ($Session) {
$targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser = invoke-command -Session $Session -ScriptBlock {
$targetPlatform = "windows"
$tmpDir = "/tmp/"
$targetHostname = hostname
$targetUser = whoami
if ($IsLinux) { $targetPlatform = "linux" }
elseif ($IsMacOS) { $targetPlatform = "macos" }
else {
# windows
$tmpDir = "$env:TEMP\"
$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
if ($IsLinux -or $IsMacOS) {
$isElevated = $false
$privid = id -u
if ($privid -eq 0) { $isElevated = $true }
}
$targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser
} # end ScriptBlock for remote session
}
else {
$targetPlatform = "linux"
if ($IsLinux -or $IsMacOS) {
$tmpDir = "/tmp/"
$isElevated = $false
$privid = id -u
if ($privid -eq 0) { $isElevated = $true }
if ($IsMacOS) { $targetPlatform = "macos" }
}
else {
$targetPlatform = "windows"
$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
}
$targetPlatform, $isElevated, $tmpDir, $targetHostname, $targetUser
}
580e331c-a59d-4c02-9005-96046b2615aeC:\AtomicRedTeam\invoke-atomicredteam\Private\Get-TargetInfo.ps1
410615103150x0708493Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local018c13a6-4607-4408-96b7-47a65036f17c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708492Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local018c13a6-4607-4408-96b7-47a65036f17c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708491Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-PrereqExecutor ($test) {
if ($nul -eq $test.dependency_executor_name) { $executor = $test.executor.name }
else { $executor = $test.dependency_executor_name }
$executor
}
018c13a6-4607-4408-96b7-47a65036f17cC:\AtomicRedTeam\invoke-atomicredteam\Private\Get-PrereqExecutor.ps1
410615103150x0708490Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2be6acf6-3d12-4ca6-84eb-d128983fada32b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708489Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2be6acf6-3d12-4ca6-84eb-d128983fada32b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708488Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-AtomicGUI {
param (
[Int] $port = 8487
)
# Install-Module UniversalDashboard if not already installed
$UDcommunityInstalled = Get-InstalledModule -Name "UniversalDashboard.Community" -ErrorAction:SilentlyContinue
$UDinstalled = Get-InstalledModule -Name "UniversalDashboard" -ErrorAction:SilentlyContinue
if (-not $UDcommunityInstalled -and -not $UDinstalled) {
Write-Host "Installing UniversalDashboard.Community"
Install-Module -Name UniversalDashboard.Community -Scope CurrentUser -Force
}
############## Function Definitions Made Available to EndPoints
function New-UDTextAreaX ($ID, $PlaceHolder) {
New-UDElement -Tag div -Attributes @{class = "input-field col" } -Content {
New-UDElement -Tag "textarea" -id $ID -Attributes @{ class = "materialize-textarea ud-input" }
New-UDElement -Tag Label -Attributes @{for = $ID } -Content { $PlaceHolder }
}
}
function New-UDTextBoxX ($ID, $PlaceHolder) {
New-UDElement -Tag div -Attributes @{class = "input-field col" } -Content {
New-UDElement -Tag "input" -id $ID -Attributes @{ class = "ud-input"; type = "text" }
New-UDElement -Tag Label -Attributes @{for = $ID } -Content { $PlaceHolder }
}
}
$InputArgCards = @{ }
function New-InputArgCard {
$cardNumber = $InputArgCards.count + 1
$newCard = New-UDCard -ID "InputArgCard$cardNumber" -Content {
New-UDTextBoxX "InputArgCard$cardNumber-InputArgName" "Input Argument Name"
New-UDTextAreaX "InputArgCard$cardNumber-InputArgDescription" "Description"
New-UDTextBoxX "InputArgCard$cardNumber-InputArgDefault" "Default Value"
New-UDLayout -columns 4 {
New-UDSelect -ID "InputArgCard$cardNumber-InputArgType" -Label "Type" -Option {
New-UDSelectOption -Name "Path" -Value "path"
New-UDSelectOption -Name "String" -Value "string"
New-UDSelectOption -Name "Url" -Value "url"
New-UDSelectOption -Name "Integer" -Value "integer"
}
}
New-UDButton -Text "Remove this Input Argument" -OnClick (
New-UDEndpoint -Endpoint {
Remove-UDElement -Id "InputArgCard$cardNumber"
$inputArgCards["InputArgCard$cardNumber"] = $true
} -ArgumentList @($cardNumber, $inputArgCards)
)
}
$InputArgCards.Add("InputArgCard$cardNumber", $false) | Out-Null
$newCard
}
$depCards = @{ }
function New-depCard {
$cardNumber = $depCards.count + 1
$newCard = New-UDCard -ID "depCard$cardNumber" -Content {
New-UDTextBoxX "depCard$cardNumber-depDescription" "Prereq Description"
New-UDTextAreaX "depCard$cardNumber-prereqCommand" "Check prereqs Command"
New-UDTextAreaX "depCard$cardNumber-getPrereqCommand" "Get Prereqs Command"
New-UDButton -Text "Remove this Prereq" -OnClick (
New-UDEndpoint -Endpoint {
Remove-UDElement -Id "depCard$cardNumber"
$depCards["depCard$cardNumber"] = $true
} -ArgumentList @($cardNumber, $depCards)
)
}
$depCards.Add("depCard$cardNumber", $false) | Out-Null
$newCard
}
function New-UDSelectX ($Id, $Label) {
New-UDSelect -Label $Label -Id $Id -Option {
New-UDSelectOption -Name "PowerShell" -Value "PowerShell" -Selected
New-UDSelectOption -Name "Command Prompt" -Value "CommandPrompt"
New-UDSelectOption -Name "Bash" -Value "Bash"
New-UDSelectOption -Name "Sh" -Value "Sh"
}
}
############## End Function Definitions Made Available to EndPoints
# EndpointInitialization defining which methods, modules, and variables will be available for use within an endpoint
$ei = New-UDEndpointInitialization `
-Function @("New-InputArgCard", "New-depCard", "New-UDTextAreaX", "New-UDTextBoxX", "New-UDSelectX") `
-Variable @("InputArgCards", "depCards", "yaml") `
-Module @("..\Invoke-AtomicRedTeam.psd1")
############## EndPoint (ep) Definitions: Dynamic code called to generate content for an element or perfrom onClick actions
$BuildAndDisplayYamlScriptBlock = {
$testName = (Get-UDElement -Id atomicName).Attributes['value']
$testDesc = (Get-UDElement -Id atomicDescription).Attributes['value']
$platforms = @()
if ((Get-UDElement -Id spWindows).Attributes['checked']) { $platforms += "Windows" }
if ((Get-UDElement -Id spLinux).Attributes['checked']) { $platforms += "Linux" }
if ((Get-UDElement -Id spMacOS).Attributes['checked']) { $platforms += "macOS" }
$attackCommands = (Get-UDElement -Id attackCommands).Attributes['value']
$executor = (Get-UDElement -Id executorSelector).Attributes['value']
$elevationRequired = (Get-UDElement -Id elevationRequired).Attributes['checked']
$cleanupCommands = (Get-UDElement -Id cleanupCommands).Attributes['value']
if ("" -eq $executor) { $executor = "PowerShell" }
# input args
$inputArgs = @()
$InputArgCards.GetEnumerator() | ForEach-Object {
if ($_.Value -eq $false) {
# this was not deleted
$prefix = $_.key
$InputArgName = (Get-UDElement -Id "$prefix-InputArgName").Attributes['value']
$InputArgDescription = (Get-UDElement -Id "$prefix-InputArgDescription").Attributes['value']
$InputArgDefault = (Get-UDElement -Id "$prefix-InputArgDefault").Attributes['value']
$InputArgType = (Get-UDElement -Id "$prefix-InputArgType").Attributes['value']
if ("" -eq $InputArgType) { $InputArgType = "String" }
$NewInputArg = New-AtomicTestInputArgument -Name $InputArgName -Description $InputArgDescription -Type $InputArgType -Default $InputArgDefault -WarningVariable +warnings
$inputArgs += $NewInputArg
}
}
# dependencies
$dependencies = @()
$preReqEx = ""
$depCards.GetEnumerator() | ForEach-Object {
if ($_.Value -eq $false) {
# a value of true means the card was deleted, so only add dependencies from non-deleted cards
$prefix = $_.key
$depDescription = (Get-UDElement -Id "$prefix-depDescription").Attributes['value']
$prereqCommand = (Get-UDElement -Id "$prefix-prereqCommand").Attributes['value']
$getPrereqCommand = (Get-UDElement -Id "$prefix-getPrereqCommand").Attributes['value']
$preReqEx = (Get-UDElement -Id "preReqEx").Attributes['value']
if ("" -eq $preReqEx) { $preReqEx = "PowerShell" }
$NewDep = New-AtomicTestDependency -Description $depDescription -PrereqCommand $prereqCommand -GetPrereqCommand $getPrereqCommand -WarningVariable +warnings
$dependencies += $NewDep
}
}
$depParams = @{ }
if ($dependencies.count -gt 0) {
$depParams.add("DependencyExecutorType", $preReqEx)
$depParams.add("Dependencies", $dependencies)
}
if (($cleanupCommands -ne "") -and ($null -ne $cleanupCommands)) { $depParams.add("ExecutorCleanupCommand", $cleanupCommands) }
$depParams.add("ExecutorElevationRequired", $elevationRequired)
$AtomicTest = New-AtomicTest -Name $testName -Description $testDesc -SupportedPlatforms $platforms -InputArguments $inputArgs -ExecutorType $executor -ExecutorCommand $attackCommands -WarningVariable +warnings @depParams
$yaml = ($AtomicTest | ConvertTo-Yaml) -replace "^", "- " -replace "`n", "`n "
foreach ($warning in $warnings) { Show-UDToast $warning -BackgroundColor LightYellow -Duration 10000 }
New-UDElement -ID yaml -Tag pre -Content { $yaml }
}
$epYamlModal = New-UDEndpoint -Endpoint {
Show-UDModal -Header { New-UDHeading -Size 3 -Text "Test Definition YAML" } -Content {
new-udrow -endpoint $BuildAndDisplayYamlScriptBlock
# Left arrow button (decrease indentation)
New-UDButton -Icon arrow_circle_left -OnClick (
New-UDEndpoint -Endpoint {
$yaml = (Get-UDElement -Id "yaml").Content[0]
if (-not $yaml.startsWith("- ")) {
Set-UDElement -Id "yaml" -Content {
$yaml -replace "^ ", "" -replace "`n ", "`n"
}
}
}
)
# Right arrow button (increase indentation)
New-UDButton -Icon arrow_circle_right -OnClick (
New-UDEndpoint -Endpoint {
$yaml = (Get-UDElement -Id "yaml").Content[0]
Set-UDElement -Id "yaml" -Content {
$yaml -replace "^", " " -replace "`n", "`n "
}
}
)
# Copy Yaml to clipboard
New-UDButton -Text "Copy" -OnClick (
New-UDEndpoint -Endpoint {
$yaml = (Get-UDElement -Id "yaml").Content[0]
Set-UDClipboard -Data $yaml
Show-UDToast -Message "Copied YAML to the Clipboard" -BackgroundColor YellowGreen
}
)
}
}
$epFillTestData = New-UDEndpoint -Endpoint {
Add-UDElement -ParentId "inputCard" -Content { New-InputArgCard }
Add-UDElement -ParentId "depCard" -Content { New-depCard }
Start-Sleep 1
Set-UDElement -Id atomicName -Attributes @{value = "My new atomic" }
Set-UDElement -Id atomicDescription -Attributes @{value = "This is the atomic description" }
Set-UDElement -Id attackCommands -Attributes @{value = "echo this`necho that" }
Set-UDElement -Id cleanupCommands -Attributes @{value = "cleanup commands here`nand here..." }
# InputArgs
$cardNumber = 1
Set-UDElement -Id "InputArgCard$cardNumber-InputArgName" -Attributes @{value = "input_arg_1" }
Set-UDElement -Id "InputArgCard$cardNumber-InputArgDescription" -Attributes @{value = "InputArg1 description" }
Set-UDElement -Id "InputArgCard$cardNumber-InputArgDefault" -Attributes @{value = "this is the default value" }
# dependencies
Set-UDElement -Id "depCard$cardNumber-depDescription" -Attributes @{value = "This file must exist" }
Set-UDElement -Id "depCard$cardNumber-prereqCommand" -Attributes @{value = "if (this) then that" }
Set-UDElement -Id "depCard$cardNumber-getPrereqCommand" -Attributes @{value = "iwr" }
}
############## End EndPoint (ep) Definitions
############## Static Definitions
$supportedPlatforms = New-UDLayout -Columns 4 {
New-UDElement -Tag Label -Attributes @{ style = @{"font-size" = "15px" } } -Content { "Supported Platforms:" }
New-UDCheckbox -FilledIn -Label "Windows" -Checked -Id spWindows
New-UDCheckbox -FilledIn -Label "Linux" -Id spLinux
New-UDCheckbox -FilledIn -Label "macOS"-Id spMacOS
}
$executorRow = New-UDLayout -Columns 4 {
New-UDSelectX 'executorSelector' "Executor for Attack Commands"
New-UDCheckbox -ID elevationRequired -FilledIn -Label "Requires Elevation to Execute Successfully?"
}
$genarateYamlButton = New-UDRow -Columns {
New-UDColumn -Size 8 -Content { }
New-UDColumn -Size 4 -Content {
New-UDButton -Text "Generate Test Definition YAML" -OnClick ( $epYamlModal )
}
}
############## End Static Definitions
############## The Dashboard
$idleTimeOut = New-TimeSpan -Minutes 10080
$db = New-UDDashboard -Title "Atomic Test Creation" -IdleTimeout $idleTimeOut -EndpointInitialization $ei -Content {
New-UDCard -Id "mainCard" -Content {
New-UDCard -Content {
New-UDTextBoxX 'atomicName' "Atomic Test Name"
New-UDTextAreaX "atomicDescription" "Atomic Test Description"
$supportedPlatforms
New-UDTextAreaX "attackCommands" "Attack Commands"
$executorRow
New-UDTextAreaX "cleanupCommands" "Cleanup Commands (Optional)"
$genarateYamlButton
}
# input args
New-UDCard -Id "inputCard" -Endpoint {
New-UDButton -Text "Add Input Argument (Optional)" -OnClick (
New-UDEndpoint -Endpoint { Add-UDElement -ParentId "inputCard" -Content { New-InputArgCard } }
)
}
# prereqs
New-UDCard -Id "depCard" -Endpoint {
New-UDLayout -columns 4 {
New-UDButton -Text "Add Prerequisite (Optional)" -OnClick (
New-UDEndpoint -Endpoint { Add-UDElement -ParentId "depCard" -Content { New-depCard } }
)
New-UDSelectX 'preReqEx' "Executor for Prereq Commands"
}
}
}
# button to fill form with test data for development purposes
if ($false) { New-UDButton -Text "Fill Test Data" -OnClick ( $epFillTestData ) }
}
############## End of the Dashboard
Stop-AtomicGUI
Start-UDDashboard -port $port -Dashboard $db -Name "AtomicGUI" -ListenAddress 127.0.0.1
start-process http://localhost:$port
}
function Stop-AtomicGUI {
Get-UDDashboard -Name 'AtomicGUI' | Stop-UDDashboard
Write-Host "Stopped all AtomicGUI Dashboards"
}
2be6acf6-3d12-4ca6-84eb-d128983fada3C:\AtomicRedTeam\invoke-atomicredteam\Public\Start-AtomicGUI.ps1
410615103150x0708487Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local211d329c-edc6-4f33-909b-ce40f4aa56902b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708486Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local211d329c-edc6-4f33-909b-ce40f4aa56902b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708485Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# The class definitions that these functions rely upon are located in Private\AtomicClassSchema.ps1
function New-AtomicTechnique {
<#
.SYNOPSIS
Specifies a new atomic red team technique. The output of this function is designed to be piped directly to ConvertTo-Yaml, eliminating the need to work with YAML directly.
.PARAMETER AttackTechnique
Specifies one or more MITRE ATT&CK techniques that to which this technique applies. Per MITRE naming convention, an attack technique should start with "T" followed by a 4 digit number. The MITRE sub-technique format is also supported: TNNNN.NNN
.PARAMETER DisplayName
Specifies the name of the technique as defined by ATT&CK. Example: 'Audio Capture'
.PARAMETER AtomicTests
Specifies one or more atomic tests. Atomic tests are created using the New-AtomicTest function.
.EXAMPLE
$InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll'
$InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs'
$AtomicTest1 = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
'@
# Note: the input arguments are identical for atomic test #1 and #2
$AtomicTest2 = New-AtomicTest -Name 'InstallUtil GetHelp method call' -Description 'Executes the Help property' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}
'@
$AtomicTechnique = New-AtomicTechnique -AttackTechnique T1118 -DisplayName InstallUtil -AtomicTests $AtomicTest1, $AtomicTest2
# Everything is ready to convert to YAML now!
$AtomicTechnique | ConvertTo-Yaml | Out-File T1118.yaml
.OUTPUTS
AtomicTechnique
Outputs an object representing an atomic technique.
The output of New-AtomicTechnique is designed to be piped to ConvertTo-Yaml.
#>
[CmdletBinding()]
[OutputType([AtomicTechnique])]
param (
[Parameter(Mandatory)]
[String[]]
$AttackTechnique,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$DisplayName,
[Parameter(Mandatory)]
[AtomicTest[]]
[ValidateNotNull()]
$AtomicTests
)
$AtomicTechniqueInstance = [AtomicTechnique]::new()
foreach ($Technique in $AttackTechnique) {
# Attack techniques should match the MITRE ATT&CK [sub-]technique format.
# This is not a requirement so just warn the user.
if ($Technique -notmatch '^(?-i:T\d{4}(\.\d{3}){0,1})$') {
Write-Warning "The following supplied attack technique does not start with 'T' followed by a four digit number: $Technique"
}
}
$AtomicTechniqueInstance.attack_technique = $AttackTechnique
$AtomicTechniqueInstance.display_name = $DisplayName
$AtomicTechniqueInstance.atomic_tests = $AtomicTests
return $AtomicTechniqueInstance
}
function New-AtomicTest {
<#
.SYNOPSIS
Specifies an atomic test.
.PARAMETER Name
Specifies the name of the test that indicates how it tests the technique.
.PARAMETER Description
Specifies a long form description of the test. Markdown is supported.
.PARAMETER SupportedPlatforms
Specifies the OS/platform on which the test is designed to run. The following platforms are currently supported: Windows, macOS, Linux.
A single test can support multiple platforms.
.PARAMETER ExecutorType
Specifies the the framework or application in which the test should be executed. The following executor types are currently supported: CommandPrompt, Sh, Bash, PowerShell.
- CommandPrompt: The Windows Command Prompt, aka cmd.exe
Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by cmd.exe.
- PowerShell: PowerShell
Requires the -ExecutorCommand argument to contain a multi-line PowerShell scriptblock that will be preprocessed and then executed by powershell.exe
- Sh: Linux's bourne shell
Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by sh.
- Bash: Linux's bourne again shell
Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by bash.
.PARAMETER ExecutorElevationRequired
Specifies that the test must run with elevated privileges.
.PARAMETER ExecutorSteps
Specifies a manual list of steps to execute. This should be specified when the atomic test cannot be executed in an automated fashion, for example when GUI steps are involved that cannot be automated.
.PARAMETER ExecutorCommand
Specifies the command to execute as part of the atomic test. This should be specified when the atomic test can be executed in an automated fashion.
The -ExecutorType specified will dictate the command specified, e.g. PowerShell scriptblock code when the "PowerShell" ExecutorType is specified.
.PARAMETER ExecutorCleanupCommand
Specifies the command to execute if there are any artifacts that need to be cleaned up.
.PARAMETER InputArguments
Specifies one or more input arguments. Input arguments are defined using the New-AtomicTestInputArgument function.
.PARAMETER DependencyExecutorType
Specifies an override execution type for dependencies. By default, dependencies are executed using the framework specified in -ExecutorType.
In most cases, 'PowerShell' is specified as a dependency executor type when 'CommandPrompt' is specified as an executor type.
.PARAMETER Dependencies
Specifies one or more dependencies. Dependencies are defined using the New-AtomicTestDependency function.
.EXAMPLE
$InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll'
$InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs'
$AtomicTest = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments $InputArg1, $InputArg2 -ExecutorType CommandPrompt -ExecutorCommand @'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{filename} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
'@
.OUTPUTS
AtomicTest
Outputs an object representing an atomic test. This object is intended to be supplied to the New-AtomicTechnique -AtomicTests parameter.
The output of New-AtomicTest can be piped to ConvertTo-Yaml. The resulting output can be added to an existing atomic technique YAML doc.
#>
[CmdletBinding(DefaultParameterSetName = 'AutomatedExecutor')]
[OutputType([AtomicTest])]
param (
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Name,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Description,
[Parameter(Mandatory)]
[String[]]
[ValidateSet('Windows', 'macOS', 'Linux')]
$SupportedPlatforms,
[Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')]
[String]
[ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')]
$ExecutorType,
[Switch]
$ExecutorElevationRequired,
[Parameter(Mandatory, ParameterSetName = 'ManualExecutor')]
[String]
[ValidateNotNullOrEmpty()]
$ExecutorSteps,
[Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')]
[String]
[ValidateNotNullOrEmpty()]
$ExecutorCommand,
[String]
[ValidateNotNullOrEmpty()]
$ExecutorCleanupCommand,
[AtomicInputArgument[]]
$InputArguments,
[String]
[ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')]
$DependencyExecutorType,
[AtomicDependency[]]
$Dependencies
)
$AtomicTestInstance = [AtomicTest]::new()
$AtomicTestInstance.name = $Name
$AtomicTestInstance.description = $Description
$AtomicTestInstance.supported_platforms = $SupportedPlatforms | ForEach-Object { $_.ToLower() }
$StringsWithPotentialInputArgs = New-Object -TypeName 'System.Collections.Generic.List`1[String]'
switch ($PSCmdlet.ParameterSetName) {
'AutomatedExecutor' {
$ExecutorInstance = [AtomicExecutorDefault]::new()
$ExecutorInstance.command = $ExecutorCommand
$StringsWithPotentialInputArgs.Add($ExecutorCommand)
}
'ManualExecutor' {
$ExecutorInstance = [AtomicExecutorManual]::new()
$ExecutorInstance.steps = $ExecutorSteps
$StringsWithPotentialInputArgs.Add($ExecutorSteps)
}
}
switch ($ExecutorType) {
'CommandPrompt' { $ExecutorInstance.name = 'command_prompt' }
default { $ExecutorInstance.name = $ExecutorType.ToLower() }
}
if ($ExecutorCleanupCommand) {
$ExecutorInstance.cleanup_command = $ExecutorCleanupCommand
$StringsWithPotentialInputArgs.Add($ExecutorCleanupCommand)
}
if ($ExecutorElevationRequired) { $ExecutorInstance.elevation_required = $True }
if ($Dependencies) {
foreach ($Dependency in $Dependencies) {
$StringsWithPotentialInputArgs.Add($Dependency.description)
$StringsWithPotentialInputArgs.Add($Dependency.prereq_command)
$StringsWithPotentialInputArgs.Add($Dependency.get_prereq_command)
}
}
if ($DependencyExecutorType) {
switch ($DependencyExecutorType) {
'CommandPrompt' { $AtomicTestInstance.dependency_executor_name = 'command_prompt' }
default { $AtomicTestInstance.dependency_executor_name = $DependencyExecutorType.ToLower() }
}
} $AtomicTestInstance.dependencies = $Dependencies
[Hashtable] $InputArgHashtable = @{ }
if ($InputArguments.Count) {
# Determine if any of the input argument names repeat. They must be unique.
$InputArguments | Group-Object -Property Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
Write-Error "There are $($_.Count) instances of the $($_.Name) input argument. Input argument names must be unique."
return
}
# Convert each input argument to a hashtable where the key is the Name property.
foreach ($InputArg in $InputArguments) {
# Create a copy of the passed input argument that doesn't include the "Name" property.
# Passing in a shallow copy adversely affects YAML serialization for some reason.
$NewInputArg = [AtomicInputArgument]::new()
$NewInputArg.default = $InputArg.default
$NewInputArg.description = $InputArg.description
$NewInputArg.type = $InputArg.type
$InputArgHashtable[$InputArg.Name] = $NewInputArg
}
$AtomicTestInstance.input_arguments = $InputArgHashtable
}
# Extract all specified input arguments from executor and any dependencies.
$Regex = [Regex] '#\{(?<ArgName>[^}]+)\}'
[String[]] $InputArgumentNamesFromExecutor = $StringsWithPotentialInputArgs |
ForEach-Object { $Regex.Matches($_) } |
Select-Object -ExpandProperty Groups |
Where-Object { $_.Name -eq 'ArgName' } |
Select-Object -ExpandProperty Value |
Sort-Object -Unique
# Validate that all executor arguments are defined as input arguments
if ($InputArgumentNamesFromExecutor.Count) {
$InputArgumentNamesFromExecutor | ForEach-Object {
if ($InputArgHashtable.Keys -notcontains $_) {
Write-Error "The following input argument was specified but is not defined: '$_'"
return
}
}
}
# Validate that all defined input args are utilized at least once in the executor.
if ($InputArgHashtable.Keys.Count) {
$InputArgHashtable.Keys | ForEach-Object {
if ($InputArgumentNamesFromExecutor -notcontains $_) {
# Write a warning since this scenario is not considered a breaking change
Write-Warning "The following input argument is defined but not utilized: '$_'."
}
}
}
$AtomicTestInstance.executor = $ExecutorInstance
return $AtomicTestInstance
}
function New-AtomicTestDependency {
<#
.SYNOPSIS
Specifies a new dependency that must be met prior to execution of an atomic test.
.PARAMETER Description
Specifies a human-readable description of the dependency. This should be worded in the following form: SOMETHING must SOMETHING
.PARAMETER PrereqCommand
Specifies commands to check if prerequisites for running this test are met.
For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met.
For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
.PARAMETER GetPrereqCommand
Specifies commands to meet this prerequisite or a message describing how to meet this prereq
More specifically, this command is designed to satisfy either of the following conditions:
1) If a prerequisite is not met, perform steps necessary to satify the prerequisite. Such a command should be implemented when prerequisites can be satisfied in an automated fashion.
2) If a prerequisite is not met, inform the user what the steps are to satisfy the prerequisite. Such a message should be presented to the user in the case that prerequisites cannot be satisfied in an automated fashion.
.EXAMPLE
$Dependency = New-AtomicTestDependency -Description 'Folder to zip must exist (#{input_file_folder})' -PrereqCommand 'test -e #{input_file_folder}' -GetPrereqCommand 'echo Please set input_file_folder argument to a folder that exists'
.OUTPUTS
AtomicDependency
Outputs an object representing an atomic test dependency. This object is intended to be supplied to the New-AtomicTest -Dependencies parameter.
Note: due to a bug in PowerShell classes, the get_prereq_command property will not display by default. If all fields must be explicitly displayed, they can be viewed by piping output to "Select-Object description, prereq_command, get_prereq_command".
#>
[CmdletBinding()]
[OutputType([AtomicDependency])]
param (
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Description,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$PrereqCommand,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$GetPrereqCommand
)
$DependencyInstance = [AtomicDependency]::new()
$DependencyInstance.description = $Description
$DependencyInstance.prereq_command = $PrereqCommand
$DependencyInstance.get_prereq_command = $GetPrereqCommand
return $DependencyInstance
}
function New-AtomicTestInputArgument {
<#
.SYNOPSIS
Specifies an input to an atomic test that is a requirement to run the test (think of these like function arguments).
.PARAMETER Name
Specifies the name of the input argument. This must be lowercase and can optionally, have underscores. The input argument name is what is specified as arguments within executors and dependencies.
.PARAMETER Description
Specifies a human-readable description of the input argument.
.PARAMETER Type
Specifies the data type of the input argument. The following data types are supported: Path, Url, String, Integer, Float. If an alternative data type must be supported, use the -TypeOverride parameter.
.PARAMETER TypeOverride
Specifies an unsupported input argument data type. Specifying this parameter should not be common.
.PARAMETER Default
Specifies a default value for an input argument if one is not specified via the Invoke-AtomicTest -InputArgs parameter.
.EXAMPLE
$AtomicInputArgument = New-AtomicTestInputArgument -Name 'rar_exe' -Type Path -Description 'The RAR executable from Winrar' -Default '%programfiles%\WinRAR\Rar.exe'
.OUTPUTS
AtomicInputArgument
Outputs an object representing an atomic test input argument. This object is intended to be supplied to the New-AtomicTest -InputArguments parameter.
#>
[CmdletBinding(DefaultParameterSetName = 'PredefinedType')]
[OutputType([AtomicInputArgument])]
param (
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Name,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Description,
[Parameter(Mandatory, ParameterSetName = 'PredefinedType')]
[String]
[ValidateSet('Path', 'Url', 'String', 'Integer', 'Float')]
$Type,
[Parameter(Mandatory, ParameterSetName = 'TypeOverride')]
[String]
[ValidateNotNullOrEmpty()]
$TypeOverride,
[Parameter(Mandatory)]
[String]
[ValidateNotNullOrEmpty()]
$Default
)
if ($Name -notmatch '^(?-i:[0-9a-z_]+)$') {
Write-Error "Input argument names must be lowercase and optionally, contain underscores. Input argument name supplied: $Name"
return
}
$AtomicInputArgInstance = [AtomicInputArgument]::new()
$AtomicInputArgInstance.description = $Description
$AtomicInputArgInstance.default = $Default
if ($Type) {
$AtomicInputArgInstance.type = $Type
# Validate input argument types when it makes sense to do so.
switch ($Type) {
'Url' {
if (-not [Uri]::IsWellFormedUriString($Type, [UriKind]::RelativeOrAbsolute)) {
Write-Warning "The specified Url is not properly formatted: $Type"
}
}
'Integer' {
if (-not [Int]::TryParse($Type, [Ref] $null)) {
Write-Warning "The specified Int is not properly formatted: $Type"
}
}
'Float' {
if (-not [Double]::TryParse($Type, [Ref] $null)) {
Write-Warning "The specified Float is not properly formatted: $Type"
}
}
# The following supported data types do not make sense to validate:
# 'Path' { }
# 'String' { }
}
}
else {
$AtomicInputArgInstance.type = $TypeOverride
}
# Add Name as a note property since the Name property cannot be defined in the AtomicInputArgument
# since it must be stored as a hashtable where the name is the key. Fortunately, ConvertTo-Yaml
# won't convert note properties during serialization.
$InputArgument = Add-Member -InputObject $AtomicInputArgInstance -MemberType NoteProperty -Name Name -Value $Name -PassThru
return $InputArgument
}
211d329c-edc6-4f33-909b-ce40f4aa5690C:\AtomicRedTeam\invoke-atomicredteam\Public\New-Atomic.ps1
410615103150x0708484Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6286ab8a-bdac-4979-8d03-db484ef8daa72b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708483Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6286ab8a-bdac-4979-8d03-db484ef8daa72b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708482Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-WebRequestVerifyHash ($url, $outfile, $hash) {
$success = $false
$null = @(
New-Item -ItemType Directory (Split-Path $outfile) -Force | Out-Null
$ms = New-Object IO.MemoryStream
[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12)
(New-Object System.Net.WebClient).OpenRead($url).copyto($ms)
$ms.seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
$actualHash = (Get-FileHash -InputStream $ms).Hash
if ( $hash -eq $actualHash) {
$ms.seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
$fileStream = New-Object IO.FileStream $outfile, ([System.IO.FileMode]::Create)
$ms.CopyTo($fileStream);
$fileStream.Close()
$success = $true
}
else {
Write-Host -ForegroundColor red "File hash mismatch, expected: $hash, actual: $actualHash"
}
)
$success
}
6286ab8a-bdac-4979-8d03-db484ef8daa7C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-WebRequestVerifyHash.ps1
410615103150x0708481Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local636ad392-c610-47be-942b-1be5cc09afd62b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708480Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local636ad392-c610-47be-942b-1be5cc09afd62b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708479Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-SetupAtomicRunner {
# ensure running with admin privs
if ($artConfig.OS -eq "windows") {
# auto-elevate on Windows
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if ($testadmin -eq $false) {
Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
exit $LASTEXITCODE
}
}
else {
# linux and macos check - doesn't auto-elevate
if ((id -u) -ne 0 ) {
Throw "You must run the Invoke-SetupAtomicRunner script as root"
exit
}
}
if ($artConfig.basehostname.length -gt 15) { Throw "The hostname for this machine (minus the GUID) must be 15 characters or less. Please rename this computer." }
#create AtomicRunner-Logs directories if they don't exist
New-Item -ItemType Directory $artConfig.atomicLogsPath -ErrorAction Ignore
New-Item -ItemType Directory $artConfig.runnerFolder -ErrorAction Ignore
if ($artConfig.gmsaAccount) {
Start-Service WinRM
$path = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\RenameRunner\RoleCapabilities"
New-Item -ItemType Directory $path -ErrorAction Ignore
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -GroupManagedServiceAccount $artConfig.gmsaAccount -RoleDefinitions @{ "$($artConfig.user)" = @{ 'RoleCapabilities' = 'RenameRunner' } } -path "$env:Temp\RenameRunner.pssc"
New-PSRoleCapabilityFile -VisibleCmdlets @{ 'Name' = 'Rename-Computer'; 'Parameters' = @{ 'Name' = 'NewName'; 'ValidatePattern' = 'ATOMICSOC.*' }, @{ 'Name' = 'Force' }, @{ 'Name' = 'restart' } } -path "$path\RenameRunner.psrc"
$null = Register-PSSessionConfiguration -name "RenameRunnerEndpoint" -path "$env:Temp\RenameRunner.pssc" -force
Add-LocalGroupMember "administrators" "$($artConfig.gmsaAccount)$" -ErrorAction Ignore
# Make sure WinRM is enabled and set to Automic start (not delayed)
Set-ItemProperty hklm:\\SYSTEM\CurrentControlSet\Services\WinRM -Name Start -Value 2
Set-ItemProperty hklm:\\SYSTEM\CurrentControlSet\Services\WinRM -Name DelayedAutostart -Value 0 # default is delayed start and that is too slow given our 1 minute delay on our kickoff task
# this registry key must be set to zero for things to work get-itemproperty hklm:\Software\Policies\Microsoft\Windows\WinRM\Service\
$hklmKey = (get-itemproperty hklm:\Software\Policies\Microsoft\Windows\WinRM\Service -name DisableRunAs -ErrorAction ignore).DisableRunAs
$hkcuKey = (get-itemproperty hkcu:\Software\Policies\Microsoft\Windows\WinRM\Service -name DisableRunAs -ErrorAction ignore).DisableRunAs
if ((1 -eq $hklmKey) -or (1 -eq $hkcuKey)) { Write-Host -ForegroundColor Red "DisableRunAs registry Key will not allow use of the JEA endpoint with a gmsa account" }
if ((Get-ItemProperty hklm:\System\CurrentControlSet\Control\Lsa\ -name DisableDomainCreds).DisableDomainCreds) { Write-Host -ForegroundColor Red "Do not allow storage of passwords and credentials for network authentication must be disabled" }
}
if ($artConfig.OS -eq "windows") {
if (Test-Path $artConfig.credFile) {
Write-Host "Credential File $($artConfig.credFile) already exists, not prompting for creation of a new one."
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $artConfig.user, (Get-Content $artConfig.credFile | ConvertTo-SecureString)
}
else {
# create credential file for the user since we aren't using a group managed service account
$cred = Get-Credential -UserName $artConfig.user -message "Enter password for $($artConfig.user) in order to create the runner scheduled task"
$cred.Password | ConvertFrom-SecureString | Out-File $artConfig.credFile
}
# setup scheduled task that will start the runner after each restart
# local security policy --> Local Policies --> Security Options --> Network access: Do not allow storage of passwords and credentials for network authentication must be disabled
$taskName = "KickOff-AtomicRunner"
Unregister-ScheduledTask $taskName -confirm:$false -ErrorAction Ignore
# Windows scheduled task includes a 20 minutes sleep then restart if the call to Invoke-KickoffAtomicRunner fails
# this occurs occassionally when Windows has issues logging into the runner user's account and logs in as a TEMP user
$taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-exec bypass -Command Invoke-KickoffAtomicRunner; Start-Sleep 1200; Restart-Computer -Force"
$taskPrincipal = New-ScheduledTaskPrincipal -UserId $artConfig.user
$delays = @(1, 2, 4, 8, 16, 32, 64) # using multiple triggers as a retry mechanism because the built-in retry mechanism doesn't work when the computer renaming causes AD replication delays
$triggers = @()
foreach ($delay in $delays) {
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = "PT$delay`M"
$triggers += $trigger
}
$task = New-ScheduledTask -Action $taskAction -Principal $taskPrincipal -Trigger $triggers -Description "A task that runs 1 minute or later after boot to start the atomic test runner script"
try {
$null = Register-ScheduledTask -TaskName $taskName -InputObject $task -User $artConfig.user -Password $($cred.GetNetworkCredential().password) -ErrorAction Stop
}
catch {
if ($_.CategoryInfo.Category -eq "AuthenticationError") {
# remove the credential file if the password didn't work
Write-Error "The credentials you entered are incorrect. Please run the setup script again and double check the username and password."
Remove-Item $artConfig.credFile
}
else {
Throw $_
}
}
}
else {
# sets cronjob string using basepath from config.ps1
$pwshPath = which pwsh
$job = "@reboot root sleep 60;$pwshPath -Command Invoke-KickoffAtomicRunner"
$exists = cat /etc/crontab | Select-String -Quiet "KickoffAtomicRunner"
#checks if the Kickoff-AtomicRunner job exists. If not appends it to the system crontab.
if ($null -eq $exists) {
$(Write-Output "$job" >> /etc/crontab)
write-host "setting cronjob"
}
else {
write-host "cronjob already exists"
}
}
# Add Import-Module statement to the PowerShell profile
$root = Split-Path $PSScriptRoot -Parent
$pathToPSD1 = Join-Path $root "Invoke-AtomicRedTeam.psd1"
$importStatement = "Import-Module ""$pathToPSD1"" -Force"
New-Item $PROFILE -ErrorAction Ignore
$profileContent = Get-Content $profile
$line = $profileContent | Select-String ".*import-module.*invoke-atomicredTeam.psd1" | Select-Object -ExpandProperty Line
if ($line) {
$profileContent | ForEach-Object { $_.replace( $line, "$importStatement") } | Set-Content $profile
}
else {
Add-Content $profile $importStatement
}
# Install the Posh-SYLOG module if we are configured to use it and it is not already installed
if ((-not (Get-Module -ListAvailable "Posh-SYSLOG")) -and [bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort) {
write-verbose "Posh-SYSLOG"
Install-Module -Name Posh-SYSLOG -Scope CurrentUser -Force
}
# create the CSV schedule of atomics to run if it doesn't exist
if (-not (Test-Path $artConfig.scheduleFile)) {
Invoke-GenerateNewSchedule
}
$schedule = Get-Schedule
if ($null -eq $schedule) {
Write-Host -ForegroundColor Yellow "There are no tests enabled on the schedule, set the 'Enabled' column to 'True' for the atomic test that you want to run. The schedule file is found here: $($artConfig.scheduleFile)"
Write-Host -ForegroundColor Yellow "Rerun this setup script after updating the schedule"
}
else {
# Get the prereqs for all of the tests on the schedule
Invoke-AtomicRunner -GetPrereqs
}
}
636ad392-c610-47be-942b-1be5cc09afd6C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-SetupAtomicRunner.ps1
410615103150x0708478Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708477Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708476Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local994e1dfa-fe05-4345-a6fe-e46779aaf9bf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708475Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local994e1dfa-fe05-4345-a6fe-e46779aaf9bf2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708474Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-KickoffAtomicRunner {
#log rotation function
function Rotate-Log {
Param ($logPath, $max_filesize, $max_age)
$datetime = Get-Date -uformat "%Y-%m-%d-%H%M"
$log = Get-Item $logPath
if ($log.Length / 1MB -ge $max_filesize) {
Write-Host "file named $($log.name) is bigger than $max_filesize MB"
$newname = "$($log.Name)_${datetime}.arclog"
Rename-Item $log.PSPath $newname
Write-Host "Done rotating file"
}
$logdir_content = Get-ChildItem $artConfig.atomicLogsPath -filter "*.arclog"
$cutoff_date = (get-date).AddDays($max_age)
$logdir_content | ForEach-Object {
if ($_.LastWriteTime -gt $cutoff_date) {
Remove-Item $_
Write-Host "Removed $($_.PSPath)"
}
}
}
#Create log files as needed
$all_log_file = Join-Path $artConfig.atomicLogsPath "all-out-$($artConfig.basehostname).txt"
New-Item $all_log_file -ItemType file -ErrorAction Ignore
New-Item $artConfig.logFile -ItemType File -ErrorAction Ignore
#Rotate logs based on FileSize and Date max_filesize
$max_filesize = 200 #in MB
$max_file_age = 30 #in days
Rotate-Log $all_log_file $max_filesize $max_file_age
Rotate-Log $artConfig.logFile $max_filesize $max_file_age #no need to repeat this. Can reduce further.
# Optional additional delay before starting
Start-Sleep $artConfig.kickOffDelay.TotalSeconds
if ($artConfig.debug) { Invoke-AtomicRunner *>> $all_log_file } else { Invoke-AtomicRunner }
}
function LogRunnerMsg ($message) {
$now = "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
Write-Host -fore cyan $message
Add-Content $artConfig.logFile "$now`: $message"
}
994e1dfa-fe05-4345-a6fe-e46779aaf9bfC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-KickoffAtomicRunner.ps1
410615103150x0708473Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local68f7d6e8-6dfe-4d06-b726-910f635d2ab12b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708472Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local68f7d6e8-6dfe-4d06-b726-910f635d2ab12b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708471Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Invoke-FetchFromZip {
Param(
[Parameter(Mandatory = $true, Position = 0)]
[String]
$zipUrl,
[Parameter(Mandatory = $true, Position = 1)]
[String]
$targetFilter, # files that match this filter will be copied to the destinationPath, retaining their folder path from the zip
[Parameter(Mandatory = $true, Position = 2)]
[String]
$destinationPath
)
# load ZIP methods
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.Reflection.Assembly]::LoadWithPartialName('System.IO.Compression') | Out-Null
# read zip archive into memory
$ms = New-Object IO.MemoryStream
[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12)
(New-Object System.Net.WebClient).OpenRead($zipUrl).copyto($ms)
$Zip = New-Object System.IO.Compression.ZipArchive($ms)
# ensure the output folder exists
$parent = split-path $destinationPath
$exists = Test-Path -Path $parent
if ($exists -eq $false) {
$null = New-Item -Path $destinationPath -ItemType Directory -Force
}
# find all files in ZIP that match the filter (i.e. file extension)
$zip.Entries |
Where-Object {
($_.FullName -like $targetFilter)
} |
ForEach-Object {
# extract the selected items from the ZIP archive
# and copy them to the out folder
$dstDir = Join-Path $destinationPath ($_.FullName | split-path | split-path -Leaf)
New-Item -ItemType Directory -Force -Path $dstDir | Out-Null
[System.IO.Compression.ZipFileExtensions]::ExtractToFile($_, (Join-Path $dstDir $_.Name), $true)
}
$zip.Dispose()
}
68f7d6e8-6dfe-4d06-b726-910f635d2ab1C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-FetchFromZip.ps1
410615103150x0708470Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald1c3f0cf-ced9-4b25-a415-135e73441fbe2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708469Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locald1c3f0cf-ced9-4b25-a415-135e73441fbe2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708468Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local22ecutionPlatform -eq "windows" -and ($test.executor.name -eq "sh" -or $test.executor.name -eq "bash")) {
Write-Verbose -Message "Unable to run sh or bash on $executionPlatform"
continue
}
if ( ("linux", "macos") -contains $executionPlatform -and $test.executor.name -eq "command_prompt") {
Write-Verbose -Message "Unable to run cmd.exe on $executionPlatform"
continue
}
}
if ($null -ne $TestNumbers) {
if (-Not ($TestNumbers -contains $testCount) ) { continue }
}
if ($null -ne $TestNames) {
if (-Not ($TestNames -contains $test.name) ) { continue }
}
if ($null -ne $TestGuids) {
if (-Not ($TestGuids -contains $test.auto_generated_guid) ) { continue }
}
$props = @{
Activity = 'Running Atomic Tests'
Status = 'Progress:'
PercentComplete = ($testCount / ($technique.atomic_tests).Count * 100)
}
Write-Progress @props
Write-Verbose -Message 'Determining manual tests'
if ($test.executor.name.Contains('manual')) {
Write-Verbose -Message 'Unable to run manual tests'
continue
}
$numAtomicsApplicableToPlatform++
$testId = "$AT-$testCount $($test.name)"
if ($ShowDetailsBrief) {
Write-KeyValue $testId
continue
}
if ($PromptForInputArgs) {
$InputArgs = Invoke-PromptForInputArgs $test.input_arguments
}
if ($ShowDetails) {
Show-Details $test $testCount $technique $InputArgs $PathToPayloads
continue
}
Write-Debug -Message 'Gathering final Atomic test command'
if ($CheckPrereqs) {
Write-KeyValue "CheckPrereq's for: " $testId
$failureReasons = Invoke-CheckPrereqs $test $isElevated $executionPlatform $InputArgs $PathToPayloads $TimeoutSeconds $session
Write-PrereqResults $FailureReasons $testId
}
elseif ($GetPrereqs) {
if ($(Test-IncludesTerraform $AT $testCount)) {
Build-TFVars $AT $testCount $InputArgs
}
Write-KeyValue "GetPrereq's for: " $testId
if ( $test.executor.elevation_required -and -not $isElevated) {
Write-Host -ForegroundColor Red "Elevation required but not provided"
}
if ($nul -eq $test.dependencies) { Write-KeyValue "No Preqs Defined"; continue }
foreach ($dep in $test.dependencies) {
$executor = Get-PrereqExecutor $test
$description = (Merge-InputArgs $dep.description $test $InputArgs $PathToPayloads).trim()
Write-KeyValue "Attempting to satisfy prereq: " $description
$final_command_prereq = Merge-InputArgs $dep.prereq_command $test $InputArgs $PathToPayloads
if ($executor -ne "powershell") { $final_command_prereq = ($final_command_prereq.trim()).Replace("`n", " && ") }
$final_command_get_prereq = Merge-InputArgs $dep.get_prereq_command $test $InputArgs $PathToPayloads
$res = Invoke-ExecuteCommand $final_command_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$true
if ($res.ExitCode -eq 0) {
Write-KeyValue "Prereq already met: " $description
}
else {
$res = Invoke-ExecuteCommand $final_command_get_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive
$res = Invoke-ExecuteCommand $final_command_prereq $executor $executionPlatform $TimeoutSeconds $session -Interactive:$true
if ($res.ExitCode -eq 0) {
Write-KeyValue "Prereq successfully met: " $description
}
else {
Write-Host -ForegroundColor Red "Failed to meet prereq: $description"
}
}
}
}
elseif ($Cleanup) {
Write-KeyValue "Executing cleanup for test: " $testId
$final_command = Merge-InputArgs $test.executor.cleanup_command $test $InputArgs $PathToPayloads
if (Get-Command 'Invoke-ARTPreAtomicCleanupHook' -errorAction SilentlyContinue) { Invoke-ARTPreAtomicCleanupHook $test $InputArgs }
$res = Invoke-ExecuteCommand $final_command $test.executor.name $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive
Write-KeyValue "Done executing cleanup for test: " $testId
if (Get-Command 'Invoke-ARTPostAtomicCleanupHook' -errorAction SilentlyContinue) { Invoke-ARTPostAtomicCleanupHook $test $InputArgs }
if ($(Test-IncludesTerraform $AT $testCount)) {
Remove-TerraformFiles $AT $testCount
}
}
else {
Write-KeyValue "Executing test: " $testId
$startTime = Get-Date
$final_command = Merge-InputArgs $test.executor.command $test $InputArgs $PathToPayloads
if (Get-Command 'Invoke-ARTPreAtomicHook' -errorAction SilentlyContinue) { Invoke-ARTPreAtomicHook $test $InputArgs }
$res = Invoke-ExecuteCommand $final_command $test.executor.name $executionPlatform $TimeoutSeconds $session -Interactive:$Interactive
Write-Host "Exit code: $($res.ExitCode)"
if (Get-Command 'Invoke-ARTPostAtomicHook' -errorAction SilentlyContinue) { Invoke-ARTPostAtomicHook $test $InputArgs }
$stopTime = Get-Date
if ($isLoggingModuleSet) {
&"$LoggingModule\Write-ExecutionLog" $startTime $stopTime $AT $testCount $test.name $test.auto_generated_guid $test.executor.name $test.description $final_command $ExecutionLogPath $executionHostname $executionUser $res (-Not($IsLinux -or $IsMacOS))
}
Write-KeyValue "Done executing test: " $testId
}
} # End of foreach Test in single Atomic Technique
} # End of foreach Technique in Atomic Tests
if ($numAtomicsApplicableToPlatform -eq 0) {
Write-Host -ForegroundColor Yellow "Found $numAtomicsApplicableToPlatform atomic tests applicable to $executionPlatform platform for Technique $techniqueString"
}
} # End of Invoke-AtomicTestSingle function
if ($AtomicTechnique -eq "All") {
function Invoke-AllTests() {
$AllAtomicTests = New-Object System.Collections.ArrayList
Get-ChildItem $PathToAtomicsFolder -Directory -Filter T* | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileName($_.FullName)
if ( $currentTechnique -match "T[0-9]{4}.?([0-9]{3})?" ) { $AllAtomicTests.Add($currentTechnique) | Out-Null }
}
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTestSingle $_ }
}
if ( ($Force -or $CheckPrereqs -or $ShowDetails -or $ShowDetailsBrief -or $GetPrereqs) -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?',
"Highway to the danger zone, Executing All Atomic Tests!" ) ) {
Invoke-AllTests
}
}
else {
Invoke-AtomicTestSingle $AtomicTechnique
}
if ($isLoggingModuleSet) {
&"$LoggingModule\Stop-ExecutionLog" $startTime $ExecutionLogPath $executionHostname $executionUser (-Not($IsLinux -or $IsMacOS))
}
} # End of PROCESS block
END { } # Intentionally left blank and can be removed
}
d1c3f0cf-ced9-4b25-a415-135e73441fbeC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicTest.ps1
4104152150x0708467Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local12function Invoke-AtomicTest {
[CmdletBinding(DefaultParameterSetName = 'technique',
SupportsShouldProcess = $true,
PositionalBinding = $false,
ConfirmImpact = 'Medium')]
Param(
[Parameter(Mandatory = $true,
Position = 0,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[ValidateNotNullOrEmpty()]
[String[]]
$AtomicTechnique,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$ShowDetails,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$ShowDetailsBrief,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$anyOS,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String[]]
$TestNumbers,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String[]]
$TestNames,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String[]]
$TestGuids,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String]
$PathToAtomicsFolder = $( if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam/atomics" } else { $env:HOMEDRIVE + "\AtomicRedTeam\atomics" }),
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$CheckPrereqs = $false,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$PromptForInputArgs = $false,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$GetPrereqs = $false,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$Cleanup = $false,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[switch]
$NoExecutionLog = $false,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String]
$ExecutionLogPath = $( if ($IsLinux -or $IsMacOS) { "/tmp/Invoke-AtomicTest-ExecutionLog.csv" } else { "$env:TEMP\Invoke-AtomicTest-ExecutionLog.csv" }),
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[switch]
$Force,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[HashTable]
$InputArgs,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[Int]
$TimeoutSeconds = 120,
[Parameter(Mandatory = $false, ParameterSetName = 'technique')]
[System.Management.Automation.Runspaces.PSSession[]]$Session,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$Interactive = $false,
[Parameter(Mandatory = $false,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$KeepStdOutStdErrFiles = $false,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[String]
$LoggingModule,
[Parameter(Mandatory = $false,
ParameterSetName = 'technique')]
[switch]
$SupressPathToAtomicsFolder = $false
)
BEGIN { } # Intentionally left blank and can be removed
PROCESS {
$PathToAtomicsFolder = (Resolve-Path $PathToAtomicsFolder).Path
Write-Verbose -Message 'Attempting to run Atomic Techniques'
if (-not $supressPathToAtomicsFolder) { Write-Host -ForegroundColor Cyan "PathToAtomicsFolder = $PathToAtomicsFolder`n" }
$executionPlatform, $isElevated, $tmpDir, $executionHostname, $executionUser = Get-TargetInfo $Session
$PathToPayloads = if ($Session) { "$tmpDir`AtomicRedTeam" } else { $PathToAtomicsFolder }
# Since there might a comma(T1559-1,2,3) Powershell takes it as array.
# So converting it back to string.
if ($AtomicTechnique -is [array]) {
$AtomicTechnique = $AtomicTechnique -join ","
}
# Splitting Atomic Technique short form into technique and test numbers.
$AtomicTechniqueParams = ($AtomicTechnique -split '-')
$AtomicTechnique = $AtomicTechniqueParams[0]
if ($AtomicTechniqueParams.Length -gt 1) {
$ShortTestNumbers = $AtomicTechniqueParams[-1]
}
if ($null -eq $TestNumbers -and $null -ne $ShortTestNumbers) {
$TestNumbers = $ShortTestNumbers -split ','
}
$isLoggingModuleSet = $false
if (-not $NoExecutionLog) {
$isLoggingModuleSet = $true
if (-not $PSBoundParameters.ContainsKey('LoggingModule')) {
# no logging module explicitly set
# syslog logger
$syslogOptionsSet = [bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort
if ( $artConfig.LoggingModule -eq "Syslog-ExecutionLogger" -or (($artConfig.LoggingModule -eq '') -and $syslogOptionsSet) ) {
if ($syslogOptionsSet) {
$LoggingModule = "Syslog-ExecutionLogger"
}
else {
Write-Host -Fore Yellow "Config.ps1 specified: Syslog-ExecutionLogger, but the syslogServer and syslogPort must be specified. Using the default logger instead"
$LoggingModule = "Default-ExecutionLogger"
}
}
elseif (-not [bool]$artConfig.LoggingModule) {
# loggingModule is blank (not set), so use the default logger
$LoggingModule = "Default-ExecutionLogger"
}
else {
$LoggingModule = $artConfig.LoggingModule
}
}
}
if ($isLoggingModuleSet) {
if (Get-Module -name $LoggingModule) {
Write-Verbose "Using Logger: $LoggingModule"
}
else {
Write-Host -Fore Yellow "Logger not found: ", $LoggingModule
}
# Change the defult logFile extension from csv to json and add a timestamp if using the Attire-ExecutionLogger
if ($LoggingModule -eq "Attire-ExecutionLogger") { $ExecutionLogPath = $ExecutionLogPath.Replace("Invoke-AtomicTest-ExecutionLog.csv", "Invoke-AtomicTest-ExecutionLog-timestamp.json") }
$ExecutionLogPath = $ExecutionLogPath.Replace("timestamp", $(Get-Date -UFormat %s))
if (Get-Command "$LoggingModule\Start-ExecutionLog" -erroraction silentlycontinue) {
if (Get-Command "$LoggingModule\Write-ExecutionLog" -erroraction silentlycontinue) {
if (Get-Command "$LoggingModule\Stop-ExecutionLog" -erroraction silentlycontinue) {
Write-Verbose "All logging commands found"
}
else {
Write-Host "Stop-ExecutionLog not found or loaded from the wrong module"
return
}
}
else {
Write-Host "Write-ExecutionLog not found or loaded from the wrong module"
return
}
}
else {
Write-Host "Start-ExecutionLog not found or loaded from the wrong module"
return
}
# Here we're rebuilding an equivalent command line to put in the logs
$commandLine = "Invoke-AtomicTest $AtomicTechnique"
if ($ShowDetails -ne $false) {
$commandLine = "$commandLine -ShowDetails $ShowDetails"
}
if ($ShowDetailsBrief -ne $false) {
$commandLine = "$commandLine -ShowDetailsBrief $ShowDetailsBrief"
}
if ($null -ne $TestNumbers) {
$commandLine = "$commandLine -TestNumbers $TestNumbers"
}
if ($null -ne $TestNames) {
$commandLine = "$commandLine -TestNames $TestNames"
}
if ($null -ne $TestGuids) {
$commandLine = "$commandLine -TestGuids $TestGuids"
}
$commandLine = "$commandLine -PathToAtomicsFolder $PathToAtomicsFolder"
if ($CheckPrereqs -ne $false) {
$commandLine = "$commandLine -CheckPrereqs $CheckPrereqs"
}
if ($PromptForInputArgs -ne $false) {
$commandLine = "$commandLine -PromptForInputArgs $PromptForInputArgs"
}
if ($GetPrereqs -ne $false) {
$commandLine = "$commandLine -GetPrereqs $GetPrereqs"
}
if ($Cleanup -ne $false) {
$commandLine = "$commandLine -Cleanup $Cleanup"
}
if ($NoExecutionLog -ne $false) {
$commandLine = "$commandLine -NoExecutionLog $NoExecutionLog"
}
$commandLine = "$commandLine -ExecutionLogPath $ExecutionLogPath"
if ($Force -ne $false) {
$commandLine = "$commandLine -Force $Force"
}
if ($InputArgs -ne $null) {
$commandLine = "$commandLine -InputArgs $InputArgs"
}
$commandLine = "$commandLine -TimeoutSeconds $TimeoutSeconds"
if ($PSBoundParameters.ContainsKey('Session')) {
if ( $null -eq $Session ) {
Write-Error "The provided session is null and cannot be used."
continue
}
else {
$commandLine = "$commandLine -Session $Session"
}
}
if ($Interactive -ne $false) {
$commandLine = "$commandLine -Interactive $Interactive"
}
if ($KeepStdOutStdErrFiles -ne $false) {
$commandLine = "$commandLine -KeepStdOutStdErrFiles $KeepStdOutStdErrFiles"
}
if ($null -ne $LoggingModule) {
$commandLine = "$commandLine -LoggingModule $LoggingModule"
}
$startTime = Get-Date
&"$LoggingModule\Start-ExecutionLog" $startTime $ExecutionLogPath $executionHostname $executionUser $commandLine (-Not($IsLinux -or $IsMacOS))
}
function Platform-IncludesCloud {
$cloud = ('office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp')
foreach ($platform in $test.supported_platforms) {
if ($cloud -contains $platform) {
return $true
}
}
return $false
}
function Test-IncludesTerraform($AT, $testCount) {
$AT = $AT.ToUpper()
$pathToTerraform = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount\$AT-$testCount.tf"
$cloud = ('iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp')
foreach ($platform in $test.supported_platforms) {
if ($cloud -contains $platform) {
return $(Test-Path -Path $pathToTerraform)
}
}
return $false
}
function Build-TFVars($AT, $testCount, $InputArgs) {
$tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount"
if ($InputArgs) {
$destinationVarsPath = Join-Path "$tmpDirPath" "terraform.tfvars.json"
$InputArgs | ConvertTo-Json | Out-File -FilePath $destinationVarsPath
}
}
function Remove-TerraformFiles($AT, $testCount) {
$tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount"
Write-Host $tmpDirPath
$tfStateFile = Join-Path $tmpDirPath "terraform.tfstate"
$tfvarsFile = Join-Path $tmpDirPath "terraform.tfvars.json"
if ($(Test-Path $tfvarsFile)) {
Remove-Item -LiteralPath $tfvarsFile -Force
}
if ($(Test-Path $tfStateFile)) {
(Get-ChildItem -Path $tmpDirPath).Fullname -match "terraform.tfstate*" | Remove-Item -Force
}
}
function Invoke-AtomicTestSingle ($AT) {
$AT = $AT.ToUpper()
$pathToYaml = Join-Path $PathToAtomicsFolder "\$AT\$AT.yaml"
if (Test-Path -Path $pathToYaml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml }
else {
Write-Host -Fore Red "ERROR: $PathToYaml does not exist`nCheck your Atomic Number and your PathToAtomicsFolder parameter"
return
}
$techniqueCount = 0
$numAtomicsApplicableToPlatform = 0
$techniqueString = ""
foreach ($technique in $AtomicTechniqueHash) {
$techniqueString = $technique.attack_technique[0]
$techniqueCount++
$props = @{
Activity = "Running $($technique.display_name.ToString()) Technique"
Status = 'Progress:'
PercentComplete = ($techniqueCount / ($AtomicTechniqueHash).Count * 100)
}
Write-Progress @props
Write-Debug -Message "Gathering tests for Technique $technique"
$testCount = 0
foreach ($test in $technique.atomic_tests) {
Write-Verbose -Message 'Determining tests for target platform'
$testCount++
if (-not $anyOS) {
if ( -not $(Platform-IncludesCloud) -and -Not $test.supported_platforms.Contains($executionPlatform) ) {
Write-Verbose -Message "Unable to run non-$executionPlatform tests"
continue
}
if ( $exd1c3f0cf-ced9-4b25-a415-135e73441fbeC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicTest.ps1
410615103150x0708466Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6030dc82-3f3f-4a81-8bdb-f280f4bc004a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708465Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708464Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfb40bc82-a043-4c8b-aa93-a1bc6712532f2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708463Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Loop through all atomic yaml files to load into list of objects
function Loop($fileList, $atomicType) {
$AllAtomicTests = New-Object System.Collections.ArrayList
$fileList | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
if ( $currentTechnique -ne "index" ) {
$technique = Get-AtomicTechnique -Path $_.FullName
if ($technique) {
$technique.atomic_tests | ForEach-Object -Process {
$test = New-Object -TypeName psobject
$test | Add-Member -MemberType NoteProperty -Name Order -Value $null
$test | Add-Member -MemberType NoteProperty -Name Technique -Value ($technique.attack_technique -join "|")
$test | Add-Member -MemberType NoteProperty -Name TestName -Value $_.name
$test | Add-Member -MemberType NoteProperty -Name auto_generated_guid -Value $_.auto_generated_guid
$test | Add-Member -MemberType NoteProperty -Name supported_platforms -Value ($_.supported_platforms -join "|")
$test | Add-Member -MemberType NoteProperty -Name TimeoutSeconds -Value 120
$test | Add-Member -MemberType NoteProperty -Name InputArgs -Value ""
$test | Add-Member -MemberType NoteProperty -Name AtomicsFolder -Value $atomicType
$test | Add-Member -MemberType NoteProperty -Name enabled -Value $false
$test | Add-Member -MemberType NoteProperty -Name notes -Value ""
# Added dummy variable to grab the index values returned by appending to an arraylist so they don't get written to the screen
$dummy = $AllAtomicTests.Add(($test))
}
}
}
}
return $AllAtomicTests
}
function Get-NewSchedule() {
if (Test-Path $artConfig.PathToPublicAtomicsFolder) {
$publicAtomicFiles = Get-ChildItem $artConfig.PathToPublicAtomicsFolder -Recurse -Exclude Indexes -Filter T*.yaml -File
$publicAtomics = Loop $publicAtomicFiles "Public"
}
else {
Write-Host -ForegroundColor Yellow "Public Atomics Folder not Found $($artConfig.PathToPublicAtomicsFolder)"
}
if (Test-Path $artConfig.PathToPrivateAtomicsFolder) {
$privateAtomicFiles = Get-ChildItem $artConfig.PathToPrivateAtomicsFolder -Recurse -Exclude Indexes -Filter T*.yaml -File
$privateAtomics = Loop $privateAtomicFiles "Private"
}
else {
Write-Verbose "Private Atomics Folder not Found $($artConfig.PathToPrivateAtomicsFolder)"
}
$AllAtomicTests = New-Object System.Collections.ArrayList
try { $AllAtomicTests.AddRange($publicAtomics) }catch {}
try { $AllAtomicTests.AddRange($privateAtomics) }catch {}
return $AllAtomicTests
}
function Get-ScheduleRefresh() {
$AllAtomicTests = Get-NewSchedule
$schedule = Get-Schedule $null $false # get schedule, including inactive (ie not filtered)
# Creating new schedule object for updating changes in atomics
$newSchedule = New-Object System.Collections.ArrayList
# Check if any tests haven't been added to schedule and add them
$update = $false
foreach ($guid in $AllAtomicTests | Select-Object -ExpandProperty auto_generated_guid) {
$fresh = $AllAtomicTests | Where-Object { $_.auto_generated_guid -eq $guid }
$old = $schedule | Where-Object { $_.auto_generated_guid -eq $guid }
if (!$old) {
$update = $true
$newSchedule += $fresh
}
# Updating schedule with changes
else {
if ($fresh -is [array]) {
$fresh = $fresh[0]
LogRunnerMsg "Duplicated auto_generated_guid found $($fresh.auto_generated_guid) with technique $($fresh.Technique).
`nCannot Continue Execution. System Exit"
Write-Host -ForegroundColor Yellow "Duplicated auto_generated_guid found $($fresh.auto_generated_guid) with technique $($fresh.Technique).
`nCannot Continue Execution. System Exit"; Start-Sleep 10
exit
}
$old.Technique = $fresh.Technique
$old.TestName = $fresh.TestName
$old.supported_platforms = $fresh.supported_platforms
$update = $true
$newSchedule += $old
}
}
if ($update) {
$newSchedule | Export-Csv $artConfig.scheduleFile
LogRunnerMsg "Schedule has been updated with new tests."
}
return $newSchedule
}
function Get-Schedule($listOfAtomics, $filtered = $true, $testGuids = $null) {
if ($listOfAtomics -or (Test-Path($artConfig.scheduleFile))) {
if ($listOfAtomics) {
$schedule = Import-Csv $listOfAtomics
}
else {
$schedule = Import-Csv $artConfig.scheduleFile
}
# Filter schedule to either Active/Supported Platform or TestGuids List
if ($TestGuids) {
$schedule = $schedule | Where-Object {
($Null -ne $TestGuids -and $TestGuids -contains $_.auto_generated_guid)
}
}
elseif ($filtered) {
$schedule = $schedule | Where-Object {
($_.enabled -eq $true -and ($_.supported_platforms -like "*" + $artConfig.OS + "*" ))
}
}
}
else {
Write-Host -ForegroundColor Yellow "Couldn't find schedule file ($($artConfig.scheduleFile)) Update the path to the schedule file in the config or generate a new one with 'Invoke-GenerateNewSchedule'"
}
if (($null -eq $schedule) -or ($schedule.length -eq 0)) { Write-Host -ForegroundColor Yellow "No active tests were found. Edit the 'enabled' column of your schedule file and set some to enabled (True)"; return $null }
return $schedule
}
function Invoke-GenerateNewSchedule() {
#create AtomicRunner-Logs directories if they don't exist
New-Item -ItemType Directory $artConfig.atomicLogsPath -ErrorAction Ignore | Out-Null
New-Item -ItemType Directory $artConfig.runnerFolder -ErrorAction Ignore | Out-Null
LogRunnerMsg "Generating new schedule: $($artConfig.scheduleFile)"
$schedule = Get-NewSchedule
$schedule | Export-Csv $artConfig.scheduleFile -NoTypeInformation
Write-Host -ForegroundColor Green "Schedule written to $($artConfig.scheduleFile)"
}
function Invoke-RefreshExistingSchedule() {
LogRunnerMsg "Refreshing existing schedule: $($artConfig.scheduleFile)"
$schedule = Get-ScheduleRefresh
$schedule | Export-Csv $artConfig.scheduleFile -NoTypeInformation
Write-Host -ForegroundColor Green "Refreshed schedule written to $($artConfig.scheduleFile)"
}
fb40bc82-a043-4c8b-aa93-a1bc6712532fC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-RunnerScheduleMethods.ps1
410515102150x0708462Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6030dc82-3f3f-4a81-8bdb-f280f4bc004a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708461Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11. "$PSScriptRoot\Invoke-RunnerScheduleMethods.ps1"
function Invoke-AtomicRunner {
[CmdletBinding(
SupportsShouldProcess = $true,
PositionalBinding = $false,
ConfirmImpact = 'Medium')]
Param(
[Parameter(Mandatory = $false)]
[switch]
$ShowDetails,
[Parameter(Mandatory = $false)]
[switch]
$CheckPrereqs,
[Parameter(Mandatory = $false)]
[switch]
$GetPrereqs,
[Parameter(Mandatory = $false)]
[switch]
$Cleanup,
[Parameter(Mandatory = $false)]
[switch]
$ShowDetailsBrief,
[Parameter(Mandatory = $false)]
[String]
$LoggingModule,
[Parameter(Mandatory = $false)]
$ListOfAtomics,
[parameter(Mandatory = $false)]
[ValidateRange(0, [int]::MaxValue)]
[int] $PauseBetweenAtomics,
[Parameter(Mandatory = $false, ValueFromRemainingArguments = $true)]
$OtherArgs
)
Begin { }
Process {
function Get-GuidFromHostName( $basehostname ) {
$guid = [System.Net.Dns]::GetHostName() -replace $($basehostname + "-"), ""
if (!$guid) {
LogRunnerMsg "Hostname has not been updated or could not parse out the Guid: " + $guid
return
}
# Confirm hostname contains a guid
[regex]$guidRegex = '(?im)^[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?$'
if ($guid -match $guidRegex) { return $guid } else { return "" }
}
function Invoke-AtomicTestFromScheduleRow ($tr, $Cleanup = $false) {
$theArgs = $tr.InputArgs
if ($theArgs.GetType().Name -ne "Hashtable") {
$tr.InputArgs = ConvertFrom-StringData -StringData $theArgs
}
$sc = $tr.AtomicsFolder
#Run the Test based on if scheduleContext is 'private' or 'public'
if (($sc -eq 'public') -or ($null -eq $sc)) {
Invoke-AtomicTest $tr.Technique -TestGuids $tr.auto_generated_guid -InputArgs $tr.InputArgs -TimeoutSeconds $tr.TimeoutSeconds -ExecutionLogPath $artConfig.execLogPath -PathToAtomicsFolder $artConfig.PathToPublicAtomicsFolder @htvars -Cleanup:$Cleanup -supressPathToAtomicsFolder
}
elseif ($sc -eq 'private') {
Invoke-AtomicTest $tr.Technique -TestGuids $tr.auto_generated_guid -InputArgs $tr.InputArgs -TimeoutSeconds $tr.TimeoutSeconds -ExecutionLogPath $artConfig.execLogPath -PathToAtomicsFolder $artConfig.PathToPrivateAtomicsFolder @htvars -Cleanup:$Cleanup -supressPathToAtomicsFolder
}
if ($timeToPause -gt 0) {
Write-Host "Sleeping for $timeToPause seconds..."
Start-Sleep $timeToPause
}
elseif ($timeToPause -eq 0) {
Write-Host 'Press any key to continue...';
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
}
}
function Rename-ThisComputer ($tr, $basehostname) {
$hash = $tr.auto_generated_guid
$newHostName = "$basehostname-$hash"
$shouldRename = $true
if ( $newHostName -eq [System.Net.Dns]::GetHostName()) { $shouldRename = $false }
if ($artConfig.verbose) { LogRunnerMsg "Setting hostname to $newHostName" }
If (Test-Path $artConfig.stopFile) {
LogRunnerMsg "exiting script because $($artConfig.stopFile) exists"
exit
}
if ($IsLinux) {
if ($shouldRename) { Invoke-Expression $("hostnamectl set-hostname $newHostName") }
Invoke-Expression $("shutdown -r now")
}
if ($IsMacOS) {
if ($shouldRename) {
Invoke-Expression $("/usr/sbin/scutil --set HostName $newHostName")
Invoke-Expression $("/usr/sbin/scutil --set ComputerName $newHostName")
Invoke-Expression $("/usr/sbin/scutil --set LocalHostName $newHostName")
}
Invoke-Expression $("/sbin/shutdown -r now")
}
else {
if ($debug) { LogRunnerMsg "Debug: pretending to rename the computer to $newHostName"; exit }
if (-not $shouldRename) { Restart-Computer -Force }
if ($artConfig.gmsaAccount) {
$retry = $true; $count = 0
while ($retry) {
# add retry loop to avoid this occassional error "The verification of the MSA failed with error 1355"
Invoke-Command -ComputerName '127.0.0.1' -ConfigurationName 'RenameRunnerEndpoint' -ScriptBlock { Rename-Computer -NewName $Using:newHostName -Force -Restart }
Start-Sleep 120; $count = $count + 1
LogRunnerMsg "Retrying computer rename $count"
if ($count -gt 15) { $retry = $false }
}
}
else {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $artConfig.user, (Get-Content $artConfig.credFile | ConvertTo-SecureString)
try {
Rename-Computer -NewName $newHostName -Force -DomainCredential $cred -Restart -ErrorAction stop
}
catch {
if ($artConfig.verbose) { LogRunnerMsg $_ }
try { Rename-Computer -NewName $newHostName -Force -LocalCredential $cred -Restart -ErrorAction stop } catch { if ($artConfig.verbose) { LogRunnerMsg $_ } }
}
}
Start-Sleep -seconds 30
LogRunnerMsg "uh oh, still haven't restarted - should never get to here"
$retry = $true; $count = 0
while ($retry) {
Restart-Computer -Force
Start-Sleep 300; $count = $count + 1
LogRunnerMsg "Rename retry $count"
if ($count -gt 60) { $retry = $false }
}
exit
}
}
function Get-TimingVariable ($sched) {
$atcount = $sched.Count
if ($null -eq $atcount) { $atcount = 1 }
$scheduleTimeSpanSeconds = $artConfig.scheduleTimeSpan.TotalSeconds
$secondsForAllTestsToComplete = $scheduleTimeSpanSeconds
$sleeptime = ($secondsForAllTestsToComplete / $atcount) - 120 - $artConfig.kickOffDelay.TotalSeconds # 1 minute for restart and 1 minute delay for scheduled task and an optional kickoff delay
if ($sleeptime -lt 120) { $sleeptime = 120 } # minimum 2 minute sleep time
return $sleeptime
}
# Convert OtherArgs to hashtable so we can pass it through to the call to Invoke-AtomicTest
$htvars = @{}
if ($OtherArgs) {
$OtherArgs | ForEach-Object {
if ($_ -match '^-') {
#New parameter
$lastvar = $_ -replace '^-'
$htvars[$lastvar] = $true
}
else {
#Value
$htvars[$lastvar] = $_
}
}
}
if ($PSBoundParameters.ContainsKey("PauseBetweenAtomics")) {
$timeToPause = $PauseBetweenAtomics
}
else {
$timeToPause = $null
}
$htvars += [Hashtable]$PSBoundParameters
$htvars.Remove('listOfAtomics') | Out-Null
$htvars.Remove('OtherArgs') | Out-Null
$htvars.Remove('Cleanup') | Out-Null
$htvars.Remove('PauseBetweenAtomics') | Out-Null
$schedule = Get-Schedule $listOfAtomics
# If the schedule is empty, end process
if (-not $schedule) {
LogRunnerMsg "No test guid's or enabled tests."
return
}
# timing variables
$SleepTillCleanup = Get-TimingVariable $schedule
# Perform cleanup, Showdetails or Prereq stuff for all scheduled items and then exit
if ($Cleanup -or $ShowDetails -or $CheckPrereqs -or $ShowDetailsBrief -or $GetPrereqs -or $listOfAtomics) {
$schedule | ForEach-Object {
Invoke-AtomicTestFromScheduleRow $_ $Cleanup
}
return
}
# exit if file stop.txt is found
If (Test-Path $artConfig.stopFile) {
LogRunnerMsg "exiting script because $($artConfig.stopFile) does exist"
Write-Host -ForegroundColor Yellow "Exiting script because $($artConfig.stopFile) does exist."; Start-Sleep 10;
exit
}
# Find current test to run
$guid = Get-GuidFromHostName $artConfig.basehostname
if ([string]::IsNullOrWhiteSpace($guid)) {
LogRunnerMsg "Test Guid ($guid) was null, using next item in the schedule"
}
else {
if ($artConfig.verbose) { LogRunnerMsg "Found Test: $guid specified in hostname" }
$sp = [Collections.Generic.List[Object]]$schedule
$currentIndex = $sp.FindIndex( { $args[0].auto_generated_guid -eq $guid })
if (($null -ne $currentIndex) -and ($currentIndex -ne -1)) {
$tr = $schedule[$currentIndex]
}
if ($null -ne $tr) {
# run the atomic test and exit
Invoke-AtomicTestFromScheduleRow $tr
# Cleanup after running test
Write-Host -Fore cyan "Sleeping for $SleepTillCleanup seconds before cleaning up for $($tr.Technique) $($tr.auto_generated_guid) "; Start-Sleep -Seconds $SleepTillCleanup
Invoke-AtomicTestFromScheduleRow $tr $true
}
else {
LogRunnerMsg "Could not find Test: $guid in schedule. Please update schedule to run this test."
}
}
# Load next scheduled test before renaming computer
$nextIndex += $currentIndex + 1
if ($nextIndex -ge ($schedule.count)) {
$tr = $schedule[0]
}
else {
$tr = $schedule[$nextIndex]
}
if ($null -eq $tr) {
LogRunnerMsg "Could not determine the next row to execute from the schedule, Starting from 1st row";
$tr = $schedule[0]
}
#Rename Computer and Restart
Rename-ThisComputer $tr $artConfig.basehostname
}
}
6030dc82-3f3f-4a81-8bdb-f280f4bc004aC:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicRunner.ps1
410615103150x0708460Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala15fd9e1-a07a-4061-a107-0f4bd41b336d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708459Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala15fd9e1-a07a-4061-a107-0f4bd41b336d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708458Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Get-PreferredIPAddress($isWindows) {
if ($isWindows) {
return (Get-NetIPAddress | Where-Object { $_.PrefixOrigin -ne "WellKnown" }).IPAddress
}
elseif ($IsMacOS) {
return ifconfig -l | xargs -n1 ipconfig getifaddr
}
elseif ($IsLinux) {
return ip -4 -br addr show | sed -n -e 's/^.*UP\s* //p' | cut -d "/" -f 1
}
else {
return ''
}
}
a15fd9e1-a07a-4061-a107-0f4bd41b336dC:\AtomicRedTeam\invoke-atomicredteam\Public\Get-PreferredIPAddress.ps1
410615103150x0708457Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8aa15ef8-8041-48ae-b1ee-b542036e97602b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708456Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8aa15ef8-8041-48ae-b1ee-b542036e97602b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708455Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local22 return
}
$ExecutorInstance = [AtomicExecutorDefault]::new()
$ExecutorInstance.command = $AtomicTest['executor']['command']
$StringsWithPotentialInputArgs.Add($AtomicTest['executor']['command'])
}
# cleanup_command element is optional
if ($AtomicTest['executor'].ContainsKey('cleanup_command')) {
$ExecutorInstance.cleanup_command = $AtomicTest['executor']['cleanup_command']
$StringsWithPotentialInputArgs.Add($AtomicTest['executor']['cleanup_command'])
}
# elevation_required element is optional
if ($AtomicTest['executor'].ContainsKey('elevation_required')) {
if (-not ($AtomicTest['executor']['elevation_required'] -is [Bool])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.elevation_required' element must be a boolean."
return
}
$ExecutorInstance.elevation_required = $AtomicTest['executor']['elevation_required']
}
else {
# if elevation_required is not present, default to false
$ExecutorInstance.elevation_required = $False
}
$InputArgumentNames = $null
# Get all input argument names
$InputArgumentNames = $InputArguments.Keys
# Extract all input arguments names from the executor
# Potential places where input arguments can be populated:
# - Dependency description
# - Dependency prereq_command
# - Dependency get_prereq_command
# - Executor steps
# - Executor command
# - Executor cleanup_command
$Regex = [Regex] '#\{(?<ArgName>[^}]+)\}'
[String[]] $InputArgumentNamesFromExecutor = $StringsWithPotentialInputArgs |
ForEach-Object { $Regex.Matches($_) } |
Select-Object -ExpandProperty Groups |
Where-Object { $_.Name -eq 'ArgName' } |
Select-Object -ExpandProperty Value |
Sort-Object -Unique
# Validate that all executor input arg names are defined input arg names.
if ($InputArgumentNamesFromExecutor.Count) {
$InputArgumentNamesFromExecutor | ForEach-Object {
if ($InputArgumentNames -notcontains $_) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] The following input argument was specified but is not defined: '$_'"
return
}
}
}
# Validate that all defined input args are utilized at least once in the executor.
if ($InputArgumentNames.Count) {
$InputArgumentNames | ForEach-Object {
if ($InputArgumentNamesFromExecutor -notcontains $_) {
# Write a warning since this scenario is not considered a breaking change
Write-Warning "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] The following input argument is defined but not utilized: '$_'."
}
}
}
$ExecutorInstance.name = $AtomicTest['executor']['name']
$AtomicTestInstance.executor = $ExecutorInstance
$AtomicTests[$i] = $AtomicTestInstance
}
$AtomicInstance.atomic_tests = $AtomicTests
$AtomicInstance
}
}
# Tab completion for Atomic Tests
function Get-TechniqueNumbers {
$PathToAtomicsFolder = if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam/atomics" } else { $env:HOMEDRIVE + "\AtomicRedTeam\atomics" }
$techniqueNumbers = Get-ChildItem $PathToAtomicsFolder -Directory |
ForEach-Object { $_.BaseName }
return $techniqueNumbers
}
Register-ArgumentCompleter -CommandName 'Invoke-AtomicTest' -ParameterName 'AtomicTechnique' -ScriptBlock {
param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameter)
Get-TechniqueNumbers | Where-Object { $_ -like "$wordToComplete*" } |
ForEach-Object {
New-Object System.Management.Automation.CompletionResult $_, $_, 'ParameterValue', "Technique number $_"
}
}
8aa15ef8-8041-48ae-b1ee-b542036e9760C:\AtomicRedTeam\invoke-atomicredteam\Public\Get-AtomicTechnique.ps1
4104152150x0708454Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local12filter Get-AtomicTechnique {
<#
.SYNOPSIS
Retrieve and validate an atomic technique.
.DESCRIPTION
Get-AtomicTechnique retrieves and validates one or more atomic techniques. Get-AtomicTechnique supports retrieval from YAML files or from a raw YAML string.
This function facilitates the following use cases:
1) Validation prior to execution of atomic tests.
2) Writing code to reason over one or more atomic techniques/tests.
3) Representing atomic techniques/tests in a format that is more conducive to PowerShell. ConvertFrom-Yaml returns a large, complicated hashtable that is difficult to work with and reason over. Get-AtomicTechnique helps abstract those challenges away.
4) Representing atomic techniques/tests in a format that can be piped directly to ConvertTo-Yaml.
.PARAMETER Path
Specifies the path to an atomic technique YAML file. Get-AtomicTechnique expects that the file extension be .yaml or .yml and that it is well-formed YAML content.
.PARAMETER Yaml
Specifies a single string consisting of raw atomic technique YAML.
.EXAMPLE
Get-ChildItem -Path C:\atomic-red-team\atomics\* -Recurse -Include 'T*.yaml' | Get-AtomicTechnique
.EXAMPLE
Get-Item C:\atomic-red-team\atomics\T1117\T1117.yaml | Get-AtomicTechnique
.EXAMPLE
Get-AtomicTechnique -Path C:\atomic-red-team\atomics\T1117\T1117.yaml
.EXAMPLE
$Yaml = @'
---
attack_technique: T1152
display_name: Launchctl
atomic_tests:
- name: Launchctl
description: |
Utilize launchctl
supported_platforms:
- macos
executor:
name: sh
command: |
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'@
Get-AtomicTechnique -Yaml $Yaml
.INPUTS
System.IO.FileInfo
The output of Get-Item and Get-ChildItem can be piped directly into Get-AtomicTechnique.
.OUTPUTS
AtomicTechnique
Outputs an object representing a parsed and validated atomic technique.
#>
[CmdletBinding(DefaultParameterSetName = 'FilePath')]
[OutputType([AtomicTechnique])]
param (
[Parameter(Mandatory, ValueFromPipelineByPropertyName, ParameterSetName = 'FilePath')]
[String]
[Alias('FullName')]
[ValidateScript({ Test-Path -Path $_ -Include '*.yaml', '*.yml' })]
$Path,
[Parameter(Mandatory, ParameterSetName = 'Yaml')]
[String]
[ValidateNotNullOrEmpty()]
$Yaml
)
switch ($PSCmdlet.ParameterSetName) {
'FilePath' {
$ResolvedPath = Resolve-Path -Path $Path
$YamlContent = Get-Content -Path $ResolvedPath -Raw
$ErrorStringPrefix = "[$($ResolvedPath)]"
}
'Yaml' {
$YamlContent = $Yaml
$ErrorStringPrefix = ''
}
}
$ParsedYaml = $null
$ValidSupportedPlatforms = @('windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp')
$ValidInputArgTypes = @('Path', 'Url', 'String', 'Integer', 'Float')
$ValidExecutorTypes = @('command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl')
# ConvertFrom-Yaml will throw a .NET exception rather than a PowerShell error.
# Capture the exception and convert to PowerShell error so that the user can decide
# how to handle the error.
try {
[Hashtable] $ParsedYaml = ConvertFrom-Yaml -Yaml $YamlContent
}
catch {
Write-Error $_
}
if ($ParsedYaml) {
# The document was well-formed YAML. Now, validate against the atomic red schema
$AtomicInstance = [AtomicTechnique]::new()
if (-not $ParsedYaml.Count) {
Write-Error "$ErrorStringPrefix YAML file has no elements."
return
}
if (-not $ParsedYaml.ContainsKey('attack_technique')) {
Write-Error "$ErrorStringPrefix 'attack_technique' element is required."
return
}
$AttackTechnique = $null
if ($ParsedYaml['attack_technique'].Count -gt 1) {
# An array of attack techniques are supported.
foreach ($Technique in $ParsedYaml['attack_technique']) {
if ("$Technique" -notmatch '^(?-i:T\d{4}(\.\d{3}){0,1})$') {
Write-Warning "$ErrorStringPrefix Attack technique: $Technique. Each attack technique should start with the letter 'T' followed by a four digit number."
}
[String[]] $AttackTechnique = $ParsedYaml['attack_technique']
}
}
else {
if ((-not "$($ParsedYaml['attack_technique'])".StartsWith('T'))) {
# If the attack technique is a single entry, validate that it starts with the letter T.
Write-Warning "$ErrorStringPrefix Attack technique: $($ParsedYaml['attack_technique']). Attack techniques should start with the letter T."
}
[String] $AttackTechnique = $ParsedYaml['attack_technique']
}
$AtomicInstance.attack_technique = $AttackTechnique
if (-not $ParsedYaml.ContainsKey('display_name')) {
Write-Error "$ErrorStringPrefix 'display_name' element is required."
return
}
if (-not ($ParsedYaml['display_name'] -is [String])) {
Write-Error "$ErrorStringPrefix 'display_name' must be a string."
return
}
$AtomicInstance.display_name = $ParsedYaml['display_name']
if (-not $ParsedYaml.ContainsKey('atomic_tests')) {
Write-Error "$ErrorStringPrefix 'atomic_tests' element is required."
return
}
if (-not ($ParsedYaml['atomic_tests'] -is [System.Collections.Generic.List`1[Object]])) {
Write-Error "$ErrorStringPrefix 'atomic_tests' element must be an array."
return
}
$AtomicTests = [AtomicTest[]]::new($ParsedYaml['atomic_tests'].Count)
if (-not $ParsedYaml['atomic_tests'].Count) {
Write-Error "$ErrorStringPrefix 'atomic_tests' element is empty - you have no tests."
return
}
for ($i = 0; $i -lt $ParsedYaml['atomic_tests'].Count; $i++) {
$AtomicTest = $ParsedYaml['atomic_tests'][$i]
$AtomicTestInstance = [AtomicTest]::new()
$StringsWithPotentialInputArgs = New-Object -TypeName 'System.Collections.Generic.List`1[String]'
if (-not $AtomicTest.ContainsKey('name')) {
Write-Error "$ErrorStringPrefix 'atomic_tests[$i].name' element is required."
return
}
if (-not ($AtomicTest['name'] -is [String])) {
Write-Error "$ErrorStringPrefix 'atomic_tests[$i].name' element must be a string."
return
}
$AtomicTestInstance.name = $AtomicTest['name']
$AtomicTestInstance.auto_generated_guid = $AtomicTest['auto_generated_guid']
if (-not $AtomicTest.ContainsKey('description')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description' element is required."
return
}
if (-not ($AtomicTest['description'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description' element must be a string."
return
}
$AtomicTestInstance.description = $AtomicTest['description']
if (-not $AtomicTest.ContainsKey('supported_platforms')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms' element is required."
return
}
if (-not ($AtomicTest['supported_platforms'] -is [System.Collections.Generic.List`1[Object]])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms' element must be an array."
return
}
foreach ($SupportedPlatform in $AtomicTest['supported_platforms']) {
if ($ValidSupportedPlatforms -cnotcontains $SupportedPlatform) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].supported_platforms': '$SupportedPlatform' must be one of the following: $($ValidSupportedPlatforms -join ', ')."
return
}
}
$AtomicTestInstance.supported_platforms = $AtomicTest['supported_platforms']
$Dependencies = $null
if ($AtomicTest['dependencies'].Count) {
$Dependencies = [AtomicDependency[]]::new($AtomicTest['dependencies'].Count)
$j = 0
# dependencies are optional and there can be multiple
foreach ($Dependency in $AtomicTest['dependencies']) {
$DependencyInstance = [AtomicDependency]::new()
if (-not $Dependency.ContainsKey('description')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].description' element is required."
return
}
if (-not ($Dependency['description'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].description' element must be a string."
return
}
$DependencyInstance.description = $Dependency['description']
$StringsWithPotentialInputArgs.Add($Dependency['description'])
if (-not $Dependency.ContainsKey('prereq_command')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].prereq_command' element is required."
return
}
if (-not ($Dependency['prereq_command'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].prereq_command' element must be a string."
return
}
$DependencyInstance.prereq_command = $Dependency['prereq_command']
$StringsWithPotentialInputArgs.Add($Dependency['prereq_command'])
if (-not $Dependency.ContainsKey('get_prereq_command')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].get_prereq_command' element is required."
return
}
if (-not ($Dependency['get_prereq_command'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependencies[$j].get_prereq_command' element must be a string."
return
}
$DependencyInstance.get_prereq_command = $Dependency['get_prereq_command']
$StringsWithPotentialInputArgs.Add($Dependency['get_prereq_command'])
$Dependencies[$j] = $DependencyInstance
$j++
}
$AtomicTestInstance.dependencies = $Dependencies
}
if ($AtomicTest.ContainsKey('dependency_executor_name')) {
if ($ValidExecutorTypes -notcontains $AtomicTest['dependency_executor_name']) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].dependency_executor_name': '$($AtomicTest['dependency_executor_name'])' must be one of the following: $($ValidExecutorTypes -join ', ')."
return
}
if ($null -eq $AtomicTestInstance.Dependencies) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] If 'atomic_tests[$i].dependency_executor_name' is defined, there must be at least one dependency defined."
}
$AtomicTestInstance.dependency_executor_name = $AtomicTest['dependency_executor_name']
}
$InputArguments = $null
# input_arguments is optional
if ($AtomicTest.ContainsKey('input_arguments')) {
if (-not ($AtomicTest['input_arguments'] -is [Hashtable])) {
$AtomicTest['input_arguments'].GetType().FullName
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments' must be a hashtable."
return
}
if (-not ($AtomicTest['input_arguments'].Count)) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments' must have at least one entry."
return
}
$InputArguments = @{}
$j = 0
foreach ($InputArgName in $AtomicTest['input_arguments'].Keys) {
$InputArgument = [AtomicInputArgument]::new()
if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('description')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].description' element is required."
return
}
if (-not ($AtomicTest['input_arguments'][$InputArgName]['description'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].description' element must be a string."
return
}
$InputArgument.description = $AtomicTest['input_arguments'][$InputArgName]['description']
if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('type')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].type' element is required."
return
}
if ($ValidInputArgTypes -notcontains $AtomicTest['input_arguments'][$InputArgName]['type']) {
Write-Warning "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].type': '$($AtomicTest['input_arguments'][$InputArgName]['type'])' should be one of the following: $($ValidInputArgTypes -join ', ')"
}
$InputArgument.type = $AtomicTest['input_arguments'][$InputArgName]['type']
if (-not $AtomicTest['input_arguments'][$InputArgName].ContainsKey('default')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].input_arguments['$InputArgName'].default' element is required."
return
}
$InputArgument.default = $AtomicTest['input_arguments'][$InputArgName]['default']
$InputArguments[$InputArgName] = $InputArgument
$j++
}
}
$AtomicTestInstance.input_arguments = $InputArguments
if (-not $AtomicTest.ContainsKey('executor')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor' element is required."
return
}
if (-not ($AtomicTest['executor'] -is [Hashtable])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor' element must be a hashtable."
return
}
if (-not $AtomicTest['executor'].ContainsKey('name')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.name' element is required."
return
}
if (-not ($AtomicTest['executor']['name'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name' element must be a string."
return
}
if ($AtomicTest['executor']['name'] -notmatch '^(?-i:[a-z_]+)$') {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name' element must be lowercased and underscored."
return
}
if ($ValidExecutorTypes -notcontains $AtomicTest['executor']['name']) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].description.name': '$($AtomicTest['executor']['name'])' must be one of the following: $($ValidExecutorTypes -join ', ')"
return
}
if ($AtomicTest['executor']['name'] -eq 'manual') {
if (-not $AtomicTest['executor'].ContainsKey('steps')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.steps' element is required when the 'manual' executor is used."
return
}
if (-not ($AtomicTest['executor']['steps'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.steps' element must be a string."
return
}
$ExecutorInstance = [AtomicExecutorManual]::new()
$ExecutorInstance.steps = $AtomicTest['executor']['steps']
$StringsWithPotentialInputArgs.Add($AtomicTest['executor']['steps'])
}
else {
if (-not $AtomicTest['executor'].ContainsKey('command')) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.command' element is required when the '$($ValidExecutorTypes -join ', ')' executors are used."
return
}
if (-not ($AtomicTest['executor']['command'] -is [String])) {
Write-Error "$ErrorStringPrefix[Atomic test name: $($AtomicTestInstance.name)] 'atomic_tests[$i].executor.command' element must be a string."
8aa15ef8-8041-48ae-b1ee-b542036e9760C:\AtomicRedTeam\invoke-atomicredteam\Public\Get-AtomicTechnique.ps1
410615103150x0708453Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708452Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708451Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708450Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708449Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3064d909-08ec-4728-a9aa-6617b06699762b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708448Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11#requires -Version 5.0
# execute amsi bypass if configured to use one
if([bool]$artConfig.absb -and ($artConfig.OS -eq "windows")){
$artConfig.absb.Invoke()
}
#Get public and private function definition files.
$Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -Recurse -ErrorAction SilentlyContinue )
$Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -Recurse -Exclude "AtomicClassSchema.ps1" -ErrorAction SilentlyContinue )
# Make sure the Atomic Class Schema is available first (a workaround so PSv5.0 doesn't give errors)
. "$PSScriptRoot\Private\AtomicClassSchema.ps1"
#Dot source the files
Foreach ($import in @($Public + $Private)) {
Try {
. $import.fullname
}
Catch {
Write-Error -Message "Failed to import function $($import.fullname): $_"
}
}
3064d909-08ec-4728-a9aa-6617b0669976C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1
410615103150x0708447Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local66ebeb04-ccc6-4b1c-b53d-12c8db52d46d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708446Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local66ebeb04-ccc6-4b1c-b53d-12c8db52d46d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708445Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) {
if ($isWindows -and -not [System.Diagnostics.EventLog]::Exists('Atomic Red Team')) {
New-EventLog -Source "Applications and Services Logs" -LogName "Atomic Red Team"
}
}
function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) {
$timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$ipAddress = Get-PreferredIPAddress $isWindows
$msg = [PSCustomObject][ordered]@{
"Execution Time (UTC)" = $timeUTC
"Execution Time (Local)" = $timeLocal
"Technique" = $technique
"Test Number" = $testNum
"Test Name" = $testName
"Hostname" = $targetHostname
"IP Address" = $ipAddress
"Username" = $targetUser
"GUID" = $testGuid
"Tag" = "atomicrunner"
"CustomTag" = $artConfig.CustomTag
"ProcessId" = $res.ProcessId
"ExitCode" = $res.ExitCode
}
Write-EventLog -Source "Applications and Services Logs" -LogName "Atomic Red Team" -EventID 3001 -EntryType Information -Message $msg -Category 1 -RawData 10, 20
}
function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) {
}
66ebeb04-ccc6-4b1c-b53d-12c8db52d46dC:\AtomicRedTeam\invoke-atomicredteam\Public\WinEvent-ExecutionLogger.psm1
410615103150x0708444Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local016504b4-0d0c-455a-a9e9-275315b53e042b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708443Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local016504b4-0d0c-455a-a9e9-275315b53e042b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708442Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) {
}
function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) {
$timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$ipAddress = Get-PreferredIPAddress $isWindows
$msg = [PSCustomObject][ordered]@{
"Execution Time (UTC)" = $timeUTC
"Execution Time (Local)" = $timeLocal
"Technique" = $technique
"Test Number" = $testNum
"Test Name" = $testName
"Hostname" = $targetHostname
"IP Address" = $ipAddress
"Username" = $targetUser
"GUID" = $testGuid
"Tag" = "atomicrunner"
"CustomTag" = $artConfig.CustomTag
"ProcessId" = $res.ProcessId
"ExitCode" = $res.ExitCode
}
# send syslog message if a syslog server is defined in Public/config.ps1
if ([bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort) {
$jsonMsg = $msg | ConvertTo-Json -Compress
Send-SyslogMessage -Server $artConfig.syslogServer -Port $artConfig.syslogPort -Message $jsonMsg -Severity "Informational" -Facility "daemon" -Transport $artConfig.syslogProtocol
}
}
function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) {
}
016504b4-0d0c-455a-a9e9-275315b53e04C:\AtomicRedTeam\invoke-atomicredteam\Public\Syslog-ExecutionLogger.psm1
410615103150x0708441Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6114c374-6731-41e2-a4fc-e9b38f2053b22b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708440Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6114c374-6731-41e2-a4fc-e9b38f2053b22b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708439Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Attire-ExecutionLogger.psm1
# Copyright 2023 Security Risk Advisors
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€),
# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
$script:attireLog = [PSCustomObject]@{
'attire-version' = '1.1'
'execution-data' = ''
'procedures' = @()
}
function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) {
$ipAddress = Get-PreferredIPAddress $isWindows
if ($targetUser -isnot [string]) {
if ([bool]($targetUser.PSobject.Properties.name -match "^value$")) {
$targetUser = $targetUser.value
}
else {
$targetUser = $targetUser.ToString()
}
}
if ($targetHostname -isnot [string]) {
if ([bool]($targetHostname.PSobject.Properties.name -match "^value$")) {
$targetHostname = $targetHostname.value
}
else {
$targetHostname = $targetHostname.ToString()
}
}
$target = [PSCustomObject]@{
user = $targetUser
host = $targetHostname
ip = $ipAddress
path = $Env:PATH
}
$guid = New-Guid
$bytes = [System.Text.Encoding]::UTF8.GetBytes($guid.Guid)
$executionId = [Convert]::ToBase64String($bytes)
$executionCategory = [PSCustomObject]@{
'name' = "Atomic Red Team"
'abbreviation' = "ART"
}
$executionData = [PSCustomObject]@{
'execution-source' = "Invoke-Atomicredteam"
'execution-id' = $executionId
'execution-category' = $executionCategory
'execution-command' = $commandLine
target = $target
'time-generated' = ""
}
$script:attireLog.'execution-data' = $executionData
}
function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) {
$startTime = (Get-Date($startTime).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z').ToString()
$stopTime = (Get-Date($stopTime).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z').ToString()
$procedureId = [PSCustomObject]@{
type = "guid"
id = $testGuid
}
$step = [PSCustomObject]@{
'order' = 1
'time-start' = $startTime
'time-stop' = $stopTime
'executor' = $testExecutor
'command' = $command
'output' = @()
}
$stdOutContents = $res.StandardOutput
if (($stdOutContents -isnot [string]) -and ($null -ne $stdOutContents)) {
$stdOutContents = $stdOutContents.ToString()
}
$outputStdConsole = [PSCustomObject]@{
content = $stdOutContents
level = "STDOUT"
type = "console"
}
$stdErrContents = $res.ErrorOutput
if (($stdErrContents -isnot [string]) -and ($null -ne $stdErrContents)) {
$stdErrContents = $stdErrContents.ToString()
}
$outputErrConsole = [PSCustomObject]@{
content = $stdErrContents
level = "STDERR"
type = "console"
}
[bool] $foundOutput = $false
if ($res.StandardOutput.length -gt 0) {
$foundOutput = $true
$step.output += $outputStdConsole
}
if ($res.ErrorOutput.length -gt 0) {
$foundOutput = $true
$step.output += $outputErrConsole
}
if (!$foundOutput) {
$emptyOutput = [PSCustomObject]@{
content = ""
level = "STDOUT"
type = "console"
}
$step.output += $emptyOutput
}
$procedure = [PSCustomObject]@{
'mitre-technique-id' = $technique
'procedure-name' = $testName
'procedure-id' = $procedureId
'procedure-description' = $testDescription
order = $testNum
steps = @()
}
$procedure.steps += $step
$script:attireLog.procedures += $procedure
}
function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) {
$script:attireLog.'execution-data'.'time-generated' = (Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z')
#$script:attireLog | Export-Csv -Path "attireLogObject.csv"
$content = ($script:attireLog | ConvertTo-Json -Depth 12)
#$Utf8NoBom = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines((Resolve-NonexistantPath($logPath)), $content)
#Out-File -FilePath $logPath -InputObject ($script:attireLog | ConvertTo-Json -Depth 12) -Append -Encoding ASCII
$script:attireLog = [PSCustomObject]@{
'attire-version' = '1.1'
'execution-data' = ''
procedures = @()
}
}
function Resolve-NonexistantPath($File) {
$Path = Resolve-Path $File -ErrorAction SilentlyContinue -ErrorVariable error
if (-not($Path)) {
$Path = $error[0].TargetObject
}
return $Path
}
6114c374-6731-41e2-a4fc-e9b38f2053b2C:\AtomicRedTeam\invoke-atomicredteam\Public\Attire-ExecutionLogger.psm1
410615103150x0708438Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local85871253-d20c-43d2-b56d-5aa46fe3d83c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708437Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local85871253-d20c-43d2-b56d-5aa46fe3d83c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708436Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $commandLine, $isWindows) {
}
function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) {
if (!(Test-Path $logPath)) {
New-Item $logPath -Force -ItemType File | Out-Null
}
$ipAddress = Get-PreferredIPAddress $isWindows
$timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
$msg = [PSCustomObject][ordered]@{
"Execution Time (UTC)" = $timeUTC
"Execution Time (Local)" = $timeLocal
"Technique" = $technique
"Test Number" = $testNum
"Test Name" = $testName
"Hostname" = $targetHostname
"IP Address" = $ipAddress
"Username" = $targetUser
"GUID" = $testGuid
"ProcessId" = $res.ProcessId
"ExitCode" = $res.ExitCode
}
$msg | Export-Csv -Path $LogPath -NoTypeInformation -Append
}
function Stop-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser, $isWindows) {
}
85871253-d20c-43d2-b56d-5aa46fe3d83cC:\AtomicRedTeam\invoke-atomicredteam\Public\Default-ExecutionLogger.psm1
410615103150x0708435Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708434Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local13a76087-a21b-4698-bf96-a8ddc5a8d4d52b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708433Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11
$artConfig = [PSCustomObject]@{
# [optional] These two configs are calculated programatically, you probably don't need to change them
basehostname = $((hostname | Select-String -Pattern "(.*?)(-[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})?$").Matches.Groups[1].value)
OS = $( if ($IsLinux) { "linux" } elseif ($IsMacOS) { "macos" } else { "windows" })
# [optional(if using default install paths)] Paths to your Atomic Red Team "atomics" folder and your "invoke-atomicredteam" folder
PathToInvokeFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "/AtomicRedTeam/invoke-atomicredteam" # this is the default install path so you probably don't need to change this
PathToPublicAtomicsFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "AtomicRedTeam/atomics" # this is the default install path so you probably don't need to change this
PathToPrivateAtomicsFolder = Join-Path $( if ($IsLinux -or $IsMacOS) { "~" } else { "C:" }) "PrivateAtomics/atomics" # if you aren't providing your own private atomics that are custom written by you, just leave this as is
# [ Optional ] The user that will be running each atomic test
user = $( if ($IsLinux -or $IsMacOS) { $env:USER } else { "$env:USERDOMAIN\$env:USERNAME" }) # example "corp\atomicrunner"
# [optional] the path where you want the folder created that houses the logs and the runner schedule. Defaults to users home directory
basePath = $( if (!$IsLinux -and !$IsMacOS) { $env:USERPROFILE } else { $env:HOME }) # example "C:\Users\atomicrunner"
# [optional]
scheduleTimeSpan = New-TimeSpan -Days 7 # the time in which all tests on the schedule should complete
kickOffDelay = New-TimeSpan -Minutes 0 # an additional delay before Invoke-KickoffAtomicRunner calls Invoke-AtomicRunner
scheduleFileName = "AtomicRunnerSchedule.csv"
# [optional] If you need to use a group managed service account in order to rename the computer, enter it here
gmsaAccount = $null
# [optional] Logging Module, uses Syslog-ExecutionLogger if left blank and the syslogServer and syslogPort are set, otherwise it uses the Default-ExecutionLogger
LoggingModule = ''
# [optional] Syslog configuration, default execution logs will be sent to this server:port
syslogServer = '' # set to empty string '' if you don't want to log atomic execution details to a syslog server (don't includle http(s):\\)
syslogPort = 514
syslogProtocol = 'UDP' # options are UDP, TCP, TCPwithTLS
verbose = $true; # set to true for more log output
# [optional] logfile filename configs
logFolder = "AtomicRunner-Logs"
timeLocal = (Get-Date(get-date) -uformat "%Y-%m-%d").ToString()
# amsi bypass script block (applies to Windows only)
absb = $null
}
# If you create a file called privateConfig.ps1 in the same directory as you installed Invoke-AtomicRedTeam you can overwrite any of these settings with your custom values
$root = Split-Path (Split-Path $PSScriptRoot -Parent) -Parent
$pathToPrivateConfig = Join-Path $root "privateConfig.ps1"
if (Test-Path ($pathToPrivateConfig)) {
if ($IsLinux -or $IsMacOS) {
chmod +x $pathToPrivateConfig
}
& ($pathToPrivateConfig)
}
#####################################################################################
# All of the configs below are calculated using the script block in the "Value" field.
# This way, when you change the 'basePath' everything else is updated.
# You should probably leave all of the stuff below alone.
#####################################################################################
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "runnerFolder"
Value = { Join-Path $artConfig.basePath "AtomicRunner" }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "atomicLogsPath"
Value = { Join-Path $artConfig.basePath $artConfig.logFolder }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "scheduleFile"
Value = { Join-Path $artConfig.runnerFolder $artConfig.scheduleFileName }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "credFile"
Value = { Join-Path $artConfig.runnerFolder "psc_$($artConfig.basehostname).txt" }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "execLogPath"
Value = { Join-Path $artConfig.atomicLogsPath "$($artConfig.timeLocal)`_$($artConfig.basehostname)-ExecLog.csv" }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "stopFile"
Value = { Join-Path $artConfig.runnerFolder "stop.txt" }
}
Add-Member @scriptParam
$scriptParam = @{
MemberType = "ScriptProperty"
InputObject = $artConfig
Name = "logFile"
Value = { Join-Path $artConfig.atomicLogsPath "log-$($artConfig.basehostname).txt" }
}
Add-Member @scriptParam
13a76087-a21b-4698-bf96-a8ddc5a8d4d5C:\AtomicRedTeam\invoke-atomicredteam\Public\config.ps1
410615103150x0708432Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708431Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local57293e21-c8d3-413e-8ca5-bcc9422de5de2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708430Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11class AtomicDependency {
[String] $description
[String] $prereq_command
[String] $get_prereq_command
}
class AtomicInputArgument {
[String] $description
[String] $type
[String] $default
}
class AtomicExecutorBase {
[String] $name
[Bool] $elevation_required
# Implemented to facilitate improved PS object display
[String] ToString() {
return $this.Name
}
}
class AtomicExecutorDefault : AtomicExecutorBase {
[String] $command
[String] $cleanup_command
}
class AtomicExecutorManual : AtomicExecutorBase {
[String] $steps
[String] $cleanup_command
}
class AtomicTest {
[String] $name
[String] $auto_generated_guid
[String] $description
[String[]] $supported_platforms
# I wish this didn't have to be a hashtable but I don't
# want to change the schema and introduce a breaking change.
[Hashtable] $input_arguments
[String] $dependency_executor_name
[AtomicDependency[]] $dependencies
[AtomicExecutorBase] $executor
# Implemented to facilitate improved PS object display
[String] ToString() {
return $this.name
}
}
class AtomicTechnique {
[String[]] $attack_technique
[String] $display_name
[AtomicTest[]] $atomic_tests
}
57293e21-c8d3-413e-8ca5-bcc9422de5deC:\AtomicRedTeam\invoke-atomicredteam\Private\AtomicClassSchema.ps1
410615103150x0708429Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb4ecc18a-3f58-457d-9476-f738efb6af422b535b4c-a403-4565-9d75-b1fc8c18a9ac
410314106200x0708428Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.17763.5328
Host ID = 399c885b-5299-4104-9115-f2730c038a52
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.17763.5328
Runspace ID = 2b535b4c-a403-4565-9d75-b1fc8c18a9ac
Pipeline ID = 4
Command Name = Add-Type
Command Type = Cmdlet
Script Name = C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1
Command Path =
Sequence Number = 16
User = ATTACKRANGE\Administrator
Connected User =
Shell ID = Microsoft.PowerShell
CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value="using System;
using System.Text.RegularExpressions;
using YamlDotNet;
using YamlDotNet.Core;
using YamlDotNet.Serialization;
using YamlDotNet.Serialization.EventEmitters;
public class StringQuotingEmitter: ChainedEventEmitter {
// Patterns from https://yaml.org/spec/1.2/spec.html#id2804356
private static Regex quotedRegex = new Regex(@"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$", RegexOptions.Compiled | RegexOptions.IgnoreCase);
public StringQuotingEmitter(IEventEmitter next): base(next) {}
public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter) {
var typeCode = eventInfo.Source.Value != null
? Type.GetTypeCode(eventInfo.Source.Type)
: TypeCode.Empty;
switch (typeCode) {
case TypeCode.Char:
if (Char.IsDigit((char)eventInfo.Source.Value)) {
eventInfo.Style = ScalarStyle.DoubleQuoted;
}
break;
case TypeCode.String:
var val = eventInfo.Source.Value.ToString();
if (quotedRegex.IsMatch(val))
{
eventInfo.Style = ScalarStyle.DoubleQuoted;
} else if (val.IndexOf('\n') > -1) {
eventInfo.Style = ScalarStyle.Literal;
}
break;
}
base.Emit(eventInfo, emitter);
}
public static SerializerBuilder Add(SerializerBuilder builder) {
return builder.WithEventEmitter(next => new StringQuotingEmitter(next));
}
}"
ParameterBinding(Add-Type): name="ReferencedAssemblies"; value="C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\lib\net45\YamlDotNet.dll, C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll"
ParameterBinding(Add-Type): name="Language"; value="CSharp"
410615103150x0708427Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local150366b0-e0b6-40dc-b951-f119ead5ef152b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708426Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local150366b0-e0b6-40dc-b951-f119ead5ef152b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708425Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc41933e3-59a3-47e6-ac40-59ab94dec44a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708424Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localc41933e3-59a3-47e6-ac40-59ab94dec44a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708423Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708422Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708421Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708420Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708419Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb4ecc18a-3f58-457d-9476-f738efb6af422b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708418Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
enum SerializationOptions {
None = 0
Roundtrip = 1
DisableAliases = 2
EmitDefaults = 4
JsonCompatible = 8
DefaultToStaticType = 16
WithIndentedSequences = 32
}
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$assemblies = Join-Path $here "Load-Assemblies.ps1"
$infinityRegex = [regex]::new('^[-+]?(\.inf|\.Inf|\.INF)$', "Compiled, CultureInvariant");
if (Test-Path $assemblies) {
. $here\Load-Assemblies.ps1
}
function Get-YamlDocuments {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[string]$Yaml,
[switch]$UseMergingParser=$false
)
PROCESS {
$stringReader = new-object System.IO.StringReader($Yaml)
$parser = New-Object "YamlDotNet.Core.Parser" $stringReader
if($UseMergingParser) {
$parser = New-Object "YamlDotNet.Core.MergingParser" $parser
}
$yamlStream = New-Object "YamlDotNet.RepresentationModel.YamlStream"
$yamlStream.Load([YamlDotNet.Core.IParser] $parser)
$stringReader.Close()
return $yamlStream
}
}
function Convert-ValueToProperType {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[System.Object]$Node
)
PROCESS {
if (!($Node.Value -is [string])) {
return $Node
}
if ([string]::IsNullOrEmpty($Node.Tag) -eq $false) {
switch($Node.Tag) {
"tag:yaml.org,2002:str" {
return $Node.Value
}
"tag:yaml.org,2002:null" {
return $null
}
"tag:yaml.org,2002:bool" {
$parsedValue = $false
if (![boolean]::TryParse($Node.Value, [ref]$parsedValue)) {
Throw ("failed to parse scalar {0} as boolean" -f $Node)
}
return $parsedValue
}
"tag:yaml.org,2002:int" {
$parsedValue = 0
if ($node.Value.Length -gt 2) {
switch ($node.Value.Substring(0, 2)) {
"0o" {
$parsedValue = [Convert]::ToInt64($Node.Value.Substring(2), 8)
}
"0x" {
$parsedValue = [Convert]::ToInt64($Node.Value.Substring(2), 16)
}
default {
if (![long]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) {
Throw ("failed to parse scalar {0} as long" -f $Node)
}
}
}
} else {
if (![long]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) {
Throw ("failed to parse scalar {0} as long" -f $Node)
}
}
return $parsedValue
}
"tag:yaml.org,2002:float" {
$parsedValue = 0.0
if ($infinityRegex.Matches($Node.Value)) {
$prefix = $Node.Value.Substring(0, 1)
switch ($prefix) {
"-" {
return [double]::NegativeInfinity
}
default {
# Prefix is either missing or is a +
return [double]::PositiveInfinity
}
}
}
if (![double]::TryParse($Node.Value, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)) {
Throw ("failed to parse scalar {0} as double" -f $Node)
}
return $parsedValue
}
"tag:yaml.org,2002:timestamp" {
# From the YAML spec: http://yaml.org/type/timestamp.html
[DateTime]$parsedValue = [DateTime]::MinValue
$ts = [DateTime]::SpecifyKind($Node.Value, [System.DateTimeKind]::Utc)
$tss = $ts.ToString("o")
if(![datetime]::TryParse($tss, $null, [System.Globalization.DateTimeStyles]::RoundtripKind, [ref] $parsedValue)) {
Throw ("failed to parse scalar {0} as DateTime" -f $Node)
}
return $parsedValue
}
}
}
if ($Node.Style -eq 'Plain')
{
$types = @([int], [long], [double], [boolean], [decimal])
foreach($i in $types){
$parsedValue = New-Object -TypeName $i.FullName
if ($i.IsAssignableFrom([boolean])){
$result = $i::TryParse($Node,[ref]$parsedValue)
} else {
$result = $i::TryParse($Node, [Globalization.NumberStyles]::Any, [Globalization.CultureInfo]::InvariantCulture, [ref]$parsedValue)
}
if( $result ) {
return $parsedValue
}
}
}
if ($Node.Style -eq 'Plain' -and $Node.Value -in '','~','null','Null','NULL') {
return $null
}
return $Node.Value
}
}
function Convert-YamlMappingToHashtable {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[YamlDotNet.RepresentationModel.YamlMappingNode]$Node,
[switch] $Ordered
)
PROCESS {
if ($Ordered) { $ret = [ordered]@{} } else { $ret = @{} }
foreach($i in $Node.Children.Keys) {
$ret[$i.Value] = Convert-YamlDocumentToPSObject $Node.Children[$i] -Ordered:$Ordered
}
return $ret
}
}
function Convert-YamlSequenceToArray {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[YamlDotNet.RepresentationModel.YamlSequenceNode]$Node,
[switch]$Ordered
)
PROCESS {
$ret = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]")
foreach($i in $Node.Children){
$ret.Add((Convert-YamlDocumentToPSObject $i -Ordered:$Ordered))
}
return ,$ret
}
}
function Convert-YamlDocumentToPSObject {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[System.Object]$Node,
[switch]$Ordered
)
PROCESS {
switch($Node.GetType().FullName){
"YamlDotNet.RepresentationModel.YamlMappingNode"{
return Convert-YamlMappingToHashtable $Node -Ordered:$Ordered
}
"YamlDotNet.RepresentationModel.YamlSequenceNode" {
return Convert-YamlSequenceToArray $Node -Ordered:$Ordered
}
"YamlDotNet.RepresentationModel.YamlScalarNode" {
return (Convert-ValueToProperType $Node)
}
}
}
}
function Convert-HashtableToDictionary {
Param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[hashtable]$Data
)
foreach($i in $($data.Keys)) {
$Data[$i] = Convert-PSObjectToGenericObject $Data[$i]
}
return $Data
}
function Convert-OrderedHashtableToDictionary {
Param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[System.Collections.Specialized.OrderedDictionary] $Data
)
foreach ($i in $($data.Keys)) {
$Data[$i] = Convert-PSObjectToGenericObject $Data[$i]
}
return $Data
}
function Convert-ListToGenericList {
Param(
[Parameter(Mandatory=$false,ValueFromPipeline=$true)]
[array]$Data=@()
)
$ret = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]")
for($i=0; $i -lt $Data.Count; $i++) {
$ret.Add((Convert-PSObjectToGenericObject $Data[$i]))
}
return ,$ret
}
function Convert-PSCustomObjectToDictionary {
Param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[PSCustomObject]$Data
)
$ret = [System.Collections.Generic.Dictionary[string,object]](New-Object 'System.Collections.Generic.Dictionary[string,object]')
foreach ($i in $Data.psobject.properties) {
$ret[$i.Name] = Convert-PSObjectToGenericObject $i.Value
}
return $ret
}
function Convert-PSObjectToGenericObject {
Param(
[Parameter(Mandatory=$false,ValueFromPipeline=$true)]
[System.Object]$Data
)
if ($null -eq $data) {
return $data
}
$dataType = $data.GetType()
if ($data -isnot [System.Object]) {
return $data -as $dataType
}
if ($dataType.FullName -eq "System.Management.Automation.PSCustomObject") {
return Convert-PSCustomObjectToDictionary $data
} elseif (([System.Collections.Specialized.OrderedDictionary].IsAssignableFrom($dataType))){
return Convert-OrderedHashtableToDictionary $data
} elseif (([System.Collections.IDictionary].IsAssignableFrom($dataType))){
return Convert-HashtableToDictionary $data
} elseif (([System.Collections.IList].IsAssignableFrom($dataType))) {
return Convert-ListToGenericList $data
}
return $data -as $dataType
}
function ConvertFrom-Yaml {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false, ValueFromPipeline=$true, Position=0)]
[string]$Yaml,
[switch]$AllDocuments=$false,
[switch]$Ordered,
[switch]$UseMergingParser=$false
)
BEGIN {
$d = ""
}
PROCESS {
if($Yaml -is [string]) {
$d += $Yaml + "`n"
}
}
END {
if($d -eq ""){
return
}
$documents = Get-YamlDocuments -Yaml $d -UseMergingParser:$UseMergingParser
if (!$documents.Count) {
return
}
if($documents.Count -eq 1){
return Convert-YamlDocumentToPSObject $documents[0].RootNode -Ordered:$Ordered
}
if(!$AllDocuments) {
return Convert-YamlDocumentToPSObject $documents[0].RootNode -Ordered:$Ordered
}
$ret = @()
foreach($i in $documents) {
$ret += Convert-YamlDocumentToPSObject $i.RootNode -Ordered:$Ordered
}
return $ret
}
}
$stringQuotingEmitterSource = @"
using System;
using System.Text.RegularExpressions;
using YamlDotNet;
using YamlDotNet.Core;
using YamlDotNet.Serialization;
using YamlDotNet.Serialization.EventEmitters;
public class StringQuotingEmitter: ChainedEventEmitter {
// Patterns from https://yaml.org/spec/1.2/spec.html#id2804356
private static Regex quotedRegex = new Regex(@`"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$`", RegexOptions.Compiled | RegexOptions.IgnoreCase);
public StringQuotingEmitter(IEventEmitter next): base(next) {}
public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter) {
var typeCode = eventInfo.Source.Value != null
? Type.GetTypeCode(eventInfo.Source.Type)
: TypeCode.Empty;
switch (typeCode) {
case TypeCode.Char:
if (Char.IsDigit((char)eventInfo.Source.Value)) {
eventInfo.Style = ScalarStyle.DoubleQuoted;
}
break;
case TypeCode.String:
var val = eventInfo.Source.Value.ToString();
if (quotedRegex.IsMatch(val))
{
eventInfo.Style = ScalarStyle.DoubleQuoted;
} else if (val.IndexOf('\n') > -1) {
eventInfo.Style = ScalarStyle.Literal;
}
break;
}
base.Emit(eventInfo, emitter);
}
public static SerializerBuilder Add(SerializerBuilder builder) {
return builder.WithEventEmitter(next => new StringQuotingEmitter(next));
}
}
"@
if (!([System.Management.Automation.PSTypeName]'StringQuotingEmitter').Type) {
$referenceList = @([YamlDotNet.Serialization.Serializer].Assembly.Location,[Text.RegularExpressions.Regex].Assembly.Location)
if ($PSVersionTable.PSEdition -eq "Core") {
$referenceList += [IO.Directory]::GetFiles([IO.Path]::Combine($PSHOME, 'ref'), 'netstandard.dll', [IO.SearchOption]::TopDirectoryOnly)
Add-Type -TypeDefinition $stringQuotingEmitterSource -ReferencedAssemblies $referenceList -Language CSharp -CompilerOptions "-nowarn:1701"
} else {
Add-Type -TypeDefinition $stringQuotingEmitterSource -ReferencedAssemblies $referenceList -Language CSharp
}
}
function Get-Serializer {
Param(
[Parameter(Mandatory=$true)][SerializationOptions]$Options
)
$builder = New-Object "YamlDotNet.Serialization.SerializerBuilder"
if ($Options.HasFlag([SerializationOptions]::Roundtrip)) {
$builder = $builder.EnsureRoundtrip()
}
if ($Options.HasFlag([SerializationOptions]::DisableAliases)) {
$builder = $builder.DisableAliases()
}
if ($Options.HasFlag([SerializationOptions]::EmitDefaults)) {
$builder = $builder.EmitDefaults()
}
if ($Options.HasFlag([SerializationOptions]::JsonCompatible)) {
$builder = $builder.JsonCompatible()
}
if ($Options.HasFlag([SerializationOptions]::DefaultToStaticType)) {
$builder = $builder.WithTypeResolver((New-Object "YamlDotNet.Serialization.TypeResolvers.StaticTypeResolver"))
}
if ($Options.HasFlag([SerializationOptions]::WithIndentedSequences)) {
$builder = $builder.WithIndentedSequences()
}
$builder = [StringQuotingEmitter]::Add($builder)
return $builder.Build()
}
function ConvertTo-Yaml {
[CmdletBinding(DefaultParameterSetName = 'NoOptions')]
Param(
[Parameter(ValueFromPipeline = $true, Position=0)]
[System.Object]$Data,
[string]$OutFile,
[Parameter(ParameterSetName = 'Options')]
[SerializationOptions]$Options = [SerializationOptions]::Roundtrip,
[Parameter(ParameterSetName = 'NoOptions')]
[switch]$JsonCompatible,
[switch]$KeepArray,
[switch]$Force
)
BEGIN {
$d = [System.Collections.Generic.List[object]](New-Object "System.Collections.Generic.List[object]")
}
PROCESS {
if($data -is [System.Object]) {
$d.Add($data)
}
}
END {
if ($d -eq $null -or $d.Count -eq 0) {
return
}
if ($d.Count -eq 1 -and !($KeepArray)) {
$d = $d[0]
}
$norm = Convert-PSObjectToGenericObject $d
if ($OutFile) {
$parent = Split-Path $OutFile
if (!(Test-Path $parent)) {
Throw "Parent folder for specified path does not exist"
}
if ((Test-Path $OutFile) -and !$Force) {
Throw "Target file already exists. Use -Force to overwrite."
}
$wrt = New-Object "System.IO.StreamWriter" $OutFile
} else {
$wrt = New-Object "System.IO.StringWriter"
}
if ($PSCmdlet.ParameterSetName -eq 'NoOptions') {
$Options = 0
if ($JsonCompatible) {
# No indent options :~(
$Options = [SerializationOptions]::JsonCompatible
}
}
try {
$serializer = Get-Serializer $Options
$serializer.Serialize($wrt, $norm)
}
catch{
$_
}
finally {
$wrt.Close()
}
if ($OutFile) {
return
} else {
return $wrt.ToString()
}
}
}
New-Alias -Name cfy -Value ConvertFrom-Yaml
New-Alias -Name cty -Value ConvertTo-Yaml
Export-ModuleMember -Function ConvertFrom-Yaml,ConvertTo-Yaml -Alias cfy,cty
b4ecc18a-3f58-457d-9476-f738efb6af42C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1
410615103150x0708417Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708416Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708415Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf8afa8d1-795a-4ea8-bdb7-b093630e53022b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708414Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf8afa8d1-795a-4ea8-bdb7-b093630e53022b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708413Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Load-Assembly {
$libDir = Join-Path $here "lib"
$assemblies = @{
"core" = Join-Path $libDir "netstandard2.1\YamlDotNet.dll";
"net45" = Join-Path $libDir "net45\YamlDotNet.dll";
"net35" = Join-Path $libDir "net35\YamlDotNet.dll";
}
if ($PSVersionTable.Keys -contains "PSEdition") {
if ($PSVersionTable.PSEdition -eq "Core") {
return [Reflection.Assembly]::LoadFrom($assemblies["core"])
} elseif ($PSVersionTable.PSVersion.Major -ge 4) {
return [Reflection.Assembly]::LoadFrom($assemblies["net45"])
} else {
return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
}
} else { # Powershell 4.0 and lower do not know "PSEdition" yet
return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
}
}f8afa8d1-795a-4ea8-bdb7-b093630e5302C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1
410515102150x0708412Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localf5be2bf7-34df-49ca-ba95-548ee7b463a92b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708411Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11function Initialize-Assemblies {
$requiredTypes = @(
"Parser", "MergingParser", "YamlStream",
"YamlMappingNode", "YamlSequenceNode",
"YamlScalarNode", "ChainedEventEmitter",
"Serializer", "Deserializer", "SerializerBuilder",
"StaticTypeResolver"
)
$type = "YamlDotNet.Serialization.Serializer" -as [type]
if (!$type) {
return Load-Assembly
}
$yaml = $type.Assembly
foreach ($i in $requiredTypes){
if ($i -notin $yaml.DefinedTypes.Name) {
Throw "YamlDotNet is loaded but missing required types ($i). Older version installed on system?"
}
}
}f5be2bf7-34df-49ca-ba95-548ee7b463a9C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1
410615103150x0708410Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7366d78d-fe4d-42e2-97a1-6804fc40cd5d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708409Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7366d78d-fe4d-42e2-97a1-6804fc40cd5d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708408Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala3b4d9ad-a88c-4e67-8120-d192c168c5342b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104132150x0708407Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
function Load-Assembly {
$libDir = Join-Path $here "lib"
$assemblies = @{
"core" = Join-Path $libDir "netstandard2.1\YamlDotNet.dll";
"net45" = Join-Path $libDir "net45\YamlDotNet.dll";
"net35" = Join-Path $libDir "net35\YamlDotNet.dll";
}
if ($PSVersionTable.Keys -contains "PSEdition") {
if ($PSVersionTable.PSEdition -eq "Core") {
return [Reflection.Assembly]::LoadFrom($assemblies["core"])
} elseif ($PSVersionTable.PSVersion.Major -ge 4) {
return [Reflection.Assembly]::LoadFrom($assemblies["net45"])
} else {
return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
}
} else { # Powershell 4.0 and lower do not know "PSEdition" yet
return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
}
}
function Initialize-Assemblies {
$requiredTypes = @(
"Parser", "MergingParser", "YamlStream",
"YamlMappingNode", "YamlSequenceNode",
"YamlScalarNode", "ChainedEventEmitter",
"Serializer", "Deserializer", "SerializerBuilder",
"StaticTypeResolver"
)
$type = "YamlDotNet.Serialization.Serializer" -as [type]
if (!$type) {
return Load-Assembly
}
$yaml = $type.Assembly
foreach ($i in $requiredTypes){
if ($i -notin $yaml.DefinedTypes.Name) {
Throw "YamlDotNet is loaded but missing required types ($i). Older version installed on system?"
}
}
}
Initialize-Assemblies | Out-Null
a3b4d9ad-a88c-4e67-8120-d192c168c534C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies.ps1
410615103150x0708406Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708405Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708404Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708403Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4f98b29f-7e0f-46bb-8b9c-33d9f3863e2a2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708402Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Copyright 2016 Cloudbase Solutions Srl
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Module manifest for module 'powershell-yaml'
#
# Generated by: Gabriel Adrian Samfira
#
# Generated on: 10/01/2016
#
@{
# Script module or binary module file associated with this manifest.
RootModule = 'powershell-yaml.psm1'
# Version number of this module.
ModuleVersion = '0.4.7'
# ID used to uniquely identify this module
GUID = '6a75a662-7f53-425a-9777-ee61284407da'
# Author of this module
Author = 'Gabriel Adrian Samfira','Alessandro Pilotti'
# Company or vendor of this module
CompanyName = 'Cloudbase Solutions SRL'
# Copyright statement for this module
Copyright = '(c) 2016 Cloudbase Solutions SRL. All rights reserved.'
# Description of the functionality provided by this module
Description = 'Powershell module for serializing and deserializing YAML'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '3.0'
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
ScriptsToProcess = @("Load-Assemblies.ps1")
# Functions to export from this module
FunctionsToExport = "ConvertTo-Yaml","ConvertFrom-Yaml"
AliasesToExport = "cfy","cty"
}
4f98b29f-7e0f-46bb-8b9c-33d9f3863e2aC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psd1
410615103150x0708401Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala37d1ad9-089d-4390-ae02-2a755ed457082b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708400Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala37d1ad9-089d-4390-ae02-2a755ed457082b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708399Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11@{
# Script module or binary module file associated with this manifest.
RootModule = 'Invoke-AtomicRedTeam.psm1'
# Version number of this module.
ModuleVersion = '2.1.0'
# ID used to uniquely identify this module
GUID = '8f492621-18f8-432e-9532-b1d54d3e90bd'
# Author of this module
Author = 'Casey Smith @subTee, Josh Rickard @MSAdministrator, Carrie Roberts @OrOneEqualsOne, Matt Graeber @mattifestation'
# Company or vendor of this module
CompanyName = 'Red Canary, Inc.'
# Copyright statement for this module
Copyright = '(c) 2021 Red Canary. All rights reserved.'
# Description of the functionality provided by this module
Description = 'A PowerShell module that runs Atomic Red Team tests from yaml definition files.'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '5.0'
# Modules that must be imported into the global environment prior to importing this module
RequiredModules = @('powershell-yaml')
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# AtomicClassSchema.ps1 needs to be present in the caller's scope in order for the built-in classes to surface properly.
ScriptsToProcess = @('Private\AtomicClassSchema.ps1', 'Public\config.ps1')
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
FunctionsToExport = @(
'Invoke-AtomicTest',
'Get-AtomicTechnique',
'New-AtomicTechnique',
'New-AtomicTest',
'New-AtomicTestInputArgument',
'New-AtomicTestDependency',
'Start-AtomicGUI',
'Stop-AtomicGUI',
'Invoke-SetupAtomicRunner',
'Invoke-GenerateNewSchedule',
'Invoke-RefreshExistingSchedule',
'Invoke-AtomicRunner',
'Get-Schedule',
'Invoke-KickoffAtomicRunner',
'Get-PreferredIPAddress'
)
# Variables to export from this module
VariablesToExport = '*'
NestedModules = @(
"Public\Default-ExecutionLogger.psm1",
"Public\Attire-ExecutionLogger.psm1",
"Public\Syslog-ExecutionLogger.psm1",
"Public\WinEvent-ExecutionLogger.psm1"
)
# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
PrivateData = @{
PSData = @{
# Tags applied to this module. These help with module discovery in online galleries.
Tags = @('Security', 'Defense')
# A URL to the license for this module.
LicenseUri = 'https://github.com/redcanaryco/invoke-atomicredteam/blob/master/LICENSE.txt'
# A URL to the main website for this project.
ProjectUri = 'https://github.com/redcanaryco/invoke-atomicredteam'
# A URL to an icon representing this module.
# IconUri = ''
# ReleaseNotes of this module
ReleaseNotes = @'
1.0.2
-----
* Add support for custom execution loggers
1.0.1
-----
* Adding 'powershell-yaml' to RequiredModules in the module manifest
1.0.0
-----
* Initial release for submission to the PowerShell Gallery
'@
} # End of PSData hashtable
} # End of PrivateData hashtable
}
a37d1ad9-089d-4390-ae02-2a755ed45708C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1
410515102150x0708398Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6a19b68d-06ed-49fc-8aec-0f966f79484d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708397Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}6a19b68d-06ed-49fc-8aec-0f966f79484dC:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
410515102150x0708396Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1ff25d67-532c-4a41-9122-e42c72f7eb882b535b4c-a403-4565-9d75-b1fc8c18a9ac
4104152150x0708395Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11. 'C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'1ff25d67-532c-4a41-9122-e42c72f7eb88
4096214420x0708394Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local
410615103150x0708393Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local02fa9b70-3201-45a0-9832-d3639c437f1c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708392Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local02fa9b70-3201-45a0-9832-d3639c437f1c2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410615103150x0708391Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb8fd15f7-ff33-46d8-80a8-0c7aa095995d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
410515102150x0708390Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb8fd15f7-ff33-46d8-80a8-0c7aa095995d2b535b4c-a403-4565-9d75-b1fc8c18a9ac
5350414111100x0708389Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local336DefaultAppDomain
4096114410x0708388Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local
4673001305700x8020000000000000276676Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4673001305700x8020000000000000276675Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1Security-SeCreateGlobalPrivilege0x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4688201331200x8020000000000000276674Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x540C:\Windows\System32\conhost.exe%%19360x150\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level
4688201331200x8020000000000000276673Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d10x150C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe%%19360x14b0"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\High Mandatory Level
4673001305700x8010000000000000276672Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe
4673001305700x8010000000000000276671Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe
11241100x800000000000000044931Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:00.456{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mheb2ex0.yka.ps12024-02-21 18:02:00.456ATTACKRANGE\Administrator
154100x800000000000000044930Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 18:02:00.010{0b642d80-3a98-65d6-ba02-00000000be02}336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17763.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{0b642d80-2a3e-65d6-d192-050000000000}0x592d12HighMD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{0b642d80-2a40-65d6-cc00-00000000be02}5296C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECKATTACKRANGE\Administrator