4104152150x01539563840Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Securitya9377d19-43df-48f7-8670-033ead277fbe
410314106200x01539563711Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.17763.4840
Host ID = c4bb2388-e520-4cf2-97a3-7e416bf8820d
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Security
Engine Version = 5.1.17763.4840
Runspace ID = 315ad983-e51a-4c7f-8e03-2e66de919654
Pipeline ID = 3
Command Name = Add-Type
Command Type = Cmdlet
Script Name = C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1
Command Path =
Sequence Number = 16
User = ATTACKRANGE\administrator
Connected User =
Shell ID = Microsoft.PowerShell
CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value="using System;
using System.Text.RegularExpressions;
using YamlDotNet;
using YamlDotNet.Core;
using YamlDotNet.Serialization;
using YamlDotNet.Serialization.EventEmitters;
public class StringQuotingEmitter: ChainedEventEmitter {
// Patterns from https://yaml.org/spec/1.2/spec.html#id2804356
// Anchored (^...$) and case-insensitive, so it tests the whole string against
// tokens that look like YAML null/boolean/number scalars: ~, null, true, false,
// on, off, yes, no, y, n, optionally signed integer/decimal numbers with an
// optional exponent, and optionally signed .inf.
// The outer group is optional, so the empty string matches as well.
// Emit() treats a match as the signal to force double quotes on a string value.
private static Regex quotedRegex = new Regex(@"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$", RegexOptions.Compiled | RegexOptions.IgnoreCase);
// Wraps the next emitter in the chain; this class adds no state of its own.
public StringQuotingEmitter(IEventEmitter next)
    : base(next)
{
}
// Chooses a scalar style for char and string values, then hands the event to
// the next emitter in the chain.
//   - char that is a digit            -> double-quoted
//   - string matching quotedRegex     -> double-quoted
//   - other string containing '\n'    -> literal block
// Null values and every other type code pass through with their style untouched.
public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter)
{
    if (eventInfo.Source.Value != null)
    {
        TypeCode kind = Type.GetTypeCode(eventInfo.Source.Type);

        if (kind == TypeCode.Char)
        {
            bool isDigit = Char.IsDigit((char)eventInfo.Source.Value);
            if (isDigit)
            {
                eventInfo.Style = ScalarStyle.DoubleQuoted;
            }
        }
        else if (kind == TypeCode.String)
        {
            string text = eventInfo.Source.Value.ToString();
            bool looksLikeKeyword = quotedRegex.IsMatch(text);

            if (looksLikeKeyword)
            {
                eventInfo.Style = ScalarStyle.DoubleQuoted;
            }
            else if (text.IndexOf('\n') >= 0)
            {
                // Multi-line text is emitted as a literal block.
                eventInfo.Style = ScalarStyle.Literal;
            }
        }
    }

    // Always delegate, whether or not the style was changed above.
    base.Emit(eventInfo, emitter);
}
// Registers StringQuotingEmitter on the given builder and returns whatever
// WithEventEmitter returns, so the call can be chained.
public static SerializerBuilder Add(SerializerBuilder builder)
{
    return builder.WithEventEmitter(
        inner => new StringQuotingEmitter(inner));
}
}"
ParameterBinding(Add-Type): name="ReferencedAssemblies"; value="C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\lib\net45\YamlDotNet.dll, C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll"
ParameterBinding(Add-Type): name="Language"; value="CSharp"
4104152150x01539563649Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11powershell.exe -Command "New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Security"7f42c27e-bad8-4b29-981a-f2379313acbd