4104152150x01539563840Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Securitya9377d19-43df-48f7-8670-033ead277fbe 410314106200x01539563711Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local Severity = Informational Host Name = ConsoleHost Host Version = 5.1.17763.4840 Host ID = c4bb2388-e520-4cf2-97a3-7e416bf8820d Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Security Engine Version = 5.1.17763.4840 Runspace ID = 315ad983-e51a-4c7f-8e03-2e66de919654 Pipeline ID = 3 Command Name = Add-Type Command Type = Cmdlet Script Name = C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\powershell-yaml.psm1 Command Path = Sequence Number = 16 User = ATTACKRANGE\administrator Connected User = Shell ID = Microsoft.PowerShell CommandInvocation(Add-Type): "Add-Type" ParameterBinding(Add-Type): name="TypeDefinition"; value="using System; using System.Text.RegularExpressions; using YamlDotNet; using YamlDotNet.Core; using YamlDotNet.Serialization; using YamlDotNet.Serialization.EventEmitters; public class StringQuotingEmitter: ChainedEventEmitter { // Patterns from https://yaml.org/spec/1.2/spec.html#id2804356 private static Regex quotedRegex = new Regex(@"^(\~|null|true|false|on|off|yes|no|y|n|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?|[-+]?(\.inf))?$", RegexOptions.Compiled | RegexOptions.IgnoreCase); public StringQuotingEmitter(IEventEmitter next): base(next) {} public override void Emit(ScalarEventInfo eventInfo, IEmitter emitter) { var typeCode = eventInfo.Source.Value != null ? Type.GetTypeCode(eventInfo.Source.Type) : TypeCode.Empty; switch (typeCode) { case TypeCode.Char: if (Char.IsDigit((char)eventInfo.Source.Value)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } break; case TypeCode.String: var val = eventInfo.Source.Value.ToString(); if (quotedRegex.IsMatch(val)) { eventInfo.Style = ScalarStyle.DoubleQuoted; } else if (val.IndexOf('\n') > -1) { eventInfo.Style = ScalarStyle.Literal; } break; } base.Emit(eventInfo, emitter); } public static SerializerBuilder Add(SerializerBuilder builder) { return builder.WithEventEmitter(next => new StringQuotingEmitter(next)); } }" ParameterBinding(Add-Type): name="ReferencedAssemblies"; value="C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\lib\net45\YamlDotNet.dll, C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll" ParameterBinding(Add-Type): name="Language"; value="CSharp" 4104152150x01539563649Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11powershell.exe -Command "New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Security"7f42c27e-bad8-4b29-981a-f2379313acbd