02/22/2022 06:12:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12113759 Keywords=None Message=Started invocation of ScriptBlock ID: eb33f7b2-dee9-470f-9426-b8e9040370a0 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12113758 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-ADUser -Filter 'useraccountcontrol -band 4194304' ScriptBlock ID: eb33f7b2-dee9-470f-9426-b8e9040370a0 Path: 02/22/2022 06:12:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12113757 Keywords=None Message=Completed invocation of ScriptBlock ID: 705c35ce-c91d-4aeb-8235-ddbc30dd0a1c Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12113768 Keywords=None Message=Started invocation of ScriptBlock ID: 705c35ce-c91d-4aeb-8235-ddbc30dd0a1c Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12113767 Keywords=None Message=Completed invocation of ScriptBlock ID: 4d1a8ba6-4c48-4e92-aa60-49f4b3629293 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12113766 Keywords=None Message=Completed invocation of ScriptBlock ID: b80967b8-c43d-4513-868e-ebed106c0c42 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12113765 Keywords=None Message=Started invocation of ScriptBlock ID: b80967b8-c43d-4513-868e-ebed106c0c42 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12113764 Keywords=None Message=Started invocation of ScriptBlock ID: 4d1a8ba6-4c48-4e92-aa60-49f4b3629293 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12113763 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 4d1a8ba6-4c48-4e92-aa60-49f4b3629293 Path: 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12113762 Keywords=None Message=Completed invocation of ScriptBlock ID: eb66c543-5eae-46cc-a960-5b118c8231b0 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12113761 Keywords=None Message=Started invocation of ScriptBlock ID: eb66c543-5eae-46cc-a960-5b118c8231b0 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e 02/22/2022 06:12:44 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12113760 Keywords=None Message=Completed invocation of ScriptBlock ID: eb33f7b2-dee9-470f-9426-b8e9040370a0 Runspace ID: 7827dd4f-865e-4265-b9e7-184dca74469e