11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88855 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88854 Keywords=None Message=Started invocation of ScriptBlock ID: 271f1f21-372f-4d91-b310-6bcec3a6d76d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88853 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 271f1f21-372f-4d91-b310-6bcec3a6d76d Path: 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=88852 Keywords=None Message=PowerShell console is ready for user input 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88851 Keywords=None Message=Completed invocation of ScriptBlock ID: e354f3c3-c6ee-42fd-a9ce-3a4bdcce4d67 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88850 Keywords=None Message=Started invocation of ScriptBlock ID: e354f3c3-c6ee-42fd-a9ce-3a4bdcce4d67 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88849 Keywords=None Message=Completed invocation of ScriptBlock ID: c52b1f7a-7202-4547-a3f4-97fddf5ef12e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88848 Keywords=None Message=Started invocation of ScriptBlock ID: c52b1f7a-7202-4547-a3f4-97fddf5ef12e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=88847 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 5912 in AppDomain: DefaultAppDomain. 11/25/2021 10:01:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=88846 Keywords=None Message=PowerShell console is starting up 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88862 Keywords=None Message=Completed invocation of ScriptBlock ID: a726aa0b-6a3d-4596-95b4-76d0543795ad Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88861 Keywords=None Message=Started invocation of ScriptBlock ID: a726aa0b-6a3d-4596-95b4-76d0543795ad Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88860 Keywords=None Message=Completed invocation of ScriptBlock ID: d8369ee4-fd73-4036-beaa-5fd069f38809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88859 Keywords=None Message=Started invocation of ScriptBlock ID: d8369ee4-fd73-4036-beaa-5fd069f38809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88858 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88857 Keywords=None Message=Completed invocation of ScriptBlock ID: 271f1f21-372f-4d91-b310-6bcec3a6d76d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88856 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88864 Keywords=None Message=Completed invocation of ScriptBlock ID: 75ae5525-e7bd-469a-a5d5-03cb053feb0c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88863 Keywords=None Message=Started invocation of ScriptBlock ID: 75ae5525-e7bd-469a-a5d5-03cb053feb0c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88912 Keywords=None Message=Completed invocation of ScriptBlock ID: 892a28c5-5f50-461d-8489-9247b077097a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88911 Keywords=None Message=Started invocation of ScriptBlock ID: 892a28c5-5f50-461d-8489-9247b077097a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88910 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpSignature' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Update-MpSignature { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Update0')] [AllowEmptyString()] [AllowNull()] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('InternalDefinitionUpdateServer','MicrosoftUpdateServer','MMPC','FileShares')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpSignature.UpdateSource] ${UpdateSource}, [Parameter(ParameterSetName='Update0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Update0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Update0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('UpdateSource')) { [object]$__cmdletization_value = ${UpdateSource} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UpdateSource'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpSignature.UpdateSource'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UpdateSource'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpSignature.UpdateSource'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Update', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpSignature.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-MpSignature' -Alias '*' ScriptBlock ID: 892a28c5-5f50-461d-8489-9247b077097a Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88909 Keywords=None Message=Completed invocation of ScriptBlock ID: 3416c375-542c-4fd6-8bdb-62d3fb048df7 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88908 Keywords=None Message=Started invocation of ScriptBlock ID: 3416c375-542c-4fd6-8bdb-62d3fb048df7 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88907 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpScan' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Start-MpScan { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Start0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${ScanPath}, [Parameter(ParameterSetName='Start0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('FullScan','QuickScan','CustomScan')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpScan.ScanType] ${ScanType}, [Parameter(ParameterSetName='Start0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Start0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Start0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanPath')) { [object]$__cmdletization_value = ${ScanPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanType')) { [object]$__cmdletization_value = ${ScanType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpScan.ScanType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpScan.ScanType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Start', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpScan.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Start-MpScan' -Alias '*' ScriptBlock ID: 3416c375-542c-4fd6-8bdb-62d3fb048df7 Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88906 Keywords=None Message=Completed invocation of ScriptBlock ID: 154f92eb-1e3b-446c-9005-6b6d196dcbe7 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88905 Keywords=None Message=Started invocation of ScriptBlock ID: 154f92eb-1e3b-446c-9005-6b6d196dcbe7 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88904 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-MpThreatDetection { [CmdletBinding(DefaultParameterSetName='DefaultSet', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection')] param( [Parameter(ParameterSetName='ById')] [Alias('ID')] [ValidateNotNull()] [long[]] ${ThreatID}, [Parameter(ParameterSetName='ById')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ById')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ById')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('ThreatID') -and (@('ById') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ThreatID}) $__cmdletization_queryBuilder.FilterByProperty('ThreatID', $__cmdletization_values, $false, 'Default') } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpThreatDetection.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-MpThreatDetection' -Alias '*' ScriptBlock ID: 154f92eb-1e3b-446c-9005-6b6d196dcbe7 Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88903 Keywords=None Message=Completed invocation of ScriptBlock ID: 5c3ff9e7-7517-42da-9311-a468a87e03d0 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88902 Keywords=None Message=Started invocation of ScriptBlock ID: 5c3ff9e7-7517-42da-9311-a468a87e03d0 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88901 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-MpThreatCatalog { [CmdletBinding(DefaultParameterSetName='DefaultSet', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog')] param( [Parameter(ParameterSetName='ById')] [Alias('ID')] [ValidateNotNull()] [long[]] ${ThreatID}, [Parameter(ParameterSetName='ById')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ById')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ById')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('ThreatID') -and (@('ById') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ThreatID}) $__cmdletization_queryBuilder.FilterByProperty('ThreatID', $__cmdletization_values, $false, 'Default') } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpThreatCatalog.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-MpThreatCatalog' -Alias '*' ScriptBlock ID: 5c3ff9e7-7517-42da-9311-a468a87e03d0 Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88900 Keywords=None Message=Completed invocation of ScriptBlock ID: 9bfd0a50-76fc-414a-93e3-0b4057afe609 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88899 Keywords=None Message=Started invocation of ScriptBlock ID: 9bfd0a50-76fc-414a-93e3-0b4057afe609 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88898 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpThreat' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Remove-MpThreat { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Remove0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Remove0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Remove0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Remove', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpThreat.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-MpThreat' -Alias '*' function Get-MpThreat { [CmdletBinding(DefaultParameterSetName='DefaultSet', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#ROOT\Microsoft\Windows\Defender\MSFT_MpThreat')] param( [Parameter(ParameterSetName='ById')] [Alias('ID')] [ValidateNotNull()] [long[]] ${ThreatID}, [Parameter(ParameterSetName='ById')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ById')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ById')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('ThreatID') -and (@('ById') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ThreatID}) $__cmdletization_queryBuilder.FilterByProperty('ThreatID', $__cmdletization_values, $false, 'Default') } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpThreat.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-MpThreat' -Alias '*' ScriptBlock ID: 9bfd0a50-76fc-414a-93e3-0b4057afe609 Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88897 Keywords=None Message=Completed invocation of ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88896 Keywords=None Message=Started invocation of ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88895 Keywords=None Message=Creating Scriptblock text (21 of 21): [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowNetworkProtectionDownLevel')) { [object]$__cmdletization_value = ${AllowNetworkProtectionDownLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionDownLevel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionDownLevel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowDatagramProcessingOnWinServer')) { [object]$__cmdletization_value = ${AllowDatagramProcessingOnWinServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowDatagramProcessingOnWinServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowDatagramProcessingOnWinServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableDnsSinkhole')) { [object]$__cmdletization_value = ${EnableDnsSinkhole} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableDnsSinkhole'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableDnsSinkhole'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableInboundConnectionFiltering')) { [object]$__cmdletization_value = ${DisableInboundConnectionFiltering} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableInboundConnectionFiltering'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableInboundConnectionFiltering'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRdpParsing')) { [object]$__cmdletization_value = ${DisableRdpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRdpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRdpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableNetworkProtectionPerfTelemetry')) { [object]$__cmdletization_value = ${DisableNetworkProtectionPerfTelemetry} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableNetworkProtectionPerfTelemetry'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableNetworkProtectionPerfTelemetry'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('TrustLabelProtectionStatus')) { [object]$__cmdletization_value = ${TrustLabelProtectionStatus} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'TrustLabelProtectionStatus'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'TrustLabelProtectionStatus'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Force')) { [object]$__cmdletization_value = ${Force} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Remove', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpPreference.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-MpPreference' -Alias '*' function Get-MpPreference { [CmdletBinding(DefaultParameterSetName='DefaultSet', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root\Microsoft\Windows\Defender\MSFT_MpPreference')] param( [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [int] ${ThrottleLimit}, [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpPreference.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-MpPreference' -Alias '*' ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88894 Keywords=None Message=Creating Scriptblock text (20 of 21): '; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyPacUrl'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyServer')) { [object]$__cmdletization_value = ${ProxyServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyBypass')) { [object]$__cmdletization_value = ${ProxyBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyBypass'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyBypass'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceUseProxyOnly')) { [object]$__cmdletization_value = ${ForceUseProxyOnly} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceUseProxyOnly'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceUseProxyOnly'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableTlsParsing')) { [object]$__cmdletization_value = ${DisableTlsParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableTlsParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableTlsParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableHttpParsing')) { [object]$__cmdletization_value = ${DisableHttpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableHttpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableHttpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDnsParsing')) { [object]$__cmdletization_value = ${DisableDnsParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDnsOverTcpParsing')) { [object]$__cmdletization_value = ${DisableDnsOverTcpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsOverTcpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsOverTcpParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableSshParsing')) { [object]$__cmdletization_value = ${DisableSshParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableSshParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableSshParsing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PlatformUpdatesChannel')) { [object]$__cmdletization_value = ${PlatformUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PlatformUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PlatformUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EngineUpdatesChannel')) { [object]$__cmdletization_value = ${EngineUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EngineUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EngineUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefinitionUpdatesChannel')) { [object]$__cmdletization_value = ${DefinitionUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefinitionUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefinitionUpdatesChannel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableGradualRelease')) { [object]$__cmdletization_value = ${DisableGradualRelease} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableGradualRelease'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableGradualRelease'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88893 Keywords=None Message=Creating Scriptblock text (19 of 21): __cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudBlockLevel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudBlockLevel'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CloudExtendedTimeout')) { [object]$__cmdletization_value = ${CloudExtendedTimeout} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudExtendedTimeout'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudExtendedTimeout'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableNetworkProtection')) { [object]$__cmdletization_value = ${EnableNetworkProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableNetworkProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableNetworkProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableControlledFolderAccess')) { [object]$__cmdletization_value = ${EnableControlledFolderAccess} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableControlledFolderAccess'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableControlledFolderAccess'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionOnlyExclusions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionOnlyExclusions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessAllowedApplications')) { [object]$__cmdletization_value = ${ControlledFolderAccessAllowedApplications} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessProtectedFolders')) { [object]$__cmdletization_value = ${ControlledFolderAccessProtectedFolders} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Ids')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Actions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableLowCpuPriority')) { [object]$__cmdletization_value = ${EnableLowCpuPriority} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableLowCpuPriority'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableLowCpuPriority'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableFileHashComputation')) { [object]$__cmdletization_value = ${EnableFileHashComputation} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFileHashComputation'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFileHashComputation'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableFullScanOnBatteryPower')) { [object]$__cmdletization_value = ${EnableFullScanOnBatteryPower} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFullScanOnBatteryPower'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFullScanOnBatteryPower'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyPacUrl')) { [object]$__cmdletization_value = ${ProxyPacUrl} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyPacUrl'; ParameterType = 'System.Management.Automation.SwitchParameter ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88892 Keywords=None Message=Creating Scriptblock text (18 of 21): tization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScanningMappedNetworkDrivesForFullScan')) { [object]$__cmdletization_value = ${DisableScanningMappedNetworkDrivesForFullScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningMappedNetworkDrivesForFullScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningMappedNetworkDrivesForFullScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScanningNetworkFiles')) { [object]$__cmdletization_value = ${DisableScanningNetworkFiles} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningNetworkFiles'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningNetworkFiles'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('UILockdown')) { [object]$__cmdletization_value = ${UILockdown} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UILockdown'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UILockdown'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Ids')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Actions')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('UnknownThreatDefaultAction')) { [object]$__cmdletization_value = ${UnknownThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UnknownThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UnknownThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LowThreatDefaultAction')) { [object]$__cmdletization_value = ${LowThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LowThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LowThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ModerateThreatDefaultAction')) { [object]$__cmdletization_value = ${ModerateThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ModerateThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ModerateThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('HighThreatDefaultAction')) { [object]$__cmdletization_value = ${HighThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'HighThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'HighThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SevereThreatDefaultAction')) { [object]$__cmdletization_value = ${SevereThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SevereThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SevereThreatDefaultAction'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableBlockAtFirstSeen')) { [object]$__cmdletization_value = ${DisableBlockAtFirstSeen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBlockAtFirstSeen'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBlockAtFirstSeen'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PUAProtection')) { [object]$__cmdletization_value = ${PUAProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PUAProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PUAProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CloudBlockLevel')) { [object]$__cmdletization_value = ${CloudBlockLevel} $ ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88891 Keywords=None Message=Creating Scriptblock text (17 of 21): luePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SchedulerRandomizationTime')) { [object]$__cmdletization_value = ${SchedulerRandomizationTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SchedulerRandomizationTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SchedulerRandomizationTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableBehaviorMonitoring')) { [object]$__cmdletization_value = ${DisableBehaviorMonitoring} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBehaviorMonitoring'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBehaviorMonitoring'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableIntrusionPreventionSystem')) { [object]$__cmdletization_value = ${DisableIntrusionPreventionSystem} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIntrusionPreventionSystem'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIntrusionPreventionSystem'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableIOAVProtection')) { [object]$__cmdletization_value = ${DisableIOAVProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIOAVProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIOAVProtection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRealtimeMonitoring')) { [object]$__cmdletization_value = ${DisableRealtimeMonitoring} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRealtimeMonitoring'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRealtimeMonitoring'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScriptScanning')) { [object]$__cmdletization_value = ${DisableScriptScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScriptScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScriptScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableArchiveScanning')) { [object]$__cmdletization_value = ${DisableArchiveScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableArchiveScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableArchiveScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCatchupFullScan')) { [object]$__cmdletization_value = ${DisableCatchupFullScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupFullScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupFullScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCatchupQuickScan')) { [object]$__cmdletization_value = ${DisableCatchupQuickScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupQuickScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupQuickScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableEmailScanning')) { [object]$__cmdletization_value = ${DisableEmailScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableEmailScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableEmailScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRemovableDriveScanning')) { [object]$__cmdletization_value = ${DisableRemovableDriveScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRemovableDriveScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRemovableDriveScanning'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRestorePoint')) { [object]$__cmdletization_value = ${DisableRestorePoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRestorePoint'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRestorePoint'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdle ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88890 Keywords=None Message=Creating Scriptblock text (16 of 21): ft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateCatchupInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureUpdateInterval')) { [object]$__cmdletization_value = ${SignatureUpdateInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureBlobUpdateInterval')) { [object]$__cmdletization_value = ${SignatureBlobUpdateInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobUpdateInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobUpdateInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureBlobFileSharesSources')) { [object]$__cmdletization_value = ${SignatureBlobFileSharesSources} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobFileSharesSources'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobFileSharesSources'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MeteredConnectionUpdates')) { [object]$__cmdletization_value = ${MeteredConnectionUpdates} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MeteredConnectionUpdates'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MeteredConnectionUpdates'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowNetworkProtectionOnWinServer')) { [object]$__cmdletization_value = ${AllowNetworkProtectionOnWinServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionOnWinServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionOnWinServer'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDatagramProcessing')) { [object]$__cmdletization_value = ${DisableDatagramProcessing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDatagramProcessing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDatagramProcessing'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCpuThrottleOnIdleScans')) { [object]$__cmdletization_value = ${DisableCpuThrottleOnIdleScans} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCpuThrottleOnIdleScans'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCpuThrottleOnIdleScans'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MAPSReporting')) { [object]$__cmdletization_value = ${MAPSReporting} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MAPSReporting'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MAPSReporting'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SubmitSamplesConsent')) { [object]$__cmdletization_value = ${SubmitSamplesConsent} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SubmitSamplesConsent'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SubmitSamplesConsent'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableAutoExclusions')) { [object]$__cmdletization_value = ${DisableAutoExclusions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableAutoExclusions'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableAutoExclusions'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisablePrivacyMode')) { [object]$__cmdletization_value = ${DisablePrivacyMode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisablePrivacyMode'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisablePrivacyMode'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RandomizeScheduleTaskTimes')) { [object]$__cmdletization_value = ${RandomizeScheduleTaskTimes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RandomizeScheduleTaskTimes'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RandomizeScheduleTaskTimes'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsVa ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88889 Keywords=None Message=Creating Scriptblock text (15 of 21): letization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleQuickScanTime')) { [object]$__cmdletization_value = ${ScanScheduleQuickScanTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleQuickScanTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleQuickScanTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleTime')) { [object]$__cmdletization_value = ${ScanScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThrottleForScheduledScanOnly')) { [object]$__cmdletization_value = ${ThrottleForScheduledScanOnly} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThrottleForScheduledScanOnly'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThrottleForScheduledScanOnly'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureFirstAuGracePeriod')) { [object]$__cmdletization_value = ${SignatureFirstAuGracePeriod} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFirstAuGracePeriod'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFirstAuGracePeriod'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureAuGracePeriod')) { [object]$__cmdletization_value = ${SignatureAuGracePeriod} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureAuGracePeriod'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureAuGracePeriod'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureDefinitionUpdateFileSharesSources')) { [object]$__cmdletization_value = ${SignatureDefinitionUpdateFileSharesSources} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDefinitionUpdateFileSharesSources'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDefinitionUpdateFileSharesSources'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureDisableUpdateOnStartupWithoutEngine')) { [object]$__cmdletization_value = ${SignatureDisableUpdateOnStartupWithoutEngine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDisableUpdateOnStartupWithoutEngine'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDisableUpdateOnStartupWithoutEngine'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureFallbackOrder')) { [object]$__cmdletization_value = ${SignatureFallbackOrder} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFallbackOrder'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFallbackOrder'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SharedSignaturesPath')) { [object]$__cmdletization_value = ${SharedSignaturesPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SharedSignaturesPath'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SharedSignaturesPath'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureScheduleDay')) { [object]$__cmdletization_value = ${SignatureScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureScheduleTime')) { [object]$__cmdletization_value = ${SignatureScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureUpdateCatchupInterval')) { [object]$__cmdletization_value = ${SignatureUpdateCatchupInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateCatchupInterval'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microso ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88888 Keywords=None Message=Creating Scriptblock text (14 of 21): r = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RealTimeScanDirection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RealTimeScanDirection'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuarantinePurgeItemsAfterDelay')) { [object]$__cmdletization_value = ${QuarantinePurgeItemsAfterDelay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuarantinePurgeItemsAfterDelay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuarantinePurgeItemsAfterDelay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemediationScheduleDay')) { [object]$__cmdletization_value = ${RemediationScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemediationScheduleTime')) { [object]$__cmdletization_value = ${RemediationScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleTime'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingAdditionalActionTimeOut')) { [object]$__cmdletization_value = ${ReportingAdditionalActionTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingAdditionalActionTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingAdditionalActionTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingCriticalFailureTimeOut')) { [object]$__cmdletization_value = ${ReportingCriticalFailureTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingCriticalFailureTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingCriticalFailureTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingNonCriticalTimeOut')) { [object]$__cmdletization_value = ${ReportingNonCriticalTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingNonCriticalTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingNonCriticalTimeOut'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanAvgCPULoadFactor')) { [object]$__cmdletization_value = ${ScanAvgCPULoadFactor} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanAvgCPULoadFactor'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanAvgCPULoadFactor'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CheckForSignaturesBeforeRunningScan')) { [object]$__cmdletization_value = ${CheckForSignaturesBeforeRunningScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CheckForSignaturesBeforeRunningScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CheckForSignaturesBeforeRunningScan'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanPurgeItemsAfterDelay')) { [object]$__cmdletization_value = ${ScanPurgeItemsAfterDelay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPurgeItemsAfterDelay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPurgeItemsAfterDelay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanOnlyIfIdleEnabled')) { [object]$__cmdletization_value = ${ScanOnlyIfIdleEnabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanOnlyIfIdleEnabled'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanOnlyIfIdleEnabled'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanParameters')) { [object]$__cmdletization_value = ${ScanParameters} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanParameters'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanParameters'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleDay')) { [object]$__cmdletization_value = ${ScanScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleDay'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmd ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88887 Keywords=None Message=Creating Scriptblock text (13 of 21): etName='Remove2')] [Alias('htdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${HighThreatDefaultAction}, [Parameter(ParameterSetName='Remove2')] [Alias('stdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SevereThreatDefaultAction}, [Parameter(ParameterSetName='Remove2')] [Alias('dbaf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableBlockAtFirstSeen}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${PUAProtection}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${CloudBlockLevel}, [Parameter(ParameterSetName='Remove2')] [Alias('cloudextimeout')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${CloudExtendedTimeout}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableNetworkProtection}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableControlledFolderAccess}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionOnlyExclusions}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessAllowedApplications}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessProtectedFolders}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionRules_Ids}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]] ${AttackSurfaceReductionRules_Actions}, [Parameter(ParameterSetName='Remove2')] [Alias('elcp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableLowCpuPriority}, [Parameter(ParameterSetName='Remove2')] [Alias('efhc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableFileHashComputation}, [Parameter(ParameterSetName='Remove2')] [Alias('efsobp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableFullScanOnBatteryPower}, [Parameter(ParameterSetName='Remove2')] [Alias('ppurl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ProxyPacUrl}, [Parameter(ParameterSetName='Remove2')] [Alias('proxsrv')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ProxyServer}, [Parameter(ParameterSetName='Remove2')] [Alias('proxbps')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ProxyBypass}, [Parameter(ParameterSetName='Remove2')] [Alias('fupo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ForceUseProxyOnly}, [Parameter(ParameterSetName='Remove2')] [Alias('dtlsp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableTlsParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('dhttpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableHttpParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('ddnsp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableDnsParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('ddnstcpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableDnsOverTcpParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('dsshp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableSshParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('puc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${PlatformUpdatesChannel}, [Parameter(ParameterSetName='Remove2')] [Alias('euc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EngineUpdatesChannel}, [Parameter(ParameterSetName='Remove2')] [Alias('duc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DefinitionUpdatesChannel}, [Parameter(ParameterSetName='Remove2')] [Alias('dgr')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableGradualRelease}, [Parameter(ParameterSetName='Remove2')] [Alias('anpdl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${AllowNetworkProtectionDownLevel}, [Parameter(ParameterSetName='Remove2')] [Alias('adpows')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${AllowDatagramProcessingOnWinServer}, [Parameter(ParameterSetName='Remove2')] [Alias('ednss')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${EnableDnsSinkhole}, [Parameter(ParameterSetName='Remove2')] [Alias('dicf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableInboundConnectionFiltering}, [Parameter(ParameterSetName='Remove2')] [Alias('drdpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableRdpParsing}, [Parameter(ParameterSetName='Remove2')] [Alias('dnppt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableNetworkProtectionPerfTelemetry}, [Parameter(ParameterSetName='Remove2')] [Alias('tlps')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${TrustLabelProtectionStatus}, [Parameter(ParameterSetName='Remove2')] [switch] ${Force}, [Parameter(ParameterSetName='Remove2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Remove2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Remove2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionPath')) { [object]$__cmdletization_value = ${ExclusionPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionExtension')) { [object]$__cmdletization_value = ${ExclusionExtension} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionProcess')) { [object]$__cmdletization_value = ${ExclusionProcess} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionIpAddress')) { [object]$__cmdletization_value = ${ExclusionIpAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RealTimeScanDirection')) { [object]$__cmdletization_value = ${RealTimeScanDirection} $__cmdletization_methodParamete ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88886 Keywords=None Message=Creating Scriptblock text (12 of 21): $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Add', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpPreference.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Add-MpPreference' -Alias '*' function Remove-MpPreference { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionPath}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionExtension}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionProcess}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionIpAddress}, [Parameter(ParameterSetName='Remove2')] [Alias('rtsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${RealTimeScanDirection}, [Parameter(ParameterSetName='Remove2')] [Alias('qpiad')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${QuarantinePurgeItemsAfterDelay}, [Parameter(ParameterSetName='Remove2')] [Alias('rsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${RemediationScheduleDay}, [Parameter(ParameterSetName='Remove2')] [Alias('rst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${RemediationScheduleTime}, [Parameter(ParameterSetName='Remove2')] [Alias('raat')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ReportingAdditionalActionTimeOut}, [Parameter(ParameterSetName='Remove2')] [Alias('rcto')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ReportingCriticalFailureTimeOut}, [Parameter(ParameterSetName='Remove2')] [Alias('rncto')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ReportingNonCriticalTimeOut}, [Parameter(ParameterSetName='Remove2')] [Alias('saclf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanAvgCPULoadFactor}, [Parameter(ParameterSetName='Remove2')] [Alias('csbr')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${CheckForSignaturesBeforeRunningScan}, [Parameter(ParameterSetName='Remove2')] [Alias('spiad')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanPurgeItemsAfterDelay}, [Parameter(ParameterSetName='Remove2')] [Alias('soiie')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanOnlyIfIdleEnabled}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanParameters}, [Parameter(ParameterSetName='Remove2')] [Alias('scsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanScheduleDay}, [Parameter(ParameterSetName='Remove2')] [Alias('scsqst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanScheduleQuickScanTime}, [Parameter(ParameterSetName='Remove2')] [Alias('scst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ScanScheduleTime}, [Parameter(ParameterSetName='Remove2')] [Alias('tfsso')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ThrottleForScheduledScanOnly}, [Parameter(ParameterSetName='Remove2')] [Alias('sigfagp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureFirstAuGracePeriod}, [Parameter(ParameterSetName='Remove2')] [Alias('sigagp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureAuGracePeriod}, [Parameter(ParameterSetName='Remove2')] [Alias('sigdufss')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureDefinitionUpdateFileSharesSources}, [Parameter(ParameterSetName='Remove2')] [Alias('sigduoswo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureDisableUpdateOnStartupWithoutEngine}, [Parameter(ParameterSetName='Remove2')] [Alias('sfo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureFallbackOrder}, [Parameter(ParameterSetName='Remove2')] [Alias('ssp','SecurityIntelligenceLocation','ssl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SharedSignaturesPath}, [Parameter(ParameterSetName='Remove2')] [Alias('sigsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureScheduleDay}, [Parameter(ParameterSetName='Remove2')] [Alias('sigst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureScheduleTime}, [Parameter(ParameterSetName='Remove2')] [Alias('siguci')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureUpdateCatchupInterval}, [Parameter(ParameterSetName='Remove2')] [Alias('sigui')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureUpdateInterval}, [Parameter(ParameterSetName='Remove2')] [Alias('sigbui')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureBlobUpdateInterval}, [Parameter(ParameterSetName='Remove2')] [Alias('sigbfs')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SignatureBlobFileSharesSources}, [Parameter(ParameterSetName='Remove2')] [Alias('mcupd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${MeteredConnectionUpdates}, [Parameter(ParameterSetName='Remove2')] [Alias('anpws')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${AllowNetworkProtectionOnWinServer}, [Parameter(ParameterSetName='Remove2')] [Alias('ddtgp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableDatagramProcessing}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableCpuThrottleOnIdleScans}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${MAPSReporting}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SubmitSamplesConsent}, [Parameter(ParameterSetName='Remove2')] [Alias('dae')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableAutoExclusions}, [Parameter(ParameterSetName='Remove2')] [Alias('dpm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisablePrivacyMode}, [Parameter(ParameterSetName='Remove2')] [Alias('rstt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${RandomizeScheduleTaskTimes}, [Parameter(ParameterSetName='Remove2')] [Alias('srt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${SchedulerRandomizationTime}, [Parameter(ParameterSetName='Remove2')] [Alias('dbm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableBehaviorMonitoring}, [Parameter(ParameterSetName='Remove2')] [Alias('dips')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableIntrusionPreventionSystem}, [Parameter(ParameterSetName='Remove2')] [Alias('dioavp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableIOAVProtection}, [Parameter(ParameterSetName='Remove2')] [Alias('drtm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableRealtimeMonitoring}, [Parameter(ParameterSetName='Remove2')] [Alias('dscrptsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableScriptScanning}, [Parameter(ParameterSetName='Remove2')] [Alias('darchsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableArchiveScanning}, [Parameter(ParameterSetName='Remove2')] [Alias('dcfsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableCatchupFullScan}, [Parameter(ParameterSetName='Remove2')] [Alias('dcqsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableCatchupQuickScan}, [Parameter(ParameterSetName='Remove2')] [Alias('demsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableEmailScanning}, [Parameter(ParameterSetName='Remove2')] [Alias('drdsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableRemovableDriveScanning}, [Parameter(ParameterSetName='Remove2')] [Alias('drp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableRestorePoint}, [Parameter(ParameterSetName='Remove2')] [Alias('dsmndfsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableScanningMappedNetworkDrivesForFullScan}, [Parameter(ParameterSetName='Remove2')] [Alias('dsnf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${DisableScanningNetworkFiles}, [Parameter(ParameterSetName='Remove2')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${UILockdown}, [Parameter(ParameterSetName='Remove2')] [Alias('tiddefaci')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [long[]] ${ThreatIDDefaultAction_Ids}, [Parameter(ParameterSetName='Remove2')] [Alias('tiddefaca')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]] ${ThreatIDDefaultAction_Actions}, [Parameter(ParameterSetName='Remove2')] [Alias('unktdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${UnknownThreatDefaultAction}, [Parameter(ParameterSetName='Remove2')] [Alias('ltdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${LowThreatDefaultAction}, [Parameter(ParameterSetName='Remove2')] [Alias('mtdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [switch] ${ModerateThreatDefaultAction}, [Parameter(ParameterS ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88885 Keywords=None Message=Creating Scriptblock text (11 of 21): undParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionPath')) { [object]$__cmdletization_value = ${ExclusionPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionExtension')) { [object]$__cmdletization_value = ${ExclusionExtension} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionProcess')) { [object]$__cmdletization_value = ${ExclusionProcess} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionIpAddress')) { [object]$__cmdletization_value = ${ExclusionIpAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Ids')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Actions')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionOnlyExclusions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionOnlyExclusions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessAllowedApplications')) { [object]$__cmdletization_value = ${ControlledFolderAccessAllowedApplications} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessProtectedFolders')) { [object]$__cmdletization_value = ${ControlledFolderAccessProtectedFolders} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Ids')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Actions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Force')) { [object]$__cmdletization_value = ${Force} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88884 Keywords=None Message=Creating Scriptblock text (10 of 21): methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableGradualRelease')) { [object]$__cmdletization_value = ${DisableGradualRelease} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableGradualRelease'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableGradualRelease'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowNetworkProtectionDownLevel')) { [object]$__cmdletization_value = ${AllowNetworkProtectionDownLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionDownLevel'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionDownLevel'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowDatagramProcessingOnWinServer')) { [object]$__cmdletization_value = ${AllowDatagramProcessingOnWinServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowDatagramProcessingOnWinServer'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowDatagramProcessingOnWinServer'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableDnsSinkhole')) { [object]$__cmdletization_value = ${EnableDnsSinkhole} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableDnsSinkhole'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableDnsSinkhole'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableInboundConnectionFiltering')) { [object]$__cmdletization_value = ${DisableInboundConnectionFiltering} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableInboundConnectionFiltering'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableInboundConnectionFiltering'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRdpParsing')) { [object]$__cmdletization_value = ${DisableRdpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRdpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRdpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableNetworkProtectionPerfTelemetry')) { [object]$__cmdletization_value = ${DisableNetworkProtectionPerfTelemetry} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableNetworkProtectionPerfTelemetry'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableNetworkProtectionPerfTelemetry'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('TrustLabelProtectionStatus')) { [object]$__cmdletization_value = ${TrustLabelProtectionStatus} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'TrustLabelProtectionStatus'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'TrustLabelProtectionStatus'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Set', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpPreference.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-MpPreference' -Alias '*' function Add-MpPreference { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionPath}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionExtension}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionProcess}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionIpAddress}, [Parameter(ParameterSetName='Add1')] [Alias('tiddefaci')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [long[]] ${ThreatIDDefaultAction_Ids}, [Parameter(ParameterSetName='Add1')] [Alias('tiddefaca')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]] ${ThreatIDDefaultAction_Actions}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionOnlyExclusions}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessAllowedApplications}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessProtectedFolders}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionRules_Ids}, [Parameter(ParameterSetName='Add1')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]] ${AttackSurfaceReductionRules_Actions}, [Parameter(ParameterSetName='Add1')] [switch] ${Force}, [Parameter(ParameterSetName='Add1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Add1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Add1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBo ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88883 Keywords=None Message=Creating Scriptblock text (9 of 21): $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableFullScanOnBatteryPower')) { [object]$__cmdletization_value = ${EnableFullScanOnBatteryPower} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFullScanOnBatteryPower'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFullScanOnBatteryPower'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyPacUrl')) { [object]$__cmdletization_value = ${ProxyPacUrl} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyPacUrl'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyPacUrl'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyServer')) { [object]$__cmdletization_value = ${ProxyServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyServer'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyServer'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ProxyBypass')) { [object]$__cmdletization_value = ${ProxyBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyBypass'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ProxyBypass'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceUseProxyOnly')) { [object]$__cmdletization_value = ${ForceUseProxyOnly} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceUseProxyOnly'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceUseProxyOnly'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableTlsParsing')) { [object]$__cmdletization_value = ${DisableTlsParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableTlsParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableTlsParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableHttpParsing')) { [object]$__cmdletization_value = ${DisableHttpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableHttpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableHttpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDnsParsing')) { [object]$__cmdletization_value = ${DisableDnsParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDnsOverTcpParsing')) { [object]$__cmdletization_value = ${DisableDnsOverTcpParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsOverTcpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDnsOverTcpParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableSshParsing')) { [object]$__cmdletization_value = ${DisableSshParsing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableSshParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableSshParsing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PlatformUpdatesChannel')) { [object]$__cmdletization_value = ${PlatformUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PlatformUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PlatformUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EngineUpdatesChannel')) { [object]$__cmdletization_value = ${EngineUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EngineUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EngineUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefinitionUpdatesChannel')) { [object]$__cmdletization_value = ${DefinitionUpdatesChannel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefinitionUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefinitionUpdatesChannel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_ ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88882 Keywords=None Message=Creating Scriptblock text (8 of 21): eters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PUAProtection')) { [object]$__cmdletization_value = ${PUAProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PUAProtection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PUAProtection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CloudBlockLevel')) { [object]$__cmdletization_value = ${CloudBlockLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudBlockLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.CloudBlockLevelType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudBlockLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.CloudBlockLevelType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CloudExtendedTimeout')) { [object]$__cmdletization_value = ${CloudExtendedTimeout} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudExtendedTimeout'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CloudExtendedTimeout'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableNetworkProtection')) { [object]$__cmdletization_value = ${EnableNetworkProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableNetworkProtection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableNetworkProtection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableControlledFolderAccess')) { [object]$__cmdletization_value = ${EnableControlledFolderAccess} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableControlledFolderAccess'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ControlledFolderAccessType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableControlledFolderAccess'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ControlledFolderAccessType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionOnlyExclusions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionOnlyExclusions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionOnlyExclusions'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessAllowedApplications')) { [object]$__cmdletization_value = ${ControlledFolderAccessAllowedApplications} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessAllowedApplications'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ControlledFolderAccessProtectedFolders')) { [object]$__cmdletization_value = ${ControlledFolderAccessProtectedFolders} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ControlledFolderAccessProtectedFolders'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Ids')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Ids'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AttackSurfaceReductionRules_Actions')) { [object]$__cmdletization_value = ${AttackSurfaceReductionRules_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AttackSurfaceReductionRules_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableLowCpuPriority')) { [object]$__cmdletization_value = ${EnableLowCpuPriority} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableLowCpuPriority'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableLowCpuPriority'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableFileHashComputation')) { [object]$__cmdletization_value = ${EnableFileHashComputation} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFileHashComputation'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableFileHashComputation'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88881 Keywords=None Message=Creating Scriptblock text (7 of 21): ValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScanningMappedNetworkDrivesForFullScan')) { [object]$__cmdletization_value = ${DisableScanningMappedNetworkDrivesForFullScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningMappedNetworkDrivesForFullScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningMappedNetworkDrivesForFullScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScanningNetworkFiles')) { [object]$__cmdletization_value = ${DisableScanningNetworkFiles} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningNetworkFiles'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScanningNetworkFiles'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('UILockdown')) { [object]$__cmdletization_value = ${UILockdown} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UILockdown'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UILockdown'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Ids')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Ids} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Ids'; ParameterType = 'System.Int64[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThreatIDDefaultAction_Actions')) { [object]$__cmdletization_value = ${ThreatIDDefaultAction_Actions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThreatIDDefaultAction_Actions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('UnknownThreatDefaultAction')) { [object]$__cmdletization_value = ${UnknownThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UnknownThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'UnknownThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LowThreatDefaultAction')) { [object]$__cmdletization_value = ${LowThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LowThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LowThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ModerateThreatDefaultAction')) { [object]$__cmdletization_value = ${ModerateThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ModerateThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ModerateThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('HighThreatDefaultAction')) { [object]$__cmdletization_value = ${HighThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'HighThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'HighThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SevereThreatDefaultAction')) { [object]$__cmdletization_value = ${SevereThreatDefaultAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SevereThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SevereThreatDefaultAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Force')) { [object]$__cmdletization_value = ${Force} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:operationOption:Force'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableBlockAtFirstSeen')) { [object]$__cmdletization_value = ${DisableBlockAtFirstSeen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBlockAtFirstSeen'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBlockAtFirstSeen'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParam ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88880 Keywords=None Message=Creating Scriptblock text (6 of 21): ue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RandomizeScheduleTaskTimes')) { [object]$__cmdletization_value = ${RandomizeScheduleTaskTimes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RandomizeScheduleTaskTimes'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RandomizeScheduleTaskTimes'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SchedulerRandomizationTime')) { [object]$__cmdletization_value = ${SchedulerRandomizationTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SchedulerRandomizationTime'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SchedulerRandomizationTime'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableBehaviorMonitoring')) { [object]$__cmdletization_value = ${DisableBehaviorMonitoring} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBehaviorMonitoring'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableBehaviorMonitoring'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableIntrusionPreventionSystem')) { [object]$__cmdletization_value = ${DisableIntrusionPreventionSystem} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIntrusionPreventionSystem'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIntrusionPreventionSystem'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableIOAVProtection')) { [object]$__cmdletization_value = ${DisableIOAVProtection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIOAVProtection'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableIOAVProtection'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRealtimeMonitoring')) { [object]$__cmdletization_value = ${DisableRealtimeMonitoring} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRealtimeMonitoring'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRealtimeMonitoring'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableScriptScanning')) { [object]$__cmdletization_value = ${DisableScriptScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScriptScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableScriptScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableArchiveScanning')) { [object]$__cmdletization_value = ${DisableArchiveScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableArchiveScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableArchiveScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCatchupFullScan')) { [object]$__cmdletization_value = ${DisableCatchupFullScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupFullScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupFullScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCatchupQuickScan')) { [object]$__cmdletization_value = ${DisableCatchupQuickScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupQuickScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCatchupQuickScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableEmailScanning')) { [object]$__cmdletization_value = ${DisableEmailScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableEmailScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableEmailScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRemovableDriveScanning')) { [object]$__cmdletization_value = ${DisableRemovableDriveScanning} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRemovableDriveScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRemovableDriveScanning'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableRestorePoint')) { [object]$__cmdletization_value = ${DisableRestorePoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRestorePoint'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableRestorePoint'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; Is ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88879 Keywords=None Message=Creating Scriptblock text (5 of 21): [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureScheduleTime')) { [object]$__cmdletization_value = ${SignatureScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureUpdateCatchupInterval')) { [object]$__cmdletization_value = ${SignatureUpdateCatchupInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateCatchupInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateCatchupInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureUpdateInterval')) { [object]$__cmdletization_value = ${SignatureUpdateInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureUpdateInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureBlobUpdateInterval')) { [object]$__cmdletization_value = ${SignatureBlobUpdateInterval} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobUpdateInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobUpdateInterval'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureBlobFileSharesSources')) { [object]$__cmdletization_value = ${SignatureBlobFileSharesSources} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobFileSharesSources'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureBlobFileSharesSources'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MeteredConnectionUpdates')) { [object]$__cmdletization_value = ${MeteredConnectionUpdates} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MeteredConnectionUpdates'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MeteredConnectionUpdates'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowNetworkProtectionOnWinServer')) { [object]$__cmdletization_value = ${AllowNetworkProtectionOnWinServer} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionOnWinServer'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowNetworkProtectionOnWinServer'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableDatagramProcessing')) { [object]$__cmdletization_value = ${DisableDatagramProcessing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDatagramProcessing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableDatagramProcessing'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableCpuThrottleOnIdleScans')) { [object]$__cmdletization_value = ${DisableCpuThrottleOnIdleScans} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCpuThrottleOnIdleScans'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableCpuThrottleOnIdleScans'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MAPSReporting')) { [object]$__cmdletization_value = ${MAPSReporting} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MAPSReporting'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.MAPSReportingType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MAPSReporting'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.MAPSReportingType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SubmitSamplesConsent')) { [object]$__cmdletization_value = ${SubmitSamplesConsent} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SubmitSamplesConsent'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SubmitSamplesConsent'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisableAutoExclusions')) { [object]$__cmdletization_value = ${DisableAutoExclusions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableAutoExclusions'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisableAutoExclusions'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisablePrivacyMode')) { [object]$__cmdletization_value = ${DisablePrivacyMode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisablePrivacyMode'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisablePrivacyMode'; ParameterType = 'System.Boolean'; Bindings = 'In'; Val ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88878 Keywords=None Message=Creating Scriptblock text (4 of 21): Name = 'ScanOnlyIfIdleEnabled'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanOnlyIfIdleEnabled'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanParameters')) { [object]$__cmdletization_value = ${ScanParameters} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanParameters'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanParameters'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleDay')) { [object]$__cmdletization_value = ${ScanScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleQuickScanTime')) { [object]$__cmdletization_value = ${ScanScheduleQuickScanTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleQuickScanTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleQuickScanTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanScheduleTime')) { [object]$__cmdletization_value = ${ScanScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ThrottleForScheduledScanOnly')) { [object]$__cmdletization_value = ${ThrottleForScheduledScanOnly} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThrottleForScheduledScanOnly'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ThrottleForScheduledScanOnly'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureFirstAuGracePeriod')) { [object]$__cmdletization_value = ${SignatureFirstAuGracePeriod} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFirstAuGracePeriod'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFirstAuGracePeriod'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureAuGracePeriod')) { [object]$__cmdletization_value = ${SignatureAuGracePeriod} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureAuGracePeriod'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureAuGracePeriod'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureDefinitionUpdateFileSharesSources')) { [object]$__cmdletization_value = ${SignatureDefinitionUpdateFileSharesSources} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDefinitionUpdateFileSharesSources'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDefinitionUpdateFileSharesSources'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureDisableUpdateOnStartupWithoutEngine')) { [object]$__cmdletization_value = ${SignatureDisableUpdateOnStartupWithoutEngine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDisableUpdateOnStartupWithoutEngine'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureDisableUpdateOnStartupWithoutEngine'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureFallbackOrder')) { [object]$__cmdletization_value = ${SignatureFallbackOrder} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFallbackOrder'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureFallbackOrder'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SharedSignaturesPath')) { [object]$__cmdletization_value = ${SharedSignaturesPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SharedSignaturesPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SharedSignaturesPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('SignatureScheduleDay')) { [object]$__cmdletization_value = ${SignatureScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'SignatureScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88877 Keywords=None Message=Creating Scriptblock text (3 of 21): werShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionProcess')) { [object]$__cmdletization_value = ${ExclusionProcess} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionProcess'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionIpAddress')) { [object]$__cmdletization_value = ${ExclusionIpAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionIpAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RealTimeScanDirection')) { [object]$__cmdletization_value = ${RealTimeScanDirection} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RealTimeScanDirection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanDirection'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RealTimeScanDirection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanDirection'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuarantinePurgeItemsAfterDelay')) { [object]$__cmdletization_value = ${QuarantinePurgeItemsAfterDelay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuarantinePurgeItemsAfterDelay'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuarantinePurgeItemsAfterDelay'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemediationScheduleDay')) { [object]$__cmdletization_value = ${RemediationScheduleDay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleDay'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemediationScheduleTime')) { [object]$__cmdletization_value = ${RemediationScheduleTime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemediationScheduleTime'; ParameterType = 'System.DateTime'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingAdditionalActionTimeOut')) { [object]$__cmdletization_value = ${ReportingAdditionalActionTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingAdditionalActionTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingAdditionalActionTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingCriticalFailureTimeOut')) { [object]$__cmdletization_value = ${ReportingCriticalFailureTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingCriticalFailureTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingCriticalFailureTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ReportingNonCriticalTimeOut')) { [object]$__cmdletization_value = ${ReportingNonCriticalTimeOut} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingNonCriticalTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ReportingNonCriticalTimeOut'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanAvgCPULoadFactor')) { [object]$__cmdletization_value = ${ScanAvgCPULoadFactor} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanAvgCPULoadFactor'; ParameterType = 'System.Byte'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanAvgCPULoadFactor'; ParameterType = 'System.Byte'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CheckForSignaturesBeforeRunningScan')) { [object]$__cmdletization_value = ${CheckForSignaturesBeforeRunningScan} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CheckForSignaturesBeforeRunningScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CheckForSignaturesBeforeRunningScan'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanPurgeItemsAfterDelay')) { [object]$__cmdletization_value = ${ScanPurgeItemsAfterDelay} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPurgeItemsAfterDelay'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ScanPurgeItemsAfterDelay'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ScanOnlyIfIdleEnabled')) { [object]$__cmdletization_value = ${ScanOnlyIfIdleEnabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88876 Keywords=None Message=Creating Scriptblock text (2 of 21): ningNetworkFiles}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${UILockdown}, [Parameter(ParameterSetName='Set0')] [Alias('tiddefaci')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [long[]] ${ThreatIDDefaultAction_Ids}, [Parameter(ParameterSetName='Set0')] [Alias('tiddefaca')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction[]] ${ThreatIDDefaultAction_Actions}, [Parameter(ParameterSetName='Set0')] [Alias('unktdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction] ${UnknownThreatDefaultAction}, [Parameter(ParameterSetName='Set0')] [Alias('ltdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction] ${LowThreatDefaultAction}, [Parameter(ParameterSetName='Set0')] [Alias('mtdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction] ${ModerateThreatDefaultAction}, [Parameter(ParameterSetName='Set0')] [Alias('htdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction] ${HighThreatDefaultAction}, [Parameter(ParameterSetName='Set0')] [Alias('stdefac')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ThreatAction] ${SevereThreatDefaultAction}, [Parameter(ParameterSetName='Set0')] [switch] ${Force}, [Parameter(ParameterSetName='Set0')] [Alias('dbaf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableBlockAtFirstSeen}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Disabled','Enabled','AuditMode')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType] ${PUAProtection}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Default','Moderate','High','HighPlus','ZeroTolerance')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.CloudBlockLevelType] ${CloudBlockLevel}, [Parameter(ParameterSetName='Set0')] [Alias('cloudextimeout')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${CloudExtendedTimeout}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Disabled','Enabled','AuditMode')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType] ${EnableNetworkProtection}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Disabled','Enabled','AuditMode','BlockDiskModificationOnly','AuditDiskModificationOnly')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ControlledFolderAccessType] ${EnableControlledFolderAccess}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionOnlyExclusions}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessAllowedApplications}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ControlledFolderAccessProtectedFolders}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${AttackSurfaceReductionRules_Ids}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ASRRuleActionType[]] ${AttackSurfaceReductionRules_Actions}, [Parameter(ParameterSetName='Set0')] [Alias('elcp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${EnableLowCpuPriority}, [Parameter(ParameterSetName='Set0')] [Alias('efhc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${EnableFileHashComputation}, [Parameter(ParameterSetName='Set0')] [Alias('efsobp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${EnableFullScanOnBatteryPower}, [Parameter(ParameterSetName='Set0')] [Alias('ppurl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${ProxyPacUrl}, [Parameter(ParameterSetName='Set0')] [Alias('proxsrv')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${ProxyServer}, [Parameter(ParameterSetName='Set0')] [Alias('proxbps')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ProxyBypass}, [Parameter(ParameterSetName='Set0')] [Alias('fupo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${ForceUseProxyOnly}, [Parameter(ParameterSetName='Set0')] [Alias('dtlsp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableTlsParsing}, [Parameter(ParameterSetName='Set0')] [Alias('dhttpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableHttpParsing}, [Parameter(ParameterSetName='Set0')] [Alias('ddnsp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableDnsParsing}, [Parameter(ParameterSetName='Set0')] [Alias('ddnstcpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableDnsOverTcpParsing}, [Parameter(ParameterSetName='Set0')] [Alias('dsshp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableSshParsing}, [Parameter(ParameterSetName='Set0')] [Alias('puc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('NotConfigured','Beta','Preview','Staged','Broad','Delayed')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType] ${PlatformUpdatesChannel}, [Parameter(ParameterSetName='Set0')] [Alias('euc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('NotConfigured','Beta','Preview','Staged','Broad','Delayed')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType] ${EngineUpdatesChannel}, [Parameter(ParameterSetName='Set0')] [Alias('duc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('NotConfigured','Staged','Broad','Delayed')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType] ${DefinitionUpdatesChannel}, [Parameter(ParameterSetName='Set0')] [Alias('dgr')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableGradualRelease}, [Parameter(ParameterSetName='Set0')] [Alias('anpdl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${AllowNetworkProtectionDownLevel}, [Parameter(ParameterSetName='Set0')] [Alias('adpows')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${AllowDatagramProcessingOnWinServer}, [Parameter(ParameterSetName='Set0')] [Alias('ednss')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${EnableDnsSinkhole}, [Parameter(ParameterSetName='Set0')] [Alias('dicf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableInboundConnectionFiltering}, [Parameter(ParameterSetName='Set0')] [Alias('drdpp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableRdpParsing}, [Parameter(ParameterSetName='Set0')] [Alias('dnppt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableNetworkProtectionPerfTelemetry}, [Parameter(ParameterSetName='Set0')] [Alias('tlps')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${TrustLabelProtectionStatus}, [Parameter(ParameterSetName='Set0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Set0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Set0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionPath')) { [object]$__cmdletization_value = ${ExclusionPath} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionPath'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ExclusionExtension')) { [object]$__cmdletization_value = ${ExclusionExtension} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ExclusionExtension'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.Po ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88875 Keywords=None Message=Creating Scriptblock text (1 of 21): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root\Microsoft\Windows\Defender\MSFT_MpPreference' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Set-MpPreference { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionPath}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionExtension}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionProcess}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${ExclusionIpAddress}, [Parameter(ParameterSetName='Set0')] [Alias('rtsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Both','Incoming','Outcoming')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanDirection] ${RealTimeScanDirection}, [Parameter(ParameterSetName='Set0')] [Alias('qpiad')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${QuarantinePurgeItemsAfterDelay}, [Parameter(ParameterSetName='Set0')] [Alias('rsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day] ${RemediationScheduleDay}, [Parameter(ParameterSetName='Set0')] [Alias('rst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [datetime] ${RemediationScheduleTime}, [Parameter(ParameterSetName='Set0')] [Alias('raat')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${ReportingAdditionalActionTimeOut}, [Parameter(ParameterSetName='Set0')] [Alias('rcto')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${ReportingCriticalFailureTimeOut}, [Parameter(ParameterSetName='Set0')] [Alias('rncto')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${ReportingNonCriticalTimeOut}, [Parameter(ParameterSetName='Set0')] [Alias('saclf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [byte] ${ScanAvgCPULoadFactor}, [Parameter(ParameterSetName='Set0')] [Alias('csbr')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${CheckForSignaturesBeforeRunningScan}, [Parameter(ParameterSetName='Set0')] [Alias('spiad')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${ScanPurgeItemsAfterDelay}, [Parameter(ParameterSetName='Set0')] [Alias('soiie')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${ScanOnlyIfIdleEnabled}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('QuickScan','FullScan')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.ScanType] ${ScanParameters}, [Parameter(ParameterSetName='Set0')] [Alias('scsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day] ${ScanScheduleDay}, [Parameter(ParameterSetName='Set0')] [Alias('scsqst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [datetime] ${ScanScheduleQuickScanTime}, [Parameter(ParameterSetName='Set0')] [Alias('scst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [datetime] ${ScanScheduleTime}, [Parameter(ParameterSetName='Set0')] [Alias('tfsso')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${ThrottleForScheduledScanOnly}, [Parameter(ParameterSetName='Set0')] [Alias('sigfagp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SignatureFirstAuGracePeriod}, [Parameter(ParameterSetName='Set0')] [Alias('sigagp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SignatureAuGracePeriod}, [Parameter(ParameterSetName='Set0')] [Alias('sigdufss')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${SignatureDefinitionUpdateFileSharesSources}, [Parameter(ParameterSetName='Set0')] [Alias('sigduoswo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${SignatureDisableUpdateOnStartupWithoutEngine}, [Parameter(ParameterSetName='Set0')] [Alias('sfo')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${SignatureFallbackOrder}, [Parameter(ParameterSetName='Set0')] [Alias('ssp','SecurityIntelligenceLocation','ssl')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${SharedSignaturesPath}, [Parameter(ParameterSetName='Set0')] [Alias('sigsd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.Day] ${SignatureScheduleDay}, [Parameter(ParameterSetName='Set0')] [Alias('sigst')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [datetime] ${SignatureScheduleTime}, [Parameter(ParameterSetName='Set0')] [Alias('siguci')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SignatureUpdateCatchupInterval}, [Parameter(ParameterSetName='Set0')] [Alias('sigui')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SignatureUpdateInterval}, [Parameter(ParameterSetName='Set0')] [Alias('sigbui')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SignatureBlobUpdateInterval}, [Parameter(ParameterSetName='Set0')] [Alias('sigbfs')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string] ${SignatureBlobFileSharesSources}, [Parameter(ParameterSetName='Set0')] [Alias('mcupd')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${MeteredConnectionUpdates}, [Parameter(ParameterSetName='Set0')] [Alias('anpws')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${AllowNetworkProtectionOnWinServer}, [Parameter(ParameterSetName='Set0')] [Alias('ddtgp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableDatagramProcessing}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableCpuThrottleOnIdleScans}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('Disabled','Basic','Advanced')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.MAPSReportingType] ${MAPSReporting}, [Parameter(ParameterSetName='Set0')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [ValidateSet('AlwaysPrompt','SendSafeSamples','NeverSend','SendAllSamples')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType] ${SubmitSamplesConsent}, [Parameter(ParameterSetName='Set0')] [Alias('dae')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableAutoExclusions}, [Parameter(ParameterSetName='Set0')] [Alias('dpm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisablePrivacyMode}, [Parameter(ParameterSetName='Set0')] [Alias('rstt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${RandomizeScheduleTaskTimes}, [Parameter(ParameterSetName='Set0')] [Alias('srt')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [uint32] ${SchedulerRandomizationTime}, [Parameter(ParameterSetName='Set0')] [Alias('dbm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableBehaviorMonitoring}, [Parameter(ParameterSetName='Set0')] [Alias('dips')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableIntrusionPreventionSystem}, [Parameter(ParameterSetName='Set0')] [Alias('dioavp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableIOAVProtection}, [Parameter(ParameterSetName='Set0')] [Alias('drtm')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableRealtimeMonitoring}, [Parameter(ParameterSetName='Set0')] [Alias('dscrptsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableScriptScanning}, [Parameter(ParameterSetName='Set0')] [Alias('darchsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableArchiveScanning}, [Parameter(ParameterSetName='Set0')] [Alias('dcfsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableCatchupFullScan}, [Parameter(ParameterSetName='Set0')] [Alias('dcqsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableCatchupQuickScan}, [Parameter(ParameterSetName='Set0')] [Alias('demsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableEmailScanning}, [Parameter(ParameterSetName='Set0')] [Alias('drdsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableRemovableDriveScanning}, [Parameter(ParameterSetName='Set0')] [Alias('drp')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableRestorePoint}, [Parameter(ParameterSetName='Set0')] [Alias('dsmndfsc')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableScanningMappedNetworkDrivesForFullScan}, [Parameter(ParameterSetName='Set0')] [Alias('dsnf')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [bool] ${DisableScan ScriptBlock ID: 2ecfc54c-eda8-4766-9de3-cf7889ca9a0e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88874 Keywords=None Message=Completed invocation of ScriptBlock ID: 18c16f1d-04b2-4cbd-9d47-835c05612071 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88873 Keywords=None Message=Started invocation of ScriptBlock ID: 18c16f1d-04b2-4cbd-9d47-835c05612071 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88872 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus' $script:ClassVersion = '' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-MpComputerStatus { [CmdletBinding(DefaultParameterSetName='DefaultSet', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus')] param( [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [int] ${ThrottleLimit}, [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpComputerStatus.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-MpComputerStatus' -Alias '*' ScriptBlock ID: 18c16f1d-04b2-4cbd-9d47-835c05612071 Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88871 Keywords=None Message=Completed invocation of ScriptBlock ID: 62498cf5-5c8d-4034-a323-df6c50ebfdd3 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88870 Keywords=None Message=Started invocation of ScriptBlock ID: 62498cf5-5c8d-4034-a323-df6c50ebfdd3 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88869 Keywords=None Message=Started invocation of ScriptBlock ID: 3c1cf0de-e9c6-4c45-a8f8-092bcfd12c25 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88868 Keywords=None Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath C:\Temp -Force Add-MpPreference -ExclusionProcess C:\Temp\evil.msi -Force Add-MpPreference -ExclusionExtension ".exe" -Force Set-MpPreference -ExclusionPath "C:\" -Force ScriptBlock ID: 3c1cf0de-e9c6-4c45-a8f8-092bcfd12c25 Path: C:\Temp\1.ps1 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88867 Keywords=None Message=Started invocation of ScriptBlock ID: 2f0d7788-de3c-44e1-b312-06fe8bf82d6e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88866 Keywords=None Message=Creating Scriptblock text (1 of 1): .\1.ps1 ScriptBlock ID: 2f0d7788-de3c-44e1-b312-06fe8bf82d6e Path: 11/25/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88865 Keywords=None Message=Completed invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88996 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88995 Keywords=None Message=Completed invocation of ScriptBlock ID: 5b330245-4d95-4116-8d06-f5b6de5f2106 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88994 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88993 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88992 Keywords=None Message=Started invocation of ScriptBlock ID: 5b330245-4d95-4116-8d06-f5b6de5f2106 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88991 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 5b330245-4d95-4116-8d06-f5b6de5f2106 Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88990 Keywords=None Message=Completed invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88989 Keywords=None Message=Started invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88988 Keywords=None Message=Completed invocation of ScriptBlock ID: 2f0d7788-de3c-44e1-b312-06fe8bf82d6e Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88987 Keywords=None Message=Completed invocation of ScriptBlock ID: 3c1cf0de-e9c6-4c45-a8f8-092bcfd12c25 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88986 Keywords=None Message=Completed invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88985 Keywords=None Message=Completed invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88984 Keywords=None Message=Started invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88983 Keywords=None Message=Completed invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88982 Keywords=None Message=Started invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88981 Keywords=None Message=Completed invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88980 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88979 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88978 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88977 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88976 Keywords=None Message=Started invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88975 Keywords=None Message=Started invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88974 Keywords=None Message=Completed invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88973 Keywords=None Message=Started invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88972 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88971 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88970 Keywords=None Message=Completed invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88969 Keywords=None Message=Completed invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88968 Keywords=None Message=Started invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88967 Keywords=None Message=Completed invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88966 Keywords=None Message=Started invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88965 Keywords=None Message=Completed invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88964 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88963 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88962 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88961 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88960 Keywords=None Message=Started invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88959 Keywords=None Message=Started invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88958 Keywords=None Message=Completed invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88957 Keywords=None Message=Started invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88956 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88955 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88954 Keywords=None Message=Completed invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88953 Keywords=None Message=Completed invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88952 Keywords=None Message=Started invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88951 Keywords=None Message=Completed invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88950 Keywords=None Message=Started invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88949 Keywords=None Message=Completed invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88948 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88947 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88946 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88945 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88944 Keywords=None Message=Started invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88943 Keywords=None Message=Started invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88942 Keywords=None Message=Completed invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88941 Keywords=None Message=Started invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88940 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88939 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88938 Keywords=None Message=Completed invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88937 Keywords=None Message=Completed invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88936 Keywords=None Message=Started invocation of ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88935 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.OriginInfo } ScriptBlock ID: a71df4c3-5884-45f8-8cc4-78a87313e5ae Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88934 Keywords=None Message=Completed invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88933 Keywords=None Message=Started invocation of ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88932 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.ErrorCategory_Message } ScriptBlock ID: 29b881dc-2321-4086-b3c8-bb2c48984df2 Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88931 Keywords=None Message=Completed invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88930 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88929 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88928 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88927 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails } ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88926 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88925 Keywords=None Message=Started invocation of ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88924 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.PSMessageDetails } ScriptBlock ID: debc1ee1-a485-4a4d-994e-0bf6c3165bd4 Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88923 Keywords=None Message=Started invocation of ScriptBlock ID: b95fa6cf-8589-4734-81d5-55ae3cac10ee Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88922 Keywords=None Message=Completed invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88921 Keywords=None Message=Started invocation of ScriptBlock ID: 0fa95bc0-b736-4d06-b6e4-0ec181be0a2a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88920 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88919 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88918 Keywords=None Message=Creating Scriptblock text (1 of 1): function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Path: 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88917 Keywords=None Message=Completed invocation of ScriptBlock ID: 7e152d36-b964-4f62-8f69-f2ce0c4c94b1 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88916 Keywords=None Message=Started invocation of ScriptBlock ID: 7e152d36-b964-4f62-8f69-f2ce0c4c94b1 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88915 Keywords=None Message=Completed invocation of ScriptBlock ID: f19750a6-53d2-46be-a50b-fe5af7a9c94c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88914 Keywords=None Message=Started invocation of ScriptBlock ID: f19750a6-53d2-46be-a50b-fe5af7a9c94c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88913 Keywords=None Message=Creating Scriptblock text (1 of 1): #requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'ROOT\Microsoft\Windows\Defender\MSFT_MpWDOScan' $script:ClassVersion = '1.0' $script:ModuleVersion = '1.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Start-MpWDOScan { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Start0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Start0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Start0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Start', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP MSFT_MpWDOScan.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Start-MpWDOScan' -Alias '*' ScriptBlock ID: f19750a6-53d2-46be-a50b-fe5af7a9c94c Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89027 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89026 Keywords=None Message=Completed invocation of ScriptBlock ID: 01a85a00-c618-4bfc-b4db-1b5e5ae0645a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89025 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89024 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89023 Keywords=None Message=Started invocation of ScriptBlock ID: 01a85a00-c618-4bfc-b4db-1b5e5ae0645a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89022 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 01a85a00-c618-4bfc-b4db-1b5e5ae0645a Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89021 Keywords=None Message=Completed invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89020 Keywords=None Message=Started invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89019 Keywords=None Message=Completed invocation of ScriptBlock ID: 097849a4-7386-464d-aa9c-802f5bc2e89a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89018 Keywords=None Message=Completed invocation of ScriptBlock ID: 48e041ea-504e-4f37-8ac3-e51076971593 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89017 Keywords=None Message=Completed invocation of ScriptBlock ID: 46d52d12-522b-4fa3-a846-73e7d7105269 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89016 Keywords=None Message=Started invocation of ScriptBlock ID: 46d52d12-522b-4fa3-a846-73e7d7105269 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89015 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.OriginInfo } ScriptBlock ID: 46d52d12-522b-4fa3-a846-73e7d7105269 Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89014 Keywords=None Message=Completed invocation of ScriptBlock ID: 89e3652a-9f29-4463-9fb0-19e14b4c8b9c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89013 Keywords=None Message=Started invocation of ScriptBlock ID: 89e3652a-9f29-4463-9fb0-19e14b4c8b9c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89012 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.ErrorCategory_Message } ScriptBlock ID: 89e3652a-9f29-4463-9fb0-19e14b4c8b9c Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89011 Keywords=None Message=Completed invocation of ScriptBlock ID: c500920a-5869-40d9-8b68-fee29621d958 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89010 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89009 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89008 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89007 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89006 Keywords=None Message=Started invocation of ScriptBlock ID: c500920a-5869-40d9-8b68-fee29621d958 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89005 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.PSMessageDetails } ScriptBlock ID: c500920a-5869-40d9-8b68-fee29621d958 Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89004 Keywords=None Message=Started invocation of ScriptBlock ID: 48e041ea-504e-4f37-8ac3-e51076971593 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89003 Keywords=None Message=Completed invocation of ScriptBlock ID: 7bc2a56b-61e1-4ba4-b524-6ba2cbeaacc0 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89002 Keywords=None Message=Started invocation of ScriptBlock ID: 7bc2a56b-61e1-4ba4-b524-6ba2cbeaacc0 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89001 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89000 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=88999 Keywords=None Message=Started invocation of ScriptBlock ID: 097849a4-7386-464d-aa9c-802f5bc2e89a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=88998 Keywords=None Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath C:\Temp -Force ScriptBlock ID: 097849a4-7386-464d-aa9c-802f5bc2e89a Path: 11/25/2021 10:02:28 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=88997 Keywords=None Message=Completed invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89056 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89055 Keywords=None Message=Completed invocation of ScriptBlock ID: 8176718d-c5c1-462d-9f0c-3a4c93934fdc Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89054 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89053 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89052 Keywords=None Message=Started invocation of ScriptBlock ID: 8176718d-c5c1-462d-9f0c-3a4c93934fdc Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89051 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 8176718d-c5c1-462d-9f0c-3a4c93934fdc Path: 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89050 Keywords=None Message=Completed invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89049 Keywords=None Message=Started invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89048 Keywords=None Message=Completed invocation of ScriptBlock ID: 6e743ce8-bd3e-40e3-bba0-e7481b8aedcb Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89047 Keywords=None Message=Completed invocation of ScriptBlock ID: 7323ddf3-0b1b-4348-b181-947a3ebcb83f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89046 Keywords=None Message=Completed invocation of ScriptBlock ID: 4d90276f-76ac-4513-97bf-b55816c9739a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89045 Keywords=None Message=Started invocation of ScriptBlock ID: 4d90276f-76ac-4513-97bf-b55816c9739a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89044 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.OriginInfo } ScriptBlock ID: 4d90276f-76ac-4513-97bf-b55816c9739a Path: 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89043 Keywords=None Message=Completed invocation of ScriptBlock ID: 183ebb43-5ced-42f0-ab0e-f684de2a5d34 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89042 Keywords=None Message=Started invocation of ScriptBlock ID: 183ebb43-5ced-42f0-ab0e-f684de2a5d34 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89041 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.ErrorCategory_Message } ScriptBlock ID: 183ebb43-5ced-42f0-ab0e-f684de2a5d34 Path: 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89040 Keywords=None Message=Completed invocation of ScriptBlock ID: 19462c0c-d571-49ab-8d24-44b346a15231 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89039 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89038 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89037 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89036 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89035 Keywords=None Message=Started invocation of ScriptBlock ID: 19462c0c-d571-49ab-8d24-44b346a15231 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89034 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.PSMessageDetails } ScriptBlock ID: 19462c0c-d571-49ab-8d24-44b346a15231 Path: 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89033 Keywords=None Message=Started invocation of ScriptBlock ID: 7323ddf3-0b1b-4348-b181-947a3ebcb83f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89032 Keywords=None Message=Completed invocation of ScriptBlock ID: 1514f753-6380-4349-8505-ba503599e66d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89031 Keywords=None Message=Started invocation of ScriptBlock ID: 1514f753-6380-4349-8505-ba503599e66d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89030 Keywords=None Message=Started invocation of ScriptBlock ID: 6e743ce8-bd3e-40e3-bba0-e7481b8aedcb Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89029 Keywords=None Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath ScriptBlock ID: 6e743ce8-bd3e-40e3-bba0-e7481b8aedcb Path: 11/25/2021 10:02:33 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89028 Keywords=None Message=Completed invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89087 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89086 Keywords=None Message=Completed invocation of ScriptBlock ID: 0587e9f1-c51f-46d2-b43a-2667c6dfc878 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89085 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89084 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89083 Keywords=None Message=Started invocation of ScriptBlock ID: 0587e9f1-c51f-46d2-b43a-2667c6dfc878 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89082 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 0587e9f1-c51f-46d2-b43a-2667c6dfc878 Path: 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89081 Keywords=None Message=Completed invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89080 Keywords=None Message=Started invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89079 Keywords=None Message=Completed invocation of ScriptBlock ID: ec1e3e41-7b60-472b-aa6e-cddeb81e9619 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89078 Keywords=None Message=Completed invocation of ScriptBlock ID: d3d710f8-fa6c-4973-a5e2-b35fc9ed42f3 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89077 Keywords=None Message=Completed invocation of ScriptBlock ID: baac35df-d8a3-4cac-8618-11974fd1066d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89076 Keywords=None Message=Started invocation of ScriptBlock ID: baac35df-d8a3-4cac-8618-11974fd1066d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89075 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.OriginInfo } ScriptBlock ID: baac35df-d8a3-4cac-8618-11974fd1066d Path: 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89074 Keywords=None Message=Completed invocation of ScriptBlock ID: b1f9602e-3f39-4aba-8000-84209394c5d8 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89073 Keywords=None Message=Started invocation of ScriptBlock ID: b1f9602e-3f39-4aba-8000-84209394c5d8 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89072 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.ErrorCategory_Message } ScriptBlock ID: b1f9602e-3f39-4aba-8000-84209394c5d8 Path: 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89071 Keywords=None Message=Completed invocation of ScriptBlock ID: 9e4b3634-e656-4e54-8395-7e99aae7c73c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89070 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89069 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89068 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89067 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89066 Keywords=None Message=Started invocation of ScriptBlock ID: 9e4b3634-e656-4e54-8395-7e99aae7c73c Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89065 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.PSMessageDetails } ScriptBlock ID: 9e4b3634-e656-4e54-8395-7e99aae7c73c Path: 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89064 Keywords=None Message=Started invocation of ScriptBlock ID: d3d710f8-fa6c-4973-a5e2-b35fc9ed42f3 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89063 Keywords=None Message=Completed invocation of ScriptBlock ID: b38cd15b-2eab-49bc-9b45-aaeb87da4a8d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89062 Keywords=None Message=Started invocation of ScriptBlock ID: b38cd15b-2eab-49bc-9b45-aaeb87da4a8d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89061 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89060 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89059 Keywords=None Message=Started invocation of ScriptBlock ID: ec1e3e41-7b60-472b-aa6e-cddeb81e9619 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89058 Keywords=None Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath C:\Temp ScriptBlock ID: ec1e3e41-7b60-472b-aa6e-cddeb81e9619 Path: 11/25/2021 10:02:42 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89057 Keywords=None Message=Completed invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89109 Keywords=None Message=Completed invocation of ScriptBlock ID: 548c60bb-5506-4ddf-81a1-8e2a5bd6ee30 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89108 Keywords=None Message=Completed invocation of ScriptBlock ID: eeaf5281-cfe7-4d5b-86a2-8d8c586c1f8d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89107 Keywords=None Message=Started invocation of ScriptBlock ID: eeaf5281-cfe7-4d5b-86a2-8d8c586c1f8d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89106 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.OriginInfo } ScriptBlock ID: eeaf5281-cfe7-4d5b-86a2-8d8c586c1f8d Path: 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89105 Keywords=None Message=Completed invocation of ScriptBlock ID: e4fb6886-7794-448d-a610-532ddb213387 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89104 Keywords=None Message=Started invocation of ScriptBlock ID: e4fb6886-7794-448d-a610-532ddb213387 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89103 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.ErrorCategory_Message } ScriptBlock ID: e4fb6886-7794-448d-a610-532ddb213387 Path: 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89102 Keywords=None Message=Completed invocation of ScriptBlock ID: b0565502-841e-4cb6-a084-3d62045371dd Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89101 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89100 Keywords=None Message=Completed invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89099 Keywords=None Message=Started invocation of ScriptBlock ID: ed25802b-dfbd-4f00-9ffa-a5be94f90b0d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89098 Keywords=None Message=Started invocation of ScriptBlock ID: 9d6169fb-1742-43be-a01d-088ac54c8f24 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89097 Keywords=None Message=Started invocation of ScriptBlock ID: b0565502-841e-4cb6-a084-3d62045371dd Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89096 Keywords=None Message=Creating Scriptblock text (1 of 1): { Set-StrictMode -Version 1; $_.PSMessageDetails } ScriptBlock ID: b0565502-841e-4cb6-a084-3d62045371dd Path: 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89095 Keywords=None Message=Started invocation of ScriptBlock ID: 548c60bb-5506-4ddf-81a1-8e2a5bd6ee30 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89094 Keywords=None Message=Completed invocation of ScriptBlock ID: d136036b-7e54-4972-ae8e-d5a42a18c0f8 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89093 Keywords=None Message=Started invocation of ScriptBlock ID: d136036b-7e54-4972-ae8e-d5a42a18c0f8 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89092 Keywords=None Message=Completed invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89091 Keywords=None Message=Started invocation of ScriptBlock ID: 9d378304-8fff-4a43-b010-5f8a063b057f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89090 Keywords=None Message=Started invocation of ScriptBlock ID: aeff2b20-a53f-4e8c-ad45-69fdd2ba098f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89089 Keywords=None Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath C:\Temp ScriptBlock ID: aeff2b20-a53f-4e8c-ad45-69fdd2ba098f Path: 11/25/2021 10:03:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89088 Keywords=None Message=Completed invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89118 Keywords=None Message=Started invocation of ScriptBlock ID: 2d37c3e4-d07c-40c4-8364-8419b0b99809 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89117 Keywords=None Message=Completed invocation of ScriptBlock ID: 88e2f1c2-0273-460e-b87e-af4d16ca6f0a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89116 Keywords=None Message=Completed invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89115 Keywords=None Message=Started invocation of ScriptBlock ID: c842dcf0-e3e9-4b27-a5b4-d19749f6a53d Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89114 Keywords=None Message=Started invocation of ScriptBlock ID: 88e2f1c2-0273-460e-b87e-af4d16ca6f0a Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=89113 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 88e2f1c2-0273-460e-b87e-af4d16ca6f0a Path: 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89112 Keywords=None Message=Completed invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=89111 Keywords=None Message=Started invocation of ScriptBlock ID: 20b8e845-f605-4a3d-8761-b80e4c44f601 Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b 11/25/2021 10:03:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-266.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3499523948-2023901041-105020508-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=89110 Keywords=None Message=Completed invocation of ScriptBlock ID: aeff2b20-a53f-4e8c-ad45-69fdd2ba098f Runspace ID: 17da6489-262c-44a8-8ea5-7379e8ac753b