06/14/2021 09:12:11 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=75760 Keywords=None Message=PowerShell console is starting up 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=75849 Keywords=None Message=Completed invocation of ScriptBlock ID: ed4c24c2-4b19-411e-bcaa-e16849bb0a74 Runspace ID: 776da8c2-351e-4da2-b389-86953f603fe6 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=75848 Keywords=None Message=Started invocation of ScriptBlock ID: ed4c24c2-4b19-411e-bcaa-e16849bb0a74 Runspace ID: 776da8c2-351e-4da2-b389-86953f603fe6 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=75847 Keywords=None Message=Creating Scriptblock text (1 of 1): # Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Amazon Software License (the "License"). # You may not use this file except in compliance with the License. # A copy of the License is located at # # http://aws.amazon.com/asl/ # # or in the "license" file accompanying this file. This file is distributed # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either # express or implied. See the License for the specific language governing # permissions and limitations under the License. <#----------------------------------------------------------------------------------------------------------- Invoke-WithTimeout will invoke a function as a sub process and wait for it to complete. -------------------------------------------------------------------------------------------------------------#> function Invoke-WithTimeout { param ( [Parameter(Mandatory=$true, Position=0)] [string] $ScriptName, [Parameter(Mandatory=$true, Position=1)] [ScriptBlock] $ScriptBlock, [Parameter(Mandatory=$true, Position=2)] [Object[]] $ArgumentList, [Parameter(Mandatory=$true, Position=3)] [int] $SleepSeconds, [Parameter(Mandatory=$true, Position=4)] [int] $TimeoutSeconds ) try { $start = (Get-Date).Second $completed = $false # Start job in the background so we can monitor it $job = Start-Job -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList do { if ($job.JobStateInfo.State -ne "Running") { # Job exited, quit polling it $completed = $true } else { # Job still running, sleep Write-Log ("Job '{0}' Still In Running State, Sleeping For '{1}' Seconds" -f $ScriptName, $SleepSeconds) Start-Sleep -Seconds $SleepSeconds } } while ((((Get-Date).Second - $start) -le $TimeoutSeconds) -and (-not $completed)) if ($completed) { # Will log out the end state of the job, as well as the output from the closure Write-Log ("Job '{0}' Finished With Status '{1}': '{2}'" -f $ScriptName, $job.JobStateInfo.State, ($job | Receive-Job)) } else { # Job didn't complete in the given time, kill the sub job (if it was a service that failed to start, the service will not be killed by doing this) Write-Log ("Job '{0}' Failed To Finish Within '{1}' Seconds" -f $ScriptName, $TimeoutSeconds) $job.StopJob() } } catch { Write-Log ("Unable To Execute Job '{0}': '{1}'" -f $ScriptName, $_.Exception.Message) } } # SIG # Begin signature block # MIIcvAYJKoZIhvcNAQcCoIIcrTCCHKkCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBRGIQMX23VoAYS # G3jx3rUa+gKHFzYOCq3od5KplXA0PqCCDJ8wggXbMIIEw6ADAgECAhALhtAE1iqy # 3BEl7IX117EeMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNV # BAMTIkRpZ2lDZXJ0IEVWIENvZGUgU2lnbmluZyBDQSAoU0hBMikwHhcNMjEwNDEz # MDAwMDAwWhcNMjIwNDE4MjM1OTU5WjCB8jEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdh # bml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI # RGVsYXdhcmUxEDAOBgNVBAUTBzQxNTI5NTQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMSIwIAYDVQQKExlBbWF6b24g # V2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLEwpBbWF6b24gRUMyMSIwIAYDVQQD # ExlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMIIBIjANBgkqhkiG9w0BAQEFAAOC # AQ8AMIIBCgKCAQEAyc04nmrj0mFs+J19mqr0o6yal0uNsXc7Z4vQslqbHTBJ7Xzf # Qli6jQSOk6OzD3MrFbpT5eWM+0YqbSHHZNVdmGEko4LR4WJLmPmsGqwO754/zeXT # KIlas66c4cRw6igGPeDRDkNUMRFfvnmbM/HZZIwR0HeLtRDOZddDDdydvLo6rcGW # nRLG15NeKWPemWs2jHvWBcNuSV2/8TlEuujgznt/U3p1x6xenzlGTedx6JBA0GPa # l9YF2ijvPpVowaljpCLun4agFHTMnzq+tWGocvgF80N78E20wl16i3Ls7hbnwjcn # crjpQiBgYWvWrU+xpeT/8fPs6id03o4Ggadh7QIDAQABo4IB8DCCAewwHwYDVR0j # BBgwFoAUj+h+8G0yagAFI8dwl2o6kP9r6tQwHQYDVR0OBBYEFNOsLmIr6HnXlCro # QE13eT9iOwKbMC4GA1UdEQQnMCWgIwYIKwYBBQUHCAOgFzAVDBNVUy1ERUxBV0FS # RS00MTUyOTU0MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzB7 # BgNVHR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRVZDb2Rl # U2lnbmluZ1NIQTItZzEuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5j # b20vRVZDb2RlU2lnbmluZ1NIQTItZzEuY3JsMEoGA1UdIARDMEEwNgYJYIZIAYb9 # bAMCMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAH # BgVngQwBAzB+BggrBgEFBQcBAQRyMHAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw # LmRpZ2ljZXJ0LmNvbTBIBggrBgEFBQcwAoY8aHR0cDovL2NhY2VydHMuZGlnaWNl # cnQuY29tL0RpZ2lDZXJ0RVZDb2RlU2lnbmluZ0NBLVNIQTIuY3J0MAwGA1UdEwEB # /wQCMAAwDQYJKoZIhvcNAQELBQADggEBAJIKG4PvG2fKZaJxKzF+Buzkm/vCffHd # doEOHwxP5dxg0ITPpqo1oZ3mEgNOG5sA+x5h8l1D/hrmOXwjKKpP7l3aPPjzD64j # Dv4mVENm6wr4t5fG5GWFNBzmY3JBSJqGAIJ0aPKs0Sd4TqAW2BGc7nRqH67/mJvE # X6Piw2M6/Wa6WhrpCxjyBhB4FcX5UsVWuXz7iIg6TsGkOQaNOCpr9nF3daepI11l # uZE5KfVOi+IRGe362zNllomxdpoRbk+ApxBY/40hB7Qx7eBi7c7jkd6kr5KcuATv # JfX4UWFLaXs+1dbqclGWeJa8CZQJxmshSY3rhQLCBthCFHGITP3NSb8wgga8MIIF # pKADAgECAhAD8bThXzqC8RSWeLPX2EdcMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV # BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp # Y2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIEVWIFJv # b3QgQ0EwHhcNMTIwNDE4MTIwMDAwWhcNMjcwNDE4MTIwMDAwWjBsMQswCQYDVQQG # EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl # cnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBFViBDb2RlIFNpZ25pbmcgQ0EgKFNI # QTIpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp1P6D7K1E/Fkz4SA # /K6ANdG218ejLKwaLKzxhKw6NRI6kpG6V+TEyfMvqEg8t9Zu3JciulF5Ya9DLw23 # m7RJMa5EWD6koZanh08jfsNsZSSQVT6hyiN8xULpxHpiRZt93mN0y55jJfiEmpqt # RU+ufR/IE8t1m8nh4Yr4CwyY9Mo+0EWqeh6lWJM2NL4rLisxWGa0MhCfnfBSoe/o # PtN28kBa3PpqPRtLrXawjFzuNrqD6jCoTN7xCypYQYiuAImrA9EWgiAiduteVDgS # YuHScCTb7R9w0mQJgC3itp3OH/K7IfNs29izGXuKUJ/v7DYKXJq3StMIoDl5/d2/ # PToJJQIDAQABo4IDWDCCA1QwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E # BAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwfwYIKwYBBQUHAQEEczBxMCQGCCsG # AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wSQYIKwYBBQUHMAKGPWh0 # dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VF # VlJvb3RDQS5jcnQwgY8GA1UdHwSBhzCBhDBAoD6gPIY6aHR0cDovL2NybDMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDBAoD6g # PIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5j # ZUVWUm9vdENBLmNybDCCAcQGA1UdIASCAbswggG3MIIBswYJYIZIAYb9bAMCMIIB # pDA6BggrBgEFBQcCARYuaHR0cDovL3d3dy5kaWdpY2VydC5jb20vc3NsLWNwcy1y # ZXBvc2l0b3J5Lmh0bTCCAWQGCCsGAQUFBwICMIIBVh6CAVIAQQBuAHkAIAB1AHMA # ZQAgAG8AZgAgAHQAaABpAHMAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAIABjAG8A # bgBzAHQAaQB0AHUAdABlAHMAIABhAGMAYwBlAHAAdABhAG4AYwBlACAAbwBmACAA # dABoAGUAIABEAGkAZwBpAEMAZQByAHQAIABDAFAALwBDAFAAUwAgAGEAbgBkACAA # dABoAGUAIABSAGUAbAB5AGkAbgBnACAAUABhAHIAdAB5ACAAQQBnAHIAZQBlAG0A # ZQBuAHQAIAB3AGgAaQBjAGgAIABsAGkAbQBpAHQAIABsAGkAYQBiAGkAbABpAHQA # eQAgAGEAbgBkACAAYQByAGUAIABpAG4AYwBvAHIAcABvAHIAYQB0AGUAZAAgAGgA # ZQByAGUAaQBuACAAYgB5ACAAcgBlAGYAZQByAGUAbgBjAGUALjAdBgNVHQ4EFgQU # j+h+8G0yagAFI8dwl2o6kP9r6tQwHwYDVR0jBBgwFoAUsT7DaQP4v0cB1JgmGggC # 72NkK8MwDQYJKoZIhvcNAQELBQADggEBABkzSgyBMzfbrTbJ5Mk6u7UbLnqi4vRD # Qheev06hTeGx2+mB3Z8B8uSI1en+Cf0hwexdgNLw1sFDwv53K9v515EzzmzVshk7 # 5i7WyZNPiECOzeH1fvEPxllWcujrakG9HNVG1XxJymY4FcG/4JFwd4fcyY0xyQwp # ojPtjeKHzYmNPxv/1eAal4t82m37qMayOmZrewGzzdimNOwSAauVWKXEU1eoYObn # AhKguSNkok27fIElZCG+z+5CGEOXu6U3Bq9N/yalTWFL7EZBuGXOuHmeCJYLgYyK # O4/HmYyjKm6YbV5hxpa3irlhLZO46w4EQ9f1/qbwYtSZaqXBwfBklIAxgg9zMIIP # bwIBATCBgDBsMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkw # FwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBFViBD # b2RlIFNpZ25pbmcgQ0EgKFNIQTIpAhALhtAE1iqy3BEl7IX117EeMA0GCWCGSAFl # AwQCAQUAoHwwEAYKKwYBBAGCNwIBDDECMAAwGQYJKoZIhvcNAQkDMQwGCisGAQQB # gjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkE # MSIEIKgMxJKN8Se88m79sOo82VnkyOx/i6E+0MPMpkJNww+NMA0GCSqGSIb3DQEB # AQUABIIBADUwLuYKmlOVlLTzK+UgXq3SWK4/Y2ligIVuQCyMRNfNcPEuvfjd42tg # 7eh1ttDK4+QkUHa4eWC7SUFcspstpw2AVm95oI7Kb6tgv6OAjXibZ4hnOGM9VDbW # em5D1DpHy4z5WPDcdP2p9utRTiAfBsvWdInX0gNun7mLixkaocC80O0b8Kz1bUpt # 5EbdDgY4inHn85rP+aSzkcuLlAonUu9lOZeUOiLpneIw7H/xHN2VrtAcSQVjdBvI # 7P7f+pO0dwqi4253bnokpkHDNH0GNv8aMvaf3N2XKKgpzWu2r3KvP1BD2pUI6sU+ # 2SB6VO3G8SJlqaElUs5SMGaJ7MIZTcOhgg1FMIINQQYKKwYBBAGCNwMDATGCDTEw # gg0tBgkqhkiG9w0BBwKggg0eMIINGgIBAzEPMA0GCWCGSAFlAwQCAQUAMHgGCyqG # SIb3DQEJEAEEoGkEZzBlAgEBBglghkgBhv1sBwEwMTANBglghkgBZQMEAgEFAAQg # n/BsYyIiNl3E4svMquojOoTKJol99/wC+YdMcTvar50CEQDBr7QLjQpjKslxj+Dm # wQOAGA8yMDIxMDQyNDA2MzExM1qgggo3MIIE/jCCA+agAwIBAgIQDUJK4L46iP9g # QCHOFADw3TANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM # RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD # EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgVGltZXN0YW1waW5nIENBMB4XDTIx # MDEwMTAwMDAwMFoXDTMxMDEwNjAwMDAwMFowSDELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAg # MjAyMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLmYYRnxYr1DQik # Rcpja1HXOhFCvQp1dU2UtAxQtSYQ/h3Ib5FrDJbnGlxI70Tlv5thzRWRYlq4/2cL # nGP9NmqB+in43Stwhd4CGPN4bbx9+cdtCT2+anaH6Yq9+IRdHnbJ5MZ2djpT0dHT # WjaPxqPhLxs6t2HWc+xObTOKfF1FLUuxUOZBOjdWhtyTI433UCXoZObd048vV7WH # IOsOjizVI9r0TXhG4wODMSlKXAwxikqMiMX3MFr5FK8VX2xDSQn9JiNT9o1j6Bqr # W7EdMMKbaYK02/xWVLwfoYervnpbCiAvSwnJlaeNsvrWY4tOpXIc7p96AXP4Gdb+ # DUmEvQECAwEAAaOCAbgwggG0MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA # MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMEEGA1UdIAQ6MDgwNgYJYIZIAYb9bAcB # MCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAfBgNV # HSMEGDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjAdBgNVHQ4EFgQUNkSGjqS6sGa+ # vCgtHUQ23eNqerwwcQYDVR0fBGowaDAyoDCgLoYsaHR0cDovL2NybDMuZGlnaWNl # cnQuY29tL3NoYTItYXNzdXJlZC10cy5jcmwwMqAwoC6GLGh0dHA6Ly9jcmw0LmRp # Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtdHMuY3JsMIGFBggrBgEFBQcBAQR5MHcw # JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcw # AoZDaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3Vy # ZWRJRFRpbWVzdGFtcGluZ0NBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEASBzctema # I7znGucgDo5nRv1CclF0CiNHo6uS0iXEcFm+FKDlJ4GlTRQVGQd58NEEw4bZO73+ # RAJmTe1ppA/2uHDPYuj1UUp4eTZ6J7fz51Kfk6ftQ55757TdQSKJ+4eiRgNO/PT+ # t2R3Y18jUmmDgvoaU+2QzI2hF3MN9PNlOXBL85zWenvaDLw9MtAby/Vh/HUIAHa8 # gQ74wOFcz8QRcucbZEnYIpp1FUL1LTI4gdr0YKK6tFL7XOBhJCVPst/JKahzQ1Ha # vWPWH1ub9y4bTxMd90oNcX6Xt/Q/hOvB46NJofrOp79Wz7pZdmGJX36ntI5nePk2 # mOHLKNpbh6aKLzCCBTEwggQZoAMCAQICEAqhJdbWMht+QeQF2jaXwhUwDQYJKoZI # hvcNAQELBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ # MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMbRGlnaUNlcnQgQXNz # dXJlZCBJRCBSb290IENBMB4XDTE2MDEwNzEyMDAwMFoXDTMxMDEwNzEyMDAwMFow # cjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQ # d3d3LmRpZ2ljZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVk # IElEIFRpbWVzdGFtcGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC # ggEBAL3QMu5LzY9/3am6gpnFOVQoV7YjSsQOB0UzURB90Pl9TWh+57ag9I2ziOSX # v2MhkJi/E7xX08PhfgjWahQAOPcuHjvuzKb2Mln+X2U/4Jvr40ZHBhpVfgsnfsCi # 9aDg3iI/Dv9+lfvzo7oiPhisEeTwmQNtO4V8CdPuXciaC1TjqAlxa+DPIhAPdc9x # ck4Krd9AOly3UeGheRTGTSQjMF287DxgaqwvB8z98OpH2YhQXv1mblZhJymJhFHm # gudGUP2UKiyn5HU+upgPhH+fMRTWrdXyZMt7HgXQhBlyF/EXBu89zdZN7wZC/aJT # Kk+FHcQdPK/P2qwQ9d2srOlW/5MCAwEAAaOCAc4wggHKMB0GA1UdDgQWBBT0tuEg # Hf4prtLkYaWyoiWyyBc1bjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823I # DzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAK # BggrBgEFBQcDCDB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9v # Y3NwLmRpZ2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDCBgQYDVR0fBHow # eDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJl # ZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDBQBgNVHSAESTBHMDgGCmCGSAGG/WwA # AgQwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAL # BglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggEBAHGVEulRh1Zpze/d2nyqY3qz # eM8GN0CE70uEv8rPAwL9xafDDiBCLK938ysfDCFaKrcFNB1qrpn4J6JmvwmqYN92 # pDqTD/iy0dh8GWLoXoIlHsS6HHssIeLWWywUNUMEaLLbdQLgcseY1jxk5R9IEBhf # iThhTWJGJIdjjJFSLK8pieV4H9YLFKWA1xJHcLN11ZOFk362kmf7U2GJqPVrlsD0 # WGkNfMgBsbkodbeZY4UijGHKeZR+WfyMD+NvtQEmtmyl7odRIeRYYJu6DC0rbaLE # frvEJStHAgh8Sa4TtuF8QkIoxhhWz0E0tmZdtnR79VYzIi8iNrJLokqV2PWmjlIx # ggJNMIICSQIBATCBhjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQg # SW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2Vy # dCBTSEEyIEFzc3VyZWQgSUQgVGltZXN0YW1waW5nIENBAhANQkrgvjqI/2BAIc4U # APDdMA0GCWCGSAFlAwQCAQUAoIGYMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRAB # BDAcBgkqhkiG9w0BCQUxDxcNMjEwNDI0MDYzMTEzWjArBgsqhkiG9w0BCRACDDEc # MBowGDAWBBTh14Ko4ZG+72vKFpG1qrSUpiSb8zAvBgkqhkiG9w0BCQQxIgQgrteU # 2qE07EaBXrU6SRWPz2AG+aAI4tsRK+5kyYV+F2QwDQYJKoZIhvcNAQEBBQAEggEA # HB/Akxx3BGnQXMWRj72ApWSGOEpPbF+9BTnnFIjs/CU21lK5v9JPVML7f10evxee # U2gkVvsaoLJpQfADgA+9ON7s/m1yMkltTHK+qmvANISCosLpHDhcLFSogaP+MUDu # VtC49JMMeQub0RyLa7sUYL8QGPMyAOskBXUBdUCT3MTUrxKfcgCCI1E4FAiC9pyT # Mtu2vQr9/dJa90ANWgfvWepRo5NBu9ZDcMrB9EteR/idvaMIibfG53lTRtsGsY5J # ZyF/gUni8x9Kz335lNWz5EYqeW9+8BM2Kkxt3sXWXCWj2hL7qq2kbtfpvqm0/0U/ # M1E2y/sCwR6Yl9F9dEG+iA== # SIG # End signature block ScriptBlock ID: ed4c24c2-4b19-411e-bcaa-e16849bb0a74 Path: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Invoke-WithTimeout.ps1 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=75846 Keywords=None Message=Completed invocation of ScriptBlock ID: 65d5f2a9-6add-46cc-b451-65c7af44eb27 Runspace ID: 776da8c2-351e-4da2-b389-86953f603fe6 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=75845 Keywords=None Message=Started invocation of ScriptBlock ID: 65d5f2a9-6add-46cc-b451-65c7af44eb27 Runspace ID: 776da8c2-351e-4da2-b389-86953f603fe6 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=75844 Keywords=None Message=Creating Scriptblock text (2 of 2): JKoZIhvcNAQkE # MSIEIJSk7sBD9xR1sh6++AH2WifJQ6zVYzLVrD7JMNPDG3jTMA0GCSqGSIb3DQEB # AQUABIIBAIV8sGVkaD57debNEQfRx9+3m4PyGkxZb0+1llVgE+sbaYjpMkMWppSR # cijM+mVwG8Vh7rgazyqDbkpSfKpE5mGw0h8ampd3t+oS6CelY9NRn8sKDqPulD4I # BCK4SxSe5DvCw70uuyjWqZR0tX4fAp4N7XqXiFog/kkQcUeGfrUkV9KBtH2IiCiQ # R8oBp0RkIU2GfkPz6/ihLzssWeD4fSr+DVT5EsYouiV2y9Sx4M38RtqU6ZDYpx78 # M+ggfhNLseEjT3lYla+415grO5BJKcPRboXt7UL659m39pL227XMUvRw46en/rGR # EBE+cDYVVjIJmTRFf3DjnT+1ioMT4hmhgg1FMIINQQYKKwYBBAGCNwMDATGCDTEw # gg0tBgkqhkiG9w0BBwKggg0eMIINGgIBAzEPMA0GCWCGSAFlAwQCAQUAMHgGCyqG # SIb3DQEJEAEEoGkEZzBlAgEBBglghkgBhv1sBwEwMTANBglghkgBZQMEAgEFAAQg # KbRBcAb0XwD9xeBjy+z7c5jQaFxo5mSJygUPeHMjHMcCEQCK7+81951wdSHEUQwz # AJFoGA8yMDIxMDQyNDA2MzIyNVqgggo3MIIE/jCCA+agAwIBAgIQDUJK4L46iP9g # QCHOFADw3TANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM # RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD # EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgVGltZXN0YW1waW5nIENBMB4XDTIx # MDEwMTAwMDAwMFoXDTMxMDEwNjAwMDAwMFowSDELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAg # MjAyMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLmYYRnxYr1DQik # Rcpja1HXOhFCvQp1dU2UtAxQtSYQ/h3Ib5FrDJbnGlxI70Tlv5thzRWRYlq4/2cL # nGP9NmqB+in43Stwhd4CGPN4bbx9+cdtCT2+anaH6Yq9+IRdHnbJ5MZ2djpT0dHT # WjaPxqPhLxs6t2HWc+xObTOKfF1FLUuxUOZBOjdWhtyTI433UCXoZObd048vV7WH # IOsOjizVI9r0TXhG4wODMSlKXAwxikqMiMX3MFr5FK8VX2xDSQn9JiNT9o1j6Bqr # W7EdMMKbaYK02/xWVLwfoYervnpbCiAvSwnJlaeNsvrWY4tOpXIc7p96AXP4Gdb+ # DUmEvQECAwEAAaOCAbgwggG0MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA # MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMEEGA1UdIAQ6MDgwNgYJYIZIAYb9bAcB # MCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAfBgNV # HSMEGDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjAdBgNVHQ4EFgQUNkSGjqS6sGa+ # vCgtHUQ23eNqerwwcQYDVR0fBGowaDAyoDCgLoYsaHR0cDovL2NybDMuZGlnaWNl # cnQuY29tL3NoYTItYXNzdXJlZC10cy5jcmwwMqAwoC6GLGh0dHA6Ly9jcmw0LmRp # Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtdHMuY3JsMIGFBggrBgEFBQcBAQR5MHcw # JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcw # AoZDaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3Vy # ZWRJRFRpbWVzdGFtcGluZ0NBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEASBzctema # I7znGucgDo5nRv1CclF0CiNHo6uS0iXEcFm+FKDlJ4GlTRQVGQd58NEEw4bZO73+ # RAJmTe1ppA/2uHDPYuj1UUp4eTZ6J7fz51Kfk6ftQ55757TdQSKJ+4eiRgNO/PT+ # t2R3Y18jUmmDgvoaU+2QzI2hF3MN9PNlOXBL85zWenvaDLw9MtAby/Vh/HUIAHa8 # gQ74wOFcz8QRcucbZEnYIpp1FUL1LTI4gdr0YKK6tFL7XOBhJCVPst/JKahzQ1Ha # vWPWH1ub9y4bTxMd90oNcX6Xt/Q/hOvB46NJofrOp79Wz7pZdmGJX36ntI5nePk2 # mOHLKNpbh6aKLzCCBTEwggQZoAMCAQICEAqhJdbWMht+QeQF2jaXwhUwDQYJKoZI # hvcNAQELBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ # MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMbRGlnaUNlcnQgQXNz # dXJlZCBJRCBSb290IENBMB4XDTE2MDEwNzEyMDAwMFoXDTMxMDEwNzEyMDAwMFow # cjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQ # d3d3LmRpZ2ljZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVk # IElEIFRpbWVzdGFtcGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC # ggEBAL3QMu5LzY9/3am6gpnFOVQoV7YjSsQOB0UzURB90Pl9TWh+57ag9I2ziOSX # v2MhkJi/E7xX08PhfgjWahQAOPcuHjvuzKb2Mln+X2U/4Jvr40ZHBhpVfgsnfsCi # 9aDg3iI/Dv9+lfvzo7oiPhisEeTwmQNtO4V8CdPuXciaC1TjqAlxa+DPIhAPdc9x # ck4Krd9AOly3UeGheRTGTSQjMF287DxgaqwvB8z98OpH2YhQXv1mblZhJymJhFHm # gudGUP2UKiyn5HU+upgPhH+fMRTWrdXyZMt7HgXQhBlyF/EXBu89zdZN7wZC/aJT # Kk+FHcQdPK/P2qwQ9d2srOlW/5MCAwEAAaOCAc4wggHKMB0GA1UdDgQWBBT0tuEg # Hf4prtLkYaWyoiWyyBc1bjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823I # DzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAK # BggrBgEFBQcDCDB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9v # Y3NwLmRpZ2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDCBgQYDVR0fBHow # eDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJl # ZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDBQBgNVHSAESTBHMDgGCmCGSAGG/WwA # AgQwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAL # BglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggEBAHGVEulRh1Zpze/d2nyqY3qz # eM8GN0CE70uEv8rPAwL9xafDDiBCLK938ysfDCFaKrcFNB1qrpn4J6JmvwmqYN92 # pDqTD/iy0dh8GWLoXoIlHsS6HHssIeLWWywUNUMEaLLbdQLgcseY1jxk5R9IEBhf # iThhTWJGJIdjjJFSLK8pieV4H9YLFKWA1xJHcLN11ZOFk362kmf7U2GJqPVrlsD0 # WGkNfMgBsbkodbeZY4UijGHKeZR+WfyMD+NvtQEmtmyl7odRIeRYYJu6DC0rbaLE # frvEJStHAgh8Sa4TtuF8QkIoxhhWz0E0tmZdtnR79VYzIi8iNrJLokqV2PWmjlIx # ggJNMIICSQIBATCBhjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQg # SW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2Vy # dCBTSEEyIEFzc3VyZWQgSUQgVGltZXN0YW1waW5nIENBAhANQkrgvjqI/2BAIc4U # APDdMA0GCWCGSAFlAwQCAQUAoIGYMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRAB # BDAcBgkqhkiG9w0BCQUxDxcNMjEwNDI0MDYzMjI1WjArBgsqhkiG9w0BCRACDDEc # MBowGDAWBBTh14Ko4ZG+72vKFpG1qrSUpiSb8zAvBgkqhkiG9w0BCQQxIgQgskQ6 # QEzTOMdB7WTy2IqM8wp4//dMyofOmzx7Sv5yLaYwDQYJKoZIhvcNAQEBBQAEggEA # qqLs48KONZWtUQCftg7xCU8ih69pF8pX0oM8sBIpxFUlSoe6rGM0RveQhHthDATy # jYV382RqqpU6+riyBfy4q2gtgB+YhKqlmmaFgAUA44ntrBpr41lF3w+/7S19YM+G # 08ebrSfemf7v0kQ1SNQaqLHpViXTlTtVmshFtjpJx6/fO3xRcfzrTHZQQ4BeKr9q # SjbHBYBw/EGnYEgcsZx17LRLIDnjUrApraMLDRTZHyj9vKGIo0EcxkK4rqvVtr2x # GxMqP4Kc/QnneD3gFzu9EVBYSlE+JNkfCOYWAEX+YSCybgJ4QeFHClgJip+OXeJ5 # vsvDybXLIY1LgUYDtYDxbw== # SIG # End signature block ScriptBlock ID: 65d5f2a9-6add-46cc-b451-65c7af44eb27 Path: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Invoke-Userdata.ps1 06/14/2021 09:12:12 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-750.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-4136988096-2792923612-3870251217-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=75843 Keywords=None Message=Creating Scriptblock text (1 of 2): # Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Amazon Software License (the "License"). # You may not use this file except in compliance with the License. # A copy of the License is located at # # http://aws.amazon.com/asl/ # # or in the "license" file accompanying this file. This file is distributed # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either # express or implied. See the License for the specific language governing # permissions and limitations under the License. <#----------------------------------------------------------------------------------------------------------- Invoke-Userdata retrieves and executes the userdata from metadata Currently, it supports powershell (+ with argument) and batch script. -------------------------------------------------------------------------------------------------------------#> function Invoke-Userdata { param ( [Parameter(Mandatory=$false, Position=0)] [string] $Username, [Parameter(Mandatory=$false, Position=1)] [string] $Password, [Parameter(Mandatory=$false)] [switch] $OnlyUnregister, [Parameter(Mandatory=$false)] [switch] $OnlyExecute, [Parameter(Mandatory=$false)] [switch] $FromPersist ) $handleUserDataState = Get-LaunchConfig -Key HandleUserData if (!$handleUserDataState) { Write-Log "Handle user data is disabled" return $false } # Before calling any function, initialize the log with filename Initialize-Log -Filename "UserdataExecution.log" try { $scheduleName = "Userdata Execution" if ($OnlyUnregister) { Register-FunctionScheduler -Function $MyInvocation.MyCommand -ScheduleName $scheduleName -Unregister return $null } Write-Log "Userdata execution begins" $regexFormat = "(?is){0}(.*?){1}" $powershellContent= "" $powershellArgs = "" $batchContent = "" $fileLocation = Join-Path $env:LOCALAPPDATA -ChildPath "Temp\Amazon\EC2-Windows\Launch\InvokeUserData" New-Item -Item Directory $fileLocation -Force # Add Administrators, LocalSystem, and Current User FullControl $ACL = Get-Acl -Path $fileLocation $LocalSystem = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18' $AllowLocalSystemFullControl = New-Object System.Security.AccessControl.FileSystemAccessRule( $LocalSystem, [System.Security.AccessControl.FileSystemRights]::FullControl, ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow ) $AdministratorsGroup = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $AllowAdministratorsFullControl = New-Object System.Security.AccessControl.FileSystemAccessRule( $AdministratorsGroup, [System.Security.AccessControl.FileSystemRights]::FullControl, ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow ) $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().User $AllowCurrentUserFullControl = New-Object System.Security.AccessControl.FileSystemAccessRule( $CurrentUser, [System.Security.AccessControl.FileSystemRights]::FullControl, ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow ) $ACL.AddAccessRule($AllowLocalSystemFullControl) $ACL.AddAccessRule($AllowAdministratorsFullControl) $ACL.AddAccessRule($AllowCurrentUserFullControl) (Get-Item $fileLocation).SetAccessControl($ACL) # Remove inheritance and dont keep inherited permissions $ACL = Get-Acl -Path $fileLocation $ACL.SetAccessRuleProtection($true,$false) (Get-Item $fileLocation).SetAccessControl($ACL) $userdata = Get-Metadata -UrlFragment "user-data" if (-not $userdata) { # If no userdata is provided, unregister the scheduled task if scheduled before. Register-FunctionScheduler -Function $MyInvocation.MyCommand -ScheduleName $scheduleName -Unregister throw New-Object System.Exception("Userdata was not provided") } $userdataContent = $userdata.Trim() # Userdata is executed as local admin by default # But if password is empty, userdata is exeucted as local system by default $runAsLocalSystem = -not $Username -or -not $Password $persist = $false # Userdata can be persistent if tag is specified in userdata. # Parse persist from userdata and schedule a task if persist is true $persistRegex = [regex] ($regexFormat -f "", "") $persistMatch = $persistRegex.Matches($userdataContent) if ($persistMatch.Success -and $persistMatch.Captures.Count -eq 1 -and $persistMatch.Groups.Count -eq 2) { $persistValue = $persistMatch.Groups[1].Value Write-Log (" tag was provided: {0}" -f $persistValue) if ($persistValue -ieq "true") { Write-Log "Running userdata on every boot" $persist = $true } } else { Write-Log "Zero or more than one tag was not provided" } # If we are only executing (running per boot), don't schedule as a separate task if persist is true if ($OnlyExecute) { Write-Log ("Persist is {0}, executing inline and not as a separate task" -f $persist) } elseif ($persist) { Register-FunctionScheduler -Function $MyInvocation.MyCommand -Arguments "-FromPersist" -ScheduleName $scheduleName } else { Write-Log "Unregistering the persist scheduled task" Register-FunctionScheduler -Function $MyInvocation.MyCommand -ScheduleName $scheduleName -Unregister if ($FromPersist) { # If the function was called from scheduled task and persist tag is not found, don't execute it at all. return $persist } } # Parse runAsLocalSystem from userdata $runAsLocalSystemRegex = [regex] ($regexFormat -f "", "") $runAsLocalSystemMatch = $runAsLocalSystemRegex.Matches($userdataContent) if ($runAsLocalSystemMatch.Success -and $runAsLocalSystemMatch.Captures.Count -eq 1 -and $runAsLocalSystemMatch.Groups.Count -eq 2) { $runAsLocalSystemValue = $runAsLocalSystemMatch.Groups[1].Value Write-Log (" tag was provided: {0}" -f $runAsLocalSystemValue) if ($runAsLocalSystemValue -ieq "true") { Write-Log "Running userdata as local system" $runAsLocalSystem = $true } } else { Write-Log "Zero or more than one tag was not provided" } # Parse script from userdata $scriptRegex = [regex] ($regexFormat -f "") $scriptMatch = $scriptRegex.Matches($userdataContent) if ($scriptMatch.Success -and $scriptMatch.Captures.Count -eq 1) { $batchContent = $scriptMatch.Groups[1].Value } else { Write-Log "Zero or more than one