06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78229 Keywords=None Message=Completed invocation of ScriptBlock ID: 85e07c0f-5d15-4d7a-8123-8fe946eb3d63 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78228 Keywords=None Message=Started invocation of ScriptBlock ID: 85e07c0f-5d15-4d7a-8123-8fe946eb3d63 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78227 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: 85e07c0f-5d15-4d7a-8123-8fe946eb3d63 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78226 Keywords=None Message=Completed invocation of ScriptBlock ID: 3c167284-05e0-4515-bd67-ee3d750f2763 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78225 Keywords=None Message=Completed invocation of ScriptBlock ID: ab0b5591-4ff1-4f6f-9295-ad7dee1a56c1 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78224 Keywords=None Message=Completed invocation of ScriptBlock ID: c7cefc3d-cd47-49cf-b8d5-38917a55dde3 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78223 Keywords=None Message=Completed invocation of ScriptBlock ID: 41f460ce-4f12-4c3e-8bd4-338f74e71f5c Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78222 Keywords=None Message=Completed invocation of ScriptBlock ID: 2b01afff-62d8-45a4-87a2-910c901a02ea Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78221 Keywords=None Message=Completed invocation of ScriptBlock ID: 025a87e9-108f-4fca-bfd4-fdd61cfec9d9 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78220 Keywords=None Message=Completed invocation of ScriptBlock ID: ff80cfd6-2677-4d12-94f4-d3d8adedeccc Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78219 Keywords=None Message=Completed invocation of ScriptBlock ID: 1cc88404-ee12-46ad-bc1d-d5d0712e4ede Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78218 Keywords=None Message=Completed invocation of ScriptBlock ID: 1f978d59-8cad-4ed0-b87c-9933ed3b9465 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78217 Keywords=None Message=Completed invocation of ScriptBlock ID: 2dd50d4c-652f-4960-a8f1-233dbe79f2e2 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78216 Keywords=None Message=Completed invocation of ScriptBlock ID: 863a42e0-03b0-4574-b0cd-49889fdb9d6f Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78215 Keywords=None Message=Completed invocation of ScriptBlock ID: f60ac70b-0488-41b9-b8c2-d500701dd314 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78214 Keywords=None Message=Completed invocation of ScriptBlock ID: cd74f704-8008-4371-a7d8-eb2a395a2c41 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78213 Keywords=None Message=Completed invocation of ScriptBlock ID: aac83821-ece7-4ad2-9b2a-ac750662743c Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78212 Keywords=None Message=Started invocation of ScriptBlock ID: aac83821-ece7-4ad2-9b2a-ac750662743c Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78211 Keywords=None Message=Completed invocation of ScriptBlock ID: 80ece5c4-3040-450b-b699-6e76c76c42db Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78210 Keywords=None Message=Started invocation of ScriptBlock ID: 80ece5c4-3040-450b-b699-6e76c76c42db Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78209 Keywords=None Message=Started invocation of ScriptBlock ID: ab0b5591-4ff1-4f6f-9295-ad7dee1a56c1 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78208 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: ab0b5591-4ff1-4f6f-9295-ad7dee1a56c1 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78207 Keywords=None Message=Started invocation of ScriptBlock ID: c7cefc3d-cd47-49cf-b8d5-38917a55dde3 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78206 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: c7cefc3d-cd47-49cf-b8d5-38917a55dde3 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78205 Keywords=None Message=Started invocation of ScriptBlock ID: 41f460ce-4f12-4c3e-8bd4-338f74e71f5c Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78204 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 41f460ce-4f12-4c3e-8bd4-338f74e71f5c Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78203 Keywords=None Message=Started invocation of ScriptBlock ID: 2b01afff-62d8-45a4-87a2-910c901a02ea Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78202 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 2b01afff-62d8-45a4-87a2-910c901a02ea Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78201 Keywords=None Message=Started invocation of ScriptBlock ID: 025a87e9-108f-4fca-bfd4-fdd61cfec9d9 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78200 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 025a87e9-108f-4fca-bfd4-fdd61cfec9d9 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78199 Keywords=None Message=Started invocation of ScriptBlock ID: ff80cfd6-2677-4d12-94f4-d3d8adedeccc Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78198 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: ff80cfd6-2677-4d12-94f4-d3d8adedeccc Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78197 Keywords=None Message=Started invocation of ScriptBlock ID: 1cc88404-ee12-46ad-bc1d-d5d0712e4ede Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78196 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 1cc88404-ee12-46ad-bc1d-d5d0712e4ede Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78195 Keywords=None Message=Started invocation of ScriptBlock ID: 1f978d59-8cad-4ed0-b87c-9933ed3b9465 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78194 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 1f978d59-8cad-4ed0-b87c-9933ed3b9465 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78193 Keywords=None Message=Started invocation of ScriptBlock ID: 2dd50d4c-652f-4960-a8f1-233dbe79f2e2 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78192 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 2dd50d4c-652f-4960-a8f1-233dbe79f2e2 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78191 Keywords=None Message=Started invocation of ScriptBlock ID: 863a42e0-03b0-4574-b0cd-49889fdb9d6f Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78190 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: 863a42e0-03b0-4574-b0cd-49889fdb9d6f Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78189 Keywords=None Message=Started invocation of ScriptBlock ID: f60ac70b-0488-41b9-b8c2-d500701dd314 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78188 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: f60ac70b-0488-41b9-b8c2-d500701dd314 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78187 Keywords=None Message=Started invocation of ScriptBlock ID: cd74f704-8008-4371-a7d8-eb2a395a2c41 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78186 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue ScriptBlock ID: cd74f704-8008-4371-a7d8-eb2a395a2c41 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78185 Keywords=None Message=Completed invocation of ScriptBlock ID: 5c9ecefe-f30c-4c0c-844c-bbe8231b6344 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78184 Keywords=None Message=Started invocation of ScriptBlock ID: 5c9ecefe-f30c-4c0c-844c-bbe8231b6344 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78183 Keywords=None Message=Started invocation of ScriptBlock ID: 3c167284-05e0-4515-bd67-ee3d750f2763 Runspace ID: bae408a8-8b09-4d7f-a10b-9a83fe9d1c07 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78182 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-CimInstance Win32_ShadowCopy | Remove-CimInstance ScriptBlock ID: 3c167284-05e0-4515-bd67-ee3d750f2763 Path: 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=78181 Keywords=None Message=PowerShell console is ready for user input 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=78180 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 5896 in AppDomain: DefaultAppDomain. 06/21/2021 02:30:42 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=78179 Keywords=None Message=PowerShell console is starting up 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78242 Keywords=None Message=Completed invocation of ScriptBlock ID: 2ea09666-1a11-48e7-9103-9467a5b6c49d Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78241 Keywords=None Message=Completed invocation of ScriptBlock ID: 2c620181-60c5-4f78-a7c7-99ccfcd07485 Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78240 Keywords=None Message=Started invocation of ScriptBlock ID: 2c620181-60c5-4f78-a7c7-99ccfcd07485 Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78239 Keywords=None Message=Completed invocation of ScriptBlock ID: f6b005da-c7b1-4a2c-9564-d81222b7e9ec Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78238 Keywords=None Message=Started invocation of ScriptBlock ID: f6b005da-c7b1-4a2c-9564-d81222b7e9ec Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78237 Keywords=None Message=Started invocation of ScriptBlock ID: 2ea09666-1a11-48e7-9103-9467a5b6c49d Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78236 Keywords=None Message=Completed invocation of ScriptBlock ID: f67e8624-ba4a-4331-ae24-39e3345227fd Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78235 Keywords=None Message=Started invocation of ScriptBlock ID: f67e8624-ba4a-4331-ae24-39e3345227fd Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78234 Keywords=None Message=Started invocation of ScriptBlock ID: 6a1dc8ed-bd7c-431b-b0b9-f0fb57869fd4 Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78233 Keywords=None Message=Creating Scriptblock text (1 of 1): Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol ScriptBlock ID: 6a1dc8ed-bd7c-431b-b0b9-f0fb57869fd4 Path: 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=78232 Keywords=None Message=PowerShell console is ready for user input 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=78231 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 1900 in AppDomain: DefaultAppDomain. 06/21/2021 02:30:52 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=78230 Keywords=None Message=PowerShell console is starting up 06/21/2021 02:31:10 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78246 Keywords=None Message=Completed invocation of ScriptBlock ID: 1b8489ea-ec80-4035-a8ed-1b516d23eafe Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:31:10 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=78245 Keywords=None Message=Started invocation of ScriptBlock ID: 1b8489ea-ec80-4035-a8ed-1b516d23eafe Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73 06/21/2021 02:31:10 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=78244 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: 1b8489ea-ec80-4035-a8ed-1b516d23eafe Path: 06/21/2021 02:31:10 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-385.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-792582155-850038707-153534265-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=78243 Keywords=None Message=Completed invocation of ScriptBlock ID: 6a1dc8ed-bd7c-431b-b0b9-f0fb57869fd4 Runspace ID: 7a132d68-003f-4f7e-88e6-13e4e2ab1c73