-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathparsed.json
52 lines (52 loc) · 3.53 KB
/
parsed.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
{
"RenderingInfo": {
"Culture": "en-US"
},
"Task": "106",
"Correlation": {
"ActivityID": "{B3FA0929-222B-0002-D80C-FAB32B22D701}"
},
"Keywords": "0x0",
"Channel": "Microsoft-Windows-PowerShell/Operational",
"Opcode": "20",
"Security": {
"UserID": "S-1-5-21-1568124518-47167176-2301812064-500"
},
"EventData": {
"Payload": "CommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"TypeDefinition\"; value=\"using System;\nusing System.ComponentModel;\nusing System.Runtime.InteropServices;\n\nnamespace Ansible.Command {\n public class SymLinkHelper {\n [DllImport(\"kernel32.dll\", CharSet=CharSet.Unicode, SetLastError=true)]\n public static extern bool DeleteFileW(string lpFileName);\n\n [DllImport(\"kernel32.dll\", CharSet=CharSet.Unicode, SetLastError=true)]\n public static extern bool RemoveDirectoryW(string lpPathName);\n\n public static void DeleteDirectory(string path) {\n if (!RemoveDirectoryW(path))\n throw new Exception(String.Format(\"RemoveDirectoryW({0}) failed: {1}\", path, new Win32Exception(Marshal.GetLastWin32Error()).Message));\n }\n\n public static void DeleteFile(string path) {\n if (!DeleteFileW(path))\n throw new Exception(String.Format(\"DeleteFileW({0}) failed: {1}\", path, new Win32Exception(Marshal.GetLastWin32Error()).Message));\n }\n }\n}\"",
"ContextInfo": {
"Runspace ID": "3fe0b8d7-99ec-4a5b-b884-519c54b81b30",
"User": "ATTACKRANGE\\Administrator",
"Engine Version": "5.1.14393.3866",
"Host ID": "8b3eca31-5ae7-4673-9c7e-fd045c7d2edf",
"Command Path": "",
"Severity": "Informational",
"Host Name": "Default Host",
"Shell ID": "Microsoft.PowerShell",
"Sequence Number": "34",
"Command Type": "Cmdlet",
"Pipeline ID": "6",
"Connected User": "",
"Host Version": "5.1.14393.3866",
"Host Application": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==",
"Script Name": "C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1",
"Command Name": "Add-Type"
}
},
"Provider": {
"Guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"Name": "Microsoft-Windows-PowerShell"
},
"TimeCreated": {
"SystemTime": "2021-03-26T10:40:25.381297100Z"
},
"EventRecordID": "62141",
"Execution": {
"ThreadID": "4492",
"ProcessID": "3272"
},
"Version": "1",
"Computer": "win-dc-683.attackrange.local",
"EventID": "4103",
"Level": "4"
}