part3_S1_PS_script_block_log.txt
MSWinEventLog: Windows10Pro 0 Microsoft-Windows-PowerShell/Operational 2166 Sat Jul 24 17:22:02 EDT 2021 4104 Microsoft-Windows-PowerShell NT AUTHORITY\SYSTEM User Warning █████ Execute a Remote Command On create calls Creating Scriptblock text (3 of 3): 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")) | iex $local:Context = [system.teXt.EnCoDiNG]::uniCoDe.gETsTRiNg([SySTEM.CoNVErT]::fROMbaSe64STriNg("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")) | iex if ($local:Context -eq 0) { } elseif (!$local:InitFailed) { $local:ContextHeader = [Runtime.InteropServices.Marshal]::ReadInt32($local:Context) $local:Bypassed = ($local:ContextHeader -ne 0x49534d41) Remove-Variable ContextHeader -Scope local -Confirm:$false } else { $local:Bypassed = $true } if ($local:Bypassed) { try { '' | out-file ':::::\windows\sentinel\7' } catch {} } Remove-Variable Context -Scope local -Confirm:$false Remove-Variable InitFailed -Scope local -Confirm:$false Remove-Variable Bypassed -Scope local -Confirm:$false while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null $local:PowerSploitIndicators = ( "Invoke-DllInjection", "Invoke-ReflectivePEInjection", "Invoke-Shellcode", "Invoke-WmiCommand", "Out-EncodedCommand", "Out-CompressedDll", "Out-EncryptedScript", "Remove-Comment", "New-UserPersistenceOption", "New-ElevatedPersistenceOption", "Add-Persistence", "Install-SSP", "Get-SecurityPackages", "Find-AVSignature", "Invoke-TokenManipulation", "Invoke-CredentialInjection", "Invoke-NinjaCopy", "Invoke-Mimikatz", "Get-Keystrokes", "Get-GPPPassword", "Get-GPPAutologon", "Get-TimedScreenshot", "New-VolumeShadowCopy", "Get-VolumeShadowCopy", "Mount-VolumeShadowCopy", "Remove-VolumeShadowCopy", "Get-VaultCredential", "Out-Minidump", "Get-MicrophoneAudio", "Set-MasterBootRecord", "Set-CriticalProcess", "Invoke-Portscan", "Get-HttpStatus", "Invoke-ReverseDnsLookup", "Get-ProcessTokenGroup", 
"Get-System", "Invoke-Kerberoast" ) foreach ($item in $local:PowerSploitIndicators) { Set-PSBreakpoint -Command $item -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count try { '' | out-file ':::::\windows\sentinel\8' } catch {} while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false} } | Out-Null }; if ($(Get-ExecutionPolicy MachinePolicy) -eq 'Undefined' -and $(Get-ExecutionPolicy UserPolicy) -eq 'Undefined') { Set-ExecutionPolicy -Scope Process 'Undefined' if ($env:origPSExecutionPolicyPreference) { try {Set-ExecutionPolicy -Scope Process -ExecutionPolicy $env:origPSExecutionPolicyPreference -Force} catch {} try { Remove-Item Env:\origPSExecutionPolicyPreference -ErrorAction SilentlyContinue | Out-Null } catch {} } } ScriptBlock ID: e4a883cd-ac6e-4bfb-bcf7-8fbdd748ae94 Path: 2558684