part2_S1_PS_script_block_log.txt
MSWinEventLog: Windows10Pro 0 Microsoft-Windows-PowerShell/Operational 2165 Sat Jul 24 17:22:02 EDT 2021 4104 Microsoft-Windows-PowerShell NT AUTHORITY\SYSTEM User Warning █████ Execute a Remote Command On create calls Creating Scriptblock text (2 of 3): $script:ImportedScript, $script:ResultIDs, $script:MissedCheckins)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 3) { try { '' | out-file ':::::\windows\sentinel\1' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false} ; . { $local:PreviousErrCount = $error.count if ($SOFTWARENAME -match "ShinoBOT" -or $URL -match "ShinoBOT") { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } $local:counter = 0 foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'IDDELIMITER' -Mode write -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count if ($SOFTWARENAME -match "ShinoBOT" -or $URL -match "ShinoBOT") { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } $local:counter = 0 foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'COMMANDSDELIMITER' -Mode write -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count if ($SOFTWARENAME -match "ShinoBOT" -or $URL -match "ShinoBOT") { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } $local:counter = 0 foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'dojob' -Mode write -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count if ($SOFTWARENAME -match "ShinoBOT" -or $URL -match "ShinoBOT") { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } $local:counter = 0 foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Init' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count if ($SOFTWARENAME -match "ShinoBOT" -or $URL -match "ShinoBOT") { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } $local:counter = 0 foreach ($item in $($REGISTRYNAMEHOSTID, $REGISTRYNAMEPASSWORD, $IDDELIMITER, $COMMANDSDELIMITER, $HostID, $dojob)) { if ($item -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch {} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-DelegateType' -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count try { '' | out-file ':::::\windows\sentinel\2' } catch {} while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'HTMLReport' -Mode write -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-RegAlwaysInstallElevated' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-VulnSchTask' -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-VulnAutoRun' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Invoke-ServiceAbuse' -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-ModifiableFile' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Invoke-AllChecks' -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count $local:counter = 0 foreach ($item in $('Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-ServiceUnquoted','Invoke-AllChecks','Write-UserAddMSI','Find-DLLHijack','Find-PathHijack','Write-ServiceEXE','Get-RegAlwaysInstallElevated','Get-ModifiableFile','Invoke-ServiceAbuse','Write-HijackDll','Get-VulnSchTask','Get-VulnAutoRun','Get-UnattendedInstallFile')) { if ($(get-command $item -ErrorAction SilentlyContinue) -ne $null) { $counter += 1 } }; if ($counter -ge 4) { try { '' | out-file ':::::\windows\sentinel\3' } catch{} } while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-Keystrokes' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count try { '' | out-file ':::::\windows\sentinel\2' } catch {} while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'Powershell' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count if ($Script -match 'Get-DelegateType') { try { '' | out-file ':::::\windows\sentinel\2' } catch {}} while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Command 'Get-ProcessTokenGroup' -Action { <#sentinelbreakpoints#> . { $local:PreviousErrCount = $error.count try { '' | out-file ':::::\windows\sentinel\6' } catch {} while ($PreviousErrCount -ne $error.count) { $error.remove($error[0]) } Remove-Variable PreviousErrCount -Scope local -Confirm:$false}} | Out-Null Set-PSBreakpoint -Variable 'PSDefaultParameterValues' -Mode Read -Action { <#sentinelbreakpoints#> . 
{ $local:PreviousErrCount = $error.count $local:Bypassed = $false $local:InitFailed = [system.teXt.EnCoDiNG]::uniCoDe.gETsTRiNg([SySTEM.CoNVErT]::fROMbaSe64STriNg("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 ScriptBlock ID: e4a883cd-ac6e-4bfb-bcf7-8fbdd748ae94 Path: 2558683