snaffler.tsv
37 lines (37 loc) · 10 KB
[child\ffast@client1] 2023-10-03 08:04:35Z [Info] Parsing args...
[child\ffast@client1] 2023-10-03 08:04:36Z [Info] Parsed args successfully.
[child\ffast@client1] 2023-10-03 08:04:36Z [Info] Starting to look for readable shares...
[child\ffast@client1] 2023-10-03 08:04:36Z [Info] Created all sharefinder tasks.
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Black \\fs1.child.testlab.local\ADMIN$
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\ADMIN$ R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Black \\fs1.child.testlab.local\C$
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\C$ R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\D$ R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\ORG R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\Share1$ R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\SOFTWARE R
[child\ffast@client1] 2023-10-03 08:04:36Z [Share] Green \\fs1.child.testlab.local\TRANSFER R
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Red KeepPassOrKeyInCode R passw?o?r?d?>\s*[^\s<]+\s*< 6557 2023-05-30 23:04:18Z \\fs1.child.testlab.local\ADMIN$\Panther\unattend.xml "http://schemas\.microsoft\.com/2009/05/WindowsAzure/ServiceManagement"\ xmlns:wa="http://schemas\.microsoft\.com/windowsazure">\*SENSITIVE\*DATA\*DELETED\*</AdministratorPassword>\r\n</UserAccounts><AutoLogon><Password>\*SENSITIVE\*DATA\*DELETED\*</Password><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>lab_admin</Username></AutoLogon><FirstLogonCommands>\r\n\ \ \ \ <SynchronousCommand>\r\n\ \ \ \ \ \ \ \ <CommandL
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Red KeepPassOrKeyInCode R passw?o?r?d?>\s*[^\s<]+\s*< 66723 2023-05-31 06:05:09Z \\fs1.child.testlab.local\ADMIN$\Panther\WaSetup.xml loaded\ from\ E:\\ovf-env\.xml</Initialize></Event>\r\n<Event\ time="2023-05-31T06:04:14\.619Z"\ category="INFO"\ source="Environment"><WindowsProvisioningConfigurationSet><ComputerName>FS1</ComputerName><AdminPassword>\*SENSITIVE\*DATA\*DELETED\*</AdminPassword><ResetPasswordOnFirstLogon>false</ResetPasswordOnFirstLogon></WindowsProvisioningConfigurationSet></Event>\r\n<Event\ time="2023-05-31T06:04:14\.619Z"\ cate
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Black KeepPassMgrsByExtension R ^\.kdbx$ 2110 2022-02-15 17:23:54Z \\fs1.child.testlab.local\TRANSFER\tmassie\passwords.kdbx .kdbx
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Green KeepNameContainsGreen R passw 2110 2022-02-15 17:23:54Z \\fs1.child.testlab.local\TRANSFER\tmassie\passwords.kdbx passwords.kdbx
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Red KeepPassOrKeyInCode R passw?o?r?d\s*=\s*[\'\"][^\'\"].... 18066 2022-02-15 17:59:02Z \\fs1.child.testlab.local\TRANSFER\rhuntley\mrng_backup.xml tDisplayThemes="false"\ InheritDisplayWallpaper="false"\ InheritEnableFontSmoothing="false"\ InheritEnableDesktopComposition="false"\ InheritDomain="false"\ InheritIcon="false"\ InheritPanel="false"\ InheritPassword="false"\ InheritPort="false"\ InheritProtocol="false"\ InheritPuttySession="false"\ InheritRedirectDiskDrives="false"\ InheritRedirectKeys="false"\ InheritRedirectPorts="false"\ InheritRedirectPrint
[child\ffast@client1] 2023-10-03 08:04:46Z [File] Yellow KeepDeployImageByExtension R ^\.wim$ 30578384 2023-05-05 11:26:24Z \\fs1.child.testlab.local\ADMIN$\Containers\serviced\WindowsDefenderApplicationGuard.wim .wim
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Red KeepPassOrKeyInCode R passw?o?r?d?>\s*[^\s<]+\s*< 6557 2023-05-30 23:04:18Z \\fs1.child.testlab.local\C$\Windows\Panther\unattend.xml "http://schemas\.microsoft\.com/2009/05/WindowsAzure/ServiceManagement"\ xmlns:wa="http://schemas\.microsoft\.com/windowsazure">\*SENSITIVE\*DATA\*DELETED\*</AdministratorPassword>\r\n</UserAccounts><AutoLogon><Password>\*SENSITIVE\*DATA\*DELETED\*</Password><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>lab_admin</Username></AutoLogon><FirstLogonCommands>\r\n\ \ \ \ <SynchronousCommand>\r\n\ \ \ \ \ \ \ \ <CommandL
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Red KeepPassOrKeyInCode R passw?o?r?d?>\s*[^\s<]+\s*< 66723 2023-05-31 06:05:09Z \\fs1.child.testlab.local\C$\Windows\Panther\WaSetup.xml loaded\ from\ E:\\ovf-env\.xml</Initialize></Event>\r\n<Event\ time="2023-05-31T06:04:14\.619Z"\ category="INFO"\ source="Environment"><WindowsProvisioningConfigurationSet><ComputerName>FS1</ComputerName><AdminPassword>\*SENSITIVE\*DATA\*DELETED\*</AdminPassword><ResetPasswordOnFirstLogon>false</ResetPasswordOnFirstLogon></WindowsProvisioningConfigurationSet></Event>\r\n<Event\ time="2023-05-31T06:04:14\.619Z"\ cate
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Green KeepNameContainsGreen R passw 40717 2022-08-19 17:51:14Z \\fs1.child.testlab.local\ORG\HR\employees\password_letter_Adam_Amaker.docx password_letter_Adam_Amaker.docx
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Green KeepNameContainsGreen R passw 40503 2022-08-19 17:45:54Z \\fs1.child.testlab.local\ORG\HR\employees\password_letter_template.docx password_letter_template.docx
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Green KeepNameContainsGreen R credential 26232 2023-07-17 15:42:54Z \\fs1.child.testlab.local\C$\WindowsAzure\GuestAgent_2.7.41491.1095_2023-10-02_131817\Microsoft.WindowsAzure.Security.CredentialsManagement.Package.dll Microsoft.WindowsAzure.Security.CredentialsManagement.Package.dll
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Green KeepNameContainsGreen R passw 40923 2022-08-19 17:50:58Z \\fs1.child.testlab.local\ORG\HR\employees\password_letter_Elizabeth_Clifton.docx password_letter_Elizabeth_Clifton.docx
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Red KeepPsCredentials R -SecureString 1206 2022-08-19 18:00:44Z \\fs1.child.testlab.local\ORG\IT\utils\bulk_create_ad_users.ps1 \t\t\t-Surname\ \$Lastname\ `\r\n\t\t\t-Enabled\ \$True\ `\r\n\t\t\t-ChangePasswordAtLogon\ \$True\ `\r\n\t\t\t-DisplayName\ "\$Lastname,\ \$Firstname"\ `\r\n\t\t\t-Department\ \$Department\ `\r\n\t\t\t-Path\ \$OU\ `\r\n\t\t\t-AccountPassword\ \(convertto-securestring\ "<INSERT\ WELCOME\ PASSWORD\ HERE>"\ -AsPlainText\ -Force\)\r\n\t\ \ \ \ }\r\n}
[child\ffast@client1] 2023-10-03 08:04:49Z [File] Yellow KeepDbConnStringPw R connectionstring.{1,200}passw 629 2022-02-22 18:15:02Z \\fs1.child.testlab.local\ORG\IT\dbs\query_db.ps1 ge]\r\n\ \ \ \ ,\ des\.program_name\r\n\ \ \ \ ,\ des\.host_name\r\nFROM\ sys\.dm_exec_connections\ dec\r\nJOIN\ sys\.dm_exec_sessions\ des\ ON\ dec\.session_id\ =\ des\.session_id\r\nWHERE\ dec\.session_id\ =\ @@SPID'\r\n\r\nInvoke-Sqlcmd\ \ -ConnectionString\ "Data\ Source=\$SqlServer;\ User\ Id=\$SqlAuthLogin;\ Password\ =\$SqlAuthPw"\ -Query\ "\$Query"\ \ \|\ Format-Table
[child\ffast@client1] 2023-10-03 08:04:50Z [File] Black KeepPassMgrsByExtension R ^\.kdbx$ 2110 2022-02-15 17:23:54Z \\fs1.child.testlab.local\C$\Shares\TRANSFER\tmassie\passwords.kdbx .kdbx
[child\ffast@client1] 2023-10-03 08:04:50Z [File] Green KeepNameContainsGreen R passw 2110 2022-02-15 17:23:54Z \\fs1.child.testlab.local\C$\Shares\TRANSFER\tmassie\passwords.kdbx passwords.kdbx
[child\ffast@client1] 2023-10-03 08:04:50Z [File] Red KeepPassOrKeyInCode R passw?o?r?d\s*=\s*[\'\"][^\'\"].... 18066 2022-02-15 17:59:02Z \\fs1.child.testlab.local\C$\Shares\TRANSFER\rhuntley\mrng_backup.xml tDisplayThemes="false"\ InheritDisplayWallpaper="false"\ InheritEnableFontSmoothing="false"\ InheritEnableDesktopComposition="false"\ InheritDomain="false"\ InheritIcon="false"\ InheritPanel="false"\ InheritPassword="false"\ InheritPort="false"\ InheritProtocol="false"\ InheritPuttySession="false"\ InheritRedirectDiskDrives="false"\ InheritRedirectKeys="false"\ InheritRedirectPorts="false"\ InheritRedirectPrint
[child\ffast@client1] 2023-10-03 08:04:50Z [File] Yellow KeepDeployImageByExtension R ^\.wim$ 30578384 2023-05-05 11:26:24Z \\fs1.child.testlab.local\C$\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim .wim
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Green KeepNameContainsGreen R credential 3417 2018-09-15 07:13:55Z \\fs1.child.testlab.local\C$\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml RoamingCredentialSettings.xml
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Green KeepNameContainsGreen R passw 40717 2022-08-19 17:51:14Z \\fs1.child.testlab.local\C$\Shares\ORG\HR\employees\password_letter_Adam_Amaker.docx password_letter_Adam_Amaker.docx
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Green KeepNameContainsGreen R passw 40923 2022-08-19 17:50:58Z \\fs1.child.testlab.local\C$\Shares\ORG\HR\employees\password_letter_Elizabeth_Clifton.docx password_letter_Elizabeth_Clifton.docx
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Green KeepNameContainsGreen R passw 40503 2022-08-19 17:45:54Z \\fs1.child.testlab.local\C$\Shares\ORG\HR\employees\password_letter_template.docx password_letter_template.docx
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Red KeepPsCredentials R -SecureString 1206 2022-08-19 18:00:44Z \\fs1.child.testlab.local\C$\Shares\ORG\IT\utils\bulk_create_ad_users.ps1 \t\t\t-Surname\ \$Lastname\ `\r\n\t\t\t-Enabled\ \$True\ `\r\n\t\t\t-ChangePasswordAtLogon\ \$True\ `\r\n\t\t\t-DisplayName\ "\$Lastname,\ \$Firstname"\ `\r\n\t\t\t-Department\ \$Department\ `\r\n\t\t\t-Path\ \$OU\ `\r\n\t\t\t-AccountPassword\ \(convertto-securestring\ "<INSERT\ WELCOME\ PASSWORD\ HERE>"\ -AsPlainText\ -Force\)\r\n\t\ \ \ \ }\r\n}
[child\ffast@client1] 2023-10-03 08:04:51Z [File] Yellow KeepDbConnStringPw R connectionstring.{1,200}passw 629 2022-02-22 18:15:02Z \\fs1.child.testlab.local\C$\Shares\ORG\IT\dbs\query_db.ps1 ge]\r\n\ \ \ \ ,\ des\.program_name\r\n\ \ \ \ ,\ des\.host_name\r\nFROM\ sys\.dm_exec_connections\ dec\r\nJOIN\ sys\.dm_exec_sessions\ des\ ON\ dec\.session_id\ =\ des\.session_id\r\nWHERE\ dec\.session_id\ =\ @@SPID'\r\n\r\nInvoke-Sqlcmd\ \ -ConnectionString\ "Data\ Source=\$SqlServer;\ User\ Id=\$SqlAuthLogin;\ Password\ =\$SqlAuthPw"\ -Query\ "\$Query"\ \ \|\ Format-Table