(ScriptBlockText:Add\-Exfiltration* OR ScriptBlockText:Add\-Persistence* OR ScriptBlockText:Add\-RegBackdoor* OR ScriptBlockText:Add\-RemoteRegBackdoor* OR ScriptBlockText:Add\-ScrnSaveBackdoor* OR ScriptBlockText:ConvertTo\-Rc4ByteStream* OR ScriptBlockText:Decrypt\-Hash* OR ScriptBlockText:Disable\-ADIDNSNode* OR ScriptBlockText:Do\-Exfiltration* OR ScriptBlockText:Enable\-ADIDNSNode* OR ScriptBlockText:Enabled\-DuplicateToken* OR ScriptBlockText:Exploit\-Jboss* OR ScriptBlockText:Export\-ADRCSV* OR ScriptBlockText:Export\-ADRExcel* OR ScriptBlockText:Export\-ADRHTML* OR ScriptBlockText:Export\-ADRJSON* OR ScriptBlockText:Export\-ADRXML* OR ScriptBlockText:Find\-Fruit* OR ScriptBlockText:Find\-GPOLocation* OR ScriptBlockText:Find\-TrustedDocuments* OR ScriptBlockText:Get\-ADIDNSNodeAttribute* OR ScriptBlockText:Get\-ADIDNSNodeOwner* OR ScriptBlockText:Get\-ADIDNSNodeTombstoned* OR ScriptBlockText:Get\-ADIDNSPermission* OR ScriptBlockText:Get\-ADIDNSZone* OR ScriptBlockText:Get\-ChromeDump* OR ScriptBlockText:Get\-ClipboardContents* OR ScriptBlockText:Get\-FoxDump* OR ScriptBlockText:Get\-GPPPassword* OR ScriptBlockText:Get\-IndexedItem* OR ScriptBlockText:Get\-KerberosAESKey* OR ScriptBlockText:Get\-Keystrokes* OR ScriptBlockText:Get\-LSASecret* OR ScriptBlockText:Get\-PassHashes* OR ScriptBlockText:Get\-RegAlwaysInstallElevated* OR ScriptBlockText:Get\-RegAutoLogon* OR ScriptBlockText:Get\-RemoteBootKey* OR ScriptBlockText:Get\-RemoteCachedCredential* OR ScriptBlockText:Get\-RemoteLocalAccountHash* OR ScriptBlockText:Get\-RemoteLSAKey* OR ScriptBlockText:Get\-RemoteMachineAccountHash* OR ScriptBlockText:Get\-RemoteNLKMKey* OR ScriptBlockText:Get\-RickAstley* OR ScriptBlockText:Get\-SecurityPackages* OR ScriptBlockText:Get\-ServiceFilePermission* OR ScriptBlockText:Get\-ServicePermission* OR ScriptBlockText:Get\-ServiceUnquoted* OR ScriptBlockText:Get\-SiteListPassword* OR ScriptBlockText:Get\-System* OR ScriptBlockText:Get\-TimedScreenshot* OR ScriptBlockText:Get\-UnattendedInstallFile* OR ScriptBlockText:Get\-Unconstrained* OR ScriptBlockText:Get\-USBKeystrokes* OR ScriptBlockText:Get\-VaultCredential* OR ScriptBlockText:Get\-VulnAutoRun* OR ScriptBlockText:Get\-VulnSchTask* OR ScriptBlockText:Grant\-ADIDNSPermission* OR ScriptBlockText:Gupt\-Backdoor* OR ScriptBlockText:Invoke\-ACLScanner* OR ScriptBlockText:Invoke\-ADRecon* OR ScriptBlockText:Invoke\-ADSBackdoor* OR ScriptBlockText:Invoke\-AgentSmith* OR ScriptBlockText:Invoke\-AllChecks* OR ScriptBlockText:Invoke\-ARPScan* OR ScriptBlockText:Invoke\-AzureHound* OR ScriptBlockText:Invoke\-BackdoorLNK* OR ScriptBlockText:Invoke\-BadPotato* OR ScriptBlockText:Invoke\-BetterSafetyKatz* OR ScriptBlockText:Invoke\-BypassUAC* OR ScriptBlockText:Invoke\-Carbuncle* OR ScriptBlockText:Invoke\-Certify* OR ScriptBlockText:Invoke\-ConPtyShell* OR ScriptBlockText:Invoke\-CredentialInjection* OR ScriptBlockText:Invoke\-DAFT* OR ScriptBlockText:Invoke\-DCSync* OR ScriptBlockText:Invoke\-DinvokeKatz* OR ScriptBlockText:Invoke\-DllInjection* OR ScriptBlockText:Invoke\-DNSUpdate* OR ScriptBlockText:Invoke\-DNSExfiltrator* OR ScriptBlockText:Invoke\-DomainPasswordSpray* OR ScriptBlockText:Invoke\-DowngradeAccount* OR ScriptBlockText:Invoke\-EgressCheck* OR ScriptBlockText:Invoke\-Eyewitness* OR ScriptBlockText:Invoke\-FakeLogonScreen* OR ScriptBlockText:Invoke\-Farmer* OR ScriptBlockText:Invoke\-Get\-RBCD\-Threaded* OR ScriptBlockText:Invoke\-Gopher* OR ScriptBlockText:Invoke\-Grouper* OR ScriptBlockText:Invoke\-HandleKatz* OR ScriptBlockText:Invoke\-ImpersonatedProcess* OR ScriptBlockText:Invoke\-ImpersonateSystem* OR ScriptBlockText:Invoke\-InteractiveSystemPowerShell* OR ScriptBlockText:Invoke\-Internalmonologue* OR ScriptBlockText:Invoke\-Inveigh* OR ScriptBlockText:Invoke\-InveighRelay* OR ScriptBlockText:Invoke\-KrbRelay* OR ScriptBlockText:Invoke\-LdapSignCheck* OR ScriptBlockText:Invoke\-Lockless* OR ScriptBlockText:Invoke\-MalSCCM* OR ScriptBlockText:Invoke\-Mimikatz* OR ScriptBlockText:Invoke\-Mimikittenz* OR ScriptBlockText:Invoke\-MITM6* OR ScriptBlockText:Invoke\-NanoDump* OR ScriptBlockText:Invoke\-NetRipper* OR ScriptBlockText:Invoke\-Nightmare* OR ScriptBlockText:Invoke\-NinjaCopy* OR ScriptBlockText:Invoke\-OfficeScrape* OR ScriptBlockText:Invoke\-OxidResolver* OR ScriptBlockText:Invoke\-P0wnedshell* OR ScriptBlockText:Invoke\-Paranoia* OR ScriptBlockText:Invoke\-PortScan* OR ScriptBlockText:Invoke\-PoshRatHttp* OR ScriptBlockText:Invoke\-PostExfil* OR ScriptBlockText:Invoke\-PowerDump* OR ScriptBlockText:Invoke\-PowerDPAPI* OR ScriptBlockText:Invoke\-PowerShellTCP* OR ScriptBlockText:Invoke\-PowerShellWMI* OR ScriptBlockText:Invoke\-PPLDump* OR ScriptBlockText:Invoke\-PsExec* OR ScriptBlockText:Invoke\-PSInject* OR ScriptBlockText:Invoke\-PsUaCme* OR ScriptBlockText:Invoke\-ReflectivePEInjection* OR ScriptBlockText:Invoke\-ReverseDNSLookup* OR ScriptBlockText:Invoke\-Rubeus* OR ScriptBlockText:Invoke\-RunAs* OR ScriptBlockText:Invoke\-SafetyKatz* OR ScriptBlockText:Invoke\-SauronEye* OR ScriptBlockText:Invoke\-SCShell* OR ScriptBlockText:Invoke\-Seatbelt* OR ScriptBlockText:Invoke\-ServiceAbuse* OR ScriptBlockText:Invoke\-ShadowSpray* OR ScriptBlockText:Invoke\-Sharp* OR ScriptBlockText:Invoke\-Shellcode* OR ScriptBlockText:Invoke\-SMBScanner* OR ScriptBlockText:Invoke\-Snaffler* OR ScriptBlockText:Invoke\-Spoolsample* OR ScriptBlockText:Invoke\-SpraySinglePassword* OR ScriptBlockText:Invoke\-SSHCommand* OR ScriptBlockText:Invoke\-StandIn* OR ScriptBlockText:Invoke\-StickyNotesExtract* OR ScriptBlockText:Invoke\-SystemCommand* OR ScriptBlockText:Invoke\-Tasksbackdoor* OR ScriptBlockText:Invoke\-Tater* OR ScriptBlockText:Invoke\-Thunderfox* OR ScriptBlockText:Invoke\-ThunderStruck* OR ScriptBlockText:Invoke\-TokenManipulation* OR ScriptBlockText:Invoke\-Tokenvator* OR ScriptBlockText:Invoke\-TotalExec* OR ScriptBlockText:Invoke\-UrbanBishop* OR ScriptBlockText:Invoke\-UserHunter* OR ScriptBlockText:Invoke\-VoiceTroll* OR ScriptBlockText:Invoke\-Whisker* OR ScriptBlockText:Invoke\-WinEnum* OR ScriptBlockText:Invoke\-winPEAS* OR ScriptBlockText:Invoke\-WireTap* OR ScriptBlockText:Invoke\-WmiCommand* OR ScriptBlockText:Invoke\-WMIExec* OR ScriptBlockText:Invoke\-WScriptBypassUAC* OR ScriptBlockText:Invoke\-Zerologon* OR ScriptBlockText:MailRaider* OR ScriptBlockText:New\-ADIDNSNode* OR ScriptBlockText:New\-HoneyHash* OR ScriptBlockText:New\-InMemoryModule* OR ScriptBlockText:New\-SOASerialNumberArray* OR ScriptBlockText:Out\-Minidump* OR ScriptBlockText:PowerBreach* OR ScriptBlockText:powercat\ * OR ScriptBlockText:PowerUp* OR ScriptBlockText:PowerView* OR ScriptBlockText:Remove\-ADIDNSNode* OR ScriptBlockText:Remove\-Update* OR ScriptBlockText:Rename\-ADIDNSNode* OR ScriptBlockText:Revoke\-ADIDNSPermission* OR ScriptBlockText:Set\-ADIDNSNode* OR ScriptBlockText:Show\-TargetScreen* OR ScriptBlockText:Start\-CaptureServer* OR ScriptBlockText:Start\-Dnscat2* OR ScriptBlockText:Start\-WebcamRecorder* OR ScriptBlockText:VolumeShadowCopyTools*) (-(ScriptBlockText:Get\-SystemDriveInfo* OR ScriptBlockText:C\:\\ProgramData\\Amazon\\EC2\-Windows\\Launch\\Module\\*))