Get-winevent: Difference between revisions
Jump to navigation
Jump to search
No edit summary (change visibility) |
No edit summary (change visibility) |
||
Line 53: | Line 53: | ||
} | } | ||
</syntaxhighlight> | |||
=hunting logon events= | |||
<syntaxhighlight lang="powershell"> | |||
#get all properties of the user to be found | |||
get-aduser $samaccountname -properties * | fl * | |||
#search replication metadata for originating server of the last changed object (logondate or logontimestamp) | |||
get-aduser $samaccountname | Get-ADReplicationAttributeMetadata -IncludeDeletedObjects -server $servername | ft * -auto | |||
#query the found server | |||
$events = get-winevent -FilterHashtable @{logname="security";id=4624;data="$samaccountname"} -ComputerName $originatingserver | |||
#convert the event to something human-readable | |||
ForEach ($Event in $Events) { | |||
# Convert the event to XML | |||
$eventXML = [xml]$Event.ToXml() | |||
# Iterate through each one of the XML message properties | |||
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { | |||
# Append these as object properties | |||
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' | |||
} | |||
} | |||
#try backtracing the ipaddress (probably not possible because otherwise it would be in the event already) | |||
$events | select ipaddress -unique | foreach{ping -a $_.ipaddress} | |||
</syntaxhighlight> | </syntaxhighlight> |
Revision as of 10:37, 2 January 2017
$ID=@(5150..5159)
$list=@(5123,123)
Get-WinEvent -FilterHashtable @{logname='security'; id=4757}
Get-WinEvent -FilterHashtable @{logname='forwardedevents'; id=4757}
$all | where{$_.message -like ("*searchstring*")} | fl message
$test = Get-WinEvent -filterHashTable @{Logname='forwardedevents'; Data="searchstring"}
$test| where{@("4624","4634") -notcontains $_.id} | fl message
$table= Get-WinEvent -ComputerName localhost -FilterHashtable @{LogName='ForwardedEvents';id=4724}
$table | %{write-host $_.id $_.timecreated $_.properties[0].value $_.properties[4].value}
$Events = $fileserversecuritylogs
$events=get-winevent -path .\securitylog.evtx
ForEach ($Event in $Events) {
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
# Append these as object properties
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
$Events | export-csv "exportsecurity.csv" -delimiter ";" # out-gridview
Get-WinEvent -FilterHashtable @{path="C:\Users\mendel\Desktop\New folder\securitylog.evtx";Id=4624}
$allsecuritylogs = get-winevent -LogName security
foreach($event in $allsecuritylogs)
{
$var=[xml]$event.ToXml()
$authname = $var.event.eventdata.data[10]
$TargetUserName = $var.event.eventdata.data[5]
$Workstation = $var.event.eventdata.data[11]
$IpAddress = $var.event.eventdata.data[18]
if($authname.'#text' -like "*ntlm*")
{
$event
#$var.event.eventdata.data | fl
write-host $authname.'#text' $TargetUserName.'#text' $IpAddress.'#text' $Workstation.'#text'
}
}
hunting logon events
#get all properties of the user to be found
get-aduser $samaccountname -properties * | fl *
#search replication metadata for originating server of the last changed object (logondate or logontimestamp)
get-aduser $samaccountname | Get-ADReplicationAttributeMetadata -IncludeDeletedObjects -server $servername | ft * -auto
#query the found server
$events = get-winevent -FilterHashtable @{logname="security";id=4624;data="$samaccountname"} -ComputerName $originatingserver
#convert the event to something human-readable
ForEach ($Event in $Events) {
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
# Append these as object properties
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
#try backtracing the ipaddress (probably not possible because otherwise it would be in the event already)
$events | select ipaddress -unique | foreach{ping -a $_.ipaddress}