Get-winevent: Difference between revisions
=interactive logons= | |||
<syntaxhighlight lang="powershell"> | |||
$Events = Get-WinEvent -filterHashtable @{LogName='Security'; Id=4624} # Data="10"} | |||
ForEach ($Event in $Events) { | |||
# Convert the event to XML | |||
$eventXML = [xml]$Event.ToXml() | |||
# Iterate through each one of the XML message properties | |||
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { | |||
# Append these as object properties | |||
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' | |||
} | |||
} | |||
#$events | select TargetUserName,IpAddress,WorkstationName,TimeCreated | ft # | out-gridview | |||
$filter1 = $events | ?{$_.targetusername -ne "qsdf"} | |||
$filter2 = $filter1 | ?{$_.targetusername -ne "qsdf"} | |||
$filter3 = $filter2 | ?{$_.targetusername -ne "qsdf$"} | |||
$filter4 = $filter3 | ?{$_.targetusername -ne "LOCAL SERVICE"} | |||
$filter5 = $filter4 | ?{$_.targetusername -ne "NETWORK SERVICE"} | |||
$filter6 = $filter5 | ?{$_.targetusername -ne "SYSTEM"} | |||
$filter6 | select TargetUserName,IpAddress,WorkstationName,TimeCreated | ft | |||
$events | group-object targetusername | |||
</syntaxhighlight> | |||
=examples= | |||
<syntaxhighlight lang="powershell"> | <syntaxhighlight lang="powershell"> | ||
$ID=@(5150..5159) | $ID=@(5150..5159) |
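Review bot: In the new `$filter1`…`$filter6` chain the second and third lines both exclude `"qsdf"`, and the six intermediate variables can collapse into one exclusion list with identical output: `$exclude = 'qsdf','qsdf$','LOCAL SERVICE','NETWORK SERVICE','SYSTEM'` followed by `$events | ?{ $exclude -notcontains $_.TargetUserName } | select TargetUserName,IpAddress,WorkstationName,TimeCreated | ft`. The section is headed "interactive logons", but the only active filter is `Id=4624` — the `Data="10"` clause is commented out — so every logon type in the Security log is listed; once Add-Member has attached the EventData fields, narrowing on `$_.LogonType` (2 for console, 10 for RemoteInteractive) would make the listing match its heading. Writing `'qsdf$'` in single quotes would also make explicit that the trailing `$` is literal and not a variable reference, and a short comment naming what the hard-coded `qsdf` sample account stands for would help the next reader.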
Revision as of 16:48, 24 February 2017
interactive logons
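# Interactive logons: list Security 4624 (successful logon) events with their
# EventData fields promoted to object properties, leaving out service and
# machine accounts, then count logons per account.
# NOTE(review): with the Data="10" clause commented out every logon type is
# returned; filter on $_.LogonType after the Add-Member loop (2 = console,
# 10 = RemoteInteractive) if only interactive logons are wanted.
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} # Data="10"}
ForEach ($Event in $Events) {
    # Convert the event to XML so the named <Data> fields are reachable
    $eventXML = [xml]$Event.ToXml()
    # Attach every EventData <Data Name="..."> as a NoteProperty of the event
    For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}
#$events | select TargetUserName,IpAddress,WorkstationName,TimeCreated | ft # | out-gridview
# Accounts to leave out of the listing. One list replaces the six chained
# filters of the original, which tested "qsdf" twice. Single quotes keep the
# trailing '$' of 'qsdf$' literal. Comparison is case-insensitive like -ne.
$exclude = 'qsdf', 'qsdf$', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'
$filtered = $Events | Where-Object { $exclude -notcontains $_.TargetUserName }
$filtered | Select-Object TargetUserName,IpAddress,WorkstationName,TimeCreated | Format-Table
# Logon count per account (all events, excluded accounts included)
$Events | Group-Object TargetUserName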
examples
# Assorted Get-WinEvent examples; each line is a stand-alone one-liner.
# Id ranges/lists in the shape -FilterHashtable's Id key accepts
$ID = @(5150..5159)
$list = @(5123, 123)
# Same id (4757) from the local Security log and from a collector's ForwardedEvents log
Get-WinEvent -FilterHashtable @{ LogName = 'security'; Id = 4757 }
Get-WinEvent -FilterHashtable @{ LogName = 'forwardedevents'; Id = 4757 }
# Free-text search over the rendered Message of an already collected set ($all)
$all | Where-Object { $_.Message -like ("*searchstring*") } | Format-List Message
# Data= matches an EventData field value; the logon/logoff ids are then dropped
$test = Get-WinEvent -FilterHashtable @{ LogName = 'forwardedevents'; Data = "searchstring" }
$test | Where-Object { @("4624", "4634") -notcontains $_.Id } | Format-List Message
# 4724 events with two positional EventData values printed per line
# (Properties[0]/[4] are positional — presumably subject/target fields; confirm for 4724)
$table = Get-WinEvent -ComputerName localhost -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4724 }
$table | ForEach-Object { Write-Host $_.Id $_.TimeCreated $_.Properties[0].Value $_.Properties[4].Value }
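# Export a saved Security log (.evtx) to CSV with the EventData fields as columns.
# The original assigned $Events twice in a row, so the in-memory source was
# silently overwritten by the file; it is kept only as a commented alternative.
#$Events = $fileserversecuritylogs
$Events = Get-WinEvent -Path .\securitylog.evtx
ForEach ($Event in $Events) {
    # Convert the event to XML so the named <Data> fields are reachable
    $eventXML = [xml]$Event.ToXml()
    # Attach every EventData <Data Name="..."> as a NoteProperty of the event
    For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}
# Semicolon-delimited CSV; the added NoteProperties become columns
$Events | Export-Csv "exportsecurity.csv" -Delimiter ";" # out-gridview
# Same kind of file, but with Get-WinEvent doing the id filtering while reading
Get-WinEvent -FilterHashtable @{path="C:\Users\mendel\Desktop\New folder\securitylog.evtx";Id=4624}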
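# Hunt NTLM-authenticated logons: for every 4624 whose authentication package
# contains "ntlm", emit the event and print package, target account, source
# address and workstation.
# Changes from the original: the query is narrowed to Id 4624, the event whose
# EventData layout the original positional indices (10/5/11/18) correspond to
# (widen the filter if other ids were intended), and the fields are looked up
# by their Data Name instead of by position, which does not break when the
# field order differs between Windows versions.
$allsecuritylogs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
foreach ($event in $allsecuritylogs) {
    $var = [xml]$event.ToXml()
    $data = $var.Event.EventData.Data
    # First <Data Name="..."> element carrying each wanted field
    $authname       = $data | Where-Object { $_.Name -eq 'AuthenticationPackageName' } | Select-Object -First 1
    $TargetUserName = $data | Where-Object { $_.Name -eq 'TargetUserName' }            | Select-Object -First 1
    $Workstation    = $data | Where-Object { $_.Name -eq 'WorkstationName' }           | Select-Object -First 1
    $IpAddress      = $data | Where-Object { $_.Name -eq 'IpAddress' }                 | Select-Object -First 1
    # -like is case-insensitive, so "NTLM" and "ntlm" both match
    if ($authname.'#text' -like "*ntlm*") {
        $event
        #$var.event.eventdata.data | fl
        Write-Host $authname.'#text' $TargetUserName.'#text' $IpAddress.'#text' $Workstation.'#text'
    }
}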
hunting logon events
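# Hunting logon events for one account: find the server that originated the
# last change to the account (via replication metadata), pull that account's
# 4624 events from it, and try to resolve the source addresses.
# Inputs expected to be set beforehand: $samaccountname, $servername,
# $originatingserver.
#get all properties of the user to be found
Get-ADUser $samaccountname -Properties * | Format-List *
#search replication metadata for originating server of the last changed object (logondate or logontimestamp)
Get-ADUser $samaccountname | Get-ADReplicationAttributeMetadata -IncludeDeletedObjects -Server $servername | Format-Table * -AutoSize
#query the found server
$events = Get-WinEvent -FilterHashtable @{ LogName = "security"; Id = 4624; Data = "$samaccountname" } -ComputerName $originatingserver
#convert the event to something human-readable
ForEach ($Event in $events) {
    # Convert the event to XML so the named <Data> fields are reachable
    $eventXML = [xml]$Event.ToXml()
    # Attach every EventData <Data Name="..."> as a NoteProperty of the event
    For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}
#try backtracing the ipaddress (probably not possible because otherwise it would be in the event already)
# Skip events with no usable address (empty, or the '-' placeholder that
# presumably marks local logons — confirm) so ping is not handed a non-address.
$events |
    Select-Object IpAddress -Unique |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    ForEach-Object { ping -a $_.IpAddress }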