应急响应脚本
Windows 事件日志进行搜索的更好方法的解决方案。使用 Out-GridView,但如果需要,您可以使用 -raw 并导出到 csv/xls。也有原始搜索功能。
function Search-Event {
Param(
[Parameter(Mandatory=$False)]
[string]$search="*",
[Parameter(Mandatory=$False)]
[string]$field=$null,
[Parameter(Mandatory=$False)]
[string]$value=$null,
[Parameter(Mandatory=$False)]
[int]$eventid=$null,
[Parameter(Mandatory=$False)]
[string]$logname,
[Parameter(Mandatory=$False)]
[datetime]$starttime,
[Parameter(Mandatory=$False)]
[datetime]$endtime,
[Parameter(Mandatory=$False)]
[switch]$raw=$False
)
$filter = @{
logname=$logname;
}
if($eventid) {
$filter['id'] = $eventid
}
if($starttime) {
$filter['StartTime'] = $starttime
}
if($endtime) {
$filter['EndTime'] = $starttime
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Continue | Where-Object { $_.Message -like "*$search*" }
if($events.Length -gt 0) {
[xml[]]$xmlevents = $events | % { $_.ToXml() }
[PSCustomObject[]]$results = $null
ForEach($xmlevent in $xmlevents) {
$eventData = $xmlevent.Event.EventData.Data
$row = [PSCustomObject][ordered] @{
TimeCreated=(get-date -date $xmlevent.Event.System.TimeCreated.SystemTime).ToString("MM/dd/yyyy hh:mm:ss tt")
Id = $xmlevent.Event.System.EventId
}
foreach($ed in $eventData) {
$row | Add-Member -NotePropertyName $ed.Name -NotePropertyvalue $ed."#text"
}
$row | Add-Member -NotePropertyName "xmlEvent" -NotePropertyValue $xmlevent
$continue = $False
if($field -and $value) {
if($row.$field -like $value) {
$results += $row
}
}
else {
$results += $row
}
}
if($raw) {
$results
}
else {
$results | Out-GridView -Title "Search-Event Results"
}
}
else {
Write-Warning "No events were found that matched your search query."
}
}
非常适合威胁追踪和 DFIR。也适用于查找在命令行上传递的凭据。
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2021-09-03,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
