Incident Response Script

2021-09-18 11:48:07

A better way to search Windows event logs. By default the results open in Out-GridView, but if needed you can pass -raw and export them to CSV/XLS. Raw text search of the event message is also supported.

```powershell
function Search-Event {
    <#
    Searches a Windows event log via Get-WinEvent, flattens each event's
    EventData fields into a PSCustomObject, and either returns the objects
    (-raw) or displays them in Out-GridView.
    #>
    Param(
        [Parameter(Mandatory=$False)]
        [string]$search="*",        # wildcard matched against the event Message

        [Parameter(Mandatory=$False)]
        [string]$field=$null,       # optional EventData field name to filter on

        [Parameter(Mandatory=$False)]
        [string]$value=$null,       # wildcard pattern that field must match

        [Parameter(Mandatory=$False)]
        [int]$eventid=0,            # 0 means any event ID

        [Parameter(Mandatory=$False)]
        [string]$logname,           # e.g. Security, System; Get-WinEvent requires it

        [Parameter(Mandatory=$False)]
        [datetime]$starttime,

        [Parameter(Mandatory=$False)]
        [datetime]$endtime,

        [Parameter(Mandatory=$False)]
        [switch]$raw=$False         # return objects instead of opening Out-GridView
    )

    $filter = @{
        LogName=$logname;
    }

    if($eventid) {
        $filter['Id'] = $eventid
    }

    if($starttime) {
        $filter['StartTime'] = $starttime
    }
    if($endtime) {
        $filter['EndTime'] = $endtime
    }

    # Wrap in @() so a single matching event still has a .Count
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Continue |
        Where-Object { $_.Message -like "*$search*" })

    if($events.Count -gt 0) {
        [xml[]]$xmlevents = $events | ForEach-Object { $_.ToXml() }
        $results = @()

        ForEach($xmlevent in $xmlevents) {
            $eventData = $xmlevent.Event.EventData.Data
            $row = [PSCustomObject][ordered] @{
                TimeCreated=(Get-Date -Date $xmlevent.Event.System.TimeCreated.SystemTime).ToString("MM/dd/yyyy hh:mm:ss tt")
                Id = $xmlevent.Event.System.EventID
            }
            # Promote each named <Data Name="..."> element to a property on the row
            foreach($ed in $eventData) {
                if($ed.Name) {
                    $row | Add-Member -NotePropertyName $ed.Name -NotePropertyValue $ed."#text" -Force
                }
            }
            $row | Add-Member -NotePropertyName "xmlEvent" -NotePropertyValue $xmlevent

            # Accumulate rows (+=) rather than overwriting, so every match is kept
            if($field -and $value) {
                if($row.$field -like $value) {
                    $results += $row
                }
            }
            else {
                $results += $row
            }
        }

        if($raw) {
            $results
        }
        else {
            $results | Out-GridView -Title "Search-Event Results"
        }
    }
    else {
        Write-Warning "No events were found that matched your search query."
    }
}
```

Well suited to threat hunting and DFIR. It is also useful for finding credentials passed on the command line.
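As an added example (not part of the original post), the following uses Search-Event with -raw to pull recent process-creation events and flag command lines that carry credential-like arguments, then writes the hits to CSV for the case file. It assumes process-creation auditing (event 4688) with command-line logging is enabled so the CommandLine field is populated; the regex and output path are assumptions.

```powershell
# Added example, not the original author's code. Assumes Search-Event from
# above is loaded and that 4688 events include the CommandLine field.

# Heuristic for credential-bearing arguments (assumed pattern; tune per environment)
$credPattern = '(?i)(password|passwd|pwd|secret|token|/p:|-p\s)[=:\s]'

# Pull the last 7 days of process creation from the Security log as objects
$hits = Search-Event -logname 'Security' -eventid 4688 `
                     -starttime (Get-Date).AddDays(-7) -raw |
    Where-Object { $_.CommandLine -and $_.CommandLine -match $credPattern } |
    Select-Object TimeCreated, Id, SubjectUserName, NewProcessName,
                  ParentProcessName, CommandLine

if ($hits) {
    # Keep a copy with the evidence and show a quick summary on screen
    $hits | Export-Csv -Path "$env:TEMP\cmdline-credential-hits.csv" -NoTypeInformation
    $hits | Format-Table -AutoSize
}
else {
    Write-Host 'No command lines with credential-like arguments were found.'
}
```

Every hit is a finding to remediate (rotate the exposed secret and move it out of the command line), since the same field is readable by anyone who can query the Security log or the process list.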
