# from @ippsec twitter
# tail -f of Security Log
# Inspired by the SilentBreakSecurity DSOPS 1 course (SilentBreakSecurity has since been acquired by NetSPI)
# For testing: a C# console app that creates a "MySource" event source in the System log and writes to it
# if (!EventLog.SourceExists("MySource", "desktop-8if3bit"))
# {
# EventLog.CreateEventSource("MySource", "System", "desktop-8if3bit");
# Console.WriteLine("Exiting, execute the application a second time to use the source.");
# return;
# }
# EventLog myLog = new EventLog();
# myLog.Source = "MySource";
# myLog.WriteEntry("Writing to event log.");
# Console.WriteLine("Message written to event log.");
# add log entries with PowerShell:
# Write-EventLog -LogName System -Source "MySource" -Message "hello System Eventlog" -EventId 2 -EntryType Error
# Silence non-terminating/terminating errors script-wide so a read that returns
# no events does not stop the tail loop below.
# Caveat: this also hides access-denied failures. Reading a privileged log
# (e.g. Security) from a non-elevated shell then looks exactly like an empty
# log - nothing is printed and nothing explains why.
$ErrorActionPreference = 'SilentlyContinue'
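Function Parse-Event {
    # Credit: https://github.com/RamblingCookieMonster/PowerShell/blob/master/Get-WinEventData.ps1
    # Promote every <Data> element of an event's EventData XML to a NoteProperty
    # on the event object, so callers can write $evt.ProcessId / $evt.Image
    # instead of indexing $evt.Properties by position.
    #
    # Parameters:
    #   $Event - one or more event records; anything with a ToXml() method
    #            (e.g. System.Diagnostics.Eventing.Reader.EventLogRecord).
    #            Accepts pipeline input.
    # Output: the same objects, decorated, written to the pipeline.
    #
    # NOTE(review): field names come from the provider's manifest and are applied
    # with -Force, so a provider whose EventData uses a name like "Id" or
    # "Message" would shadow the record's intrinsic property of that name.
    # Values come straight from whoever wrote the event - treat them as untrusted.
    param(
        [Parameter(ValueFromPipeline=$true)] $Event
    )
    Process
    {
        foreach($record in $Event)
        {
            $XML = [xml]$record.ToXml()
            $fields = $XML.Event.EventData.Data
            For( $i=0; $i -lt $fields.count; $i++ ){
                $field = $fields[$i]
                # A <Data> element with no attributes is surfaced by the XML adapter
                # as a plain string, so the value is the element itself in that case.
                if ($field -is [string]) {
                    $name  = $null
                    $value = $field
                } else {
                    $name  = $field.name
                    $value = $field.'#text'
                }
                # Unnamed <Data> elements (classic / manifest-less events) used to hit
                # Add-Member with an empty -Name and be silently dropped under
                # SilentlyContinue; give them a positional name instead.
                if ([string]::IsNullOrEmpty($name)) { $name = "Data$i" }
                $record = Add-Member -InputObject $record -MemberType NoteProperty -Name $name -Value $value -Force -Passthru
            }
            $record
        }
    }
}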
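Function Write-Alert ($alerts) {
    # Print one alert to the console: "Type: <type>", then one "key: value" line
    # per remaining entry, then a "-----" separator.
    #
    # Parameters:
    #   $alerts - hashtable of fields to print. The "Type" key (if present) is
    #             printed first and excluded from the key/value listing.
    #             The caller's hashtable is left untouched (the previous version
    #             removed "Type" from it as a side effect).
    # Output: console only (Write-Host); nothing is written to the pipeline.
    if ($null -eq $alerts) { return }
    Write-Host "Type: $($alerts.Type)"
    foreach($alert in $alerts.GetEnumerator()) {
        if ($alert.Name -eq "Type") { continue }   # already printed above
        # NOTE(review): values such as the event Message are copied verbatim from
        # the event log, i.e. chosen by whoever wrote the event. They may contain
        # newlines or control/escape characters and are printed unescaped, so
        # this is fine for a local console tail but should not be fed to anything
        # that parses the output.
        write-host "$($alert.Name): $($alert.Value)"
    }
    write-host "-----"
}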
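#$LogName = "Microsoft-Windows-Sysmon/Operational"
$LogName = "System"

# The Security log (and several Microsoft-Windows-*/Operational logs) can only be
# read from an elevated shell or by members of "Event Log Readers". Because the
# script runs with errors silenced, an access-denied read would look exactly like
# an empty log and the tail would sit here forever printing nothing - so the
# first read is checked explicitly and failure is reported.
$head = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $head) {
    Write-Warning "No events readable from '$LogName' (log empty, unknown, or access denied - try an elevated shell)."
    return
}
# RecordId of the newest event seen so far; everything above it is "new".
$index = $head.RecordId

while ($true)
{
    Start-Sleep 1
    $NewIndex = (Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
    if ($null -eq $NewIndex) { continue }   # transient read failure: retry next tick

    if ($NewIndex -lt $index) {
        # RecordIds only move backwards when the log has been cleared. Clearing the
        # log is a classic anti-forensics step, so say so instead of going quiet,
        # then resume from the new head.
        Write-Host "*** $LogName RecordId went from $index to $NewIndex - log cleared? ***"
        $index = $NewIndex
        continue
    }
    if ($NewIndex -eq $index) { continue }

    # Select by RecordId rather than "the newest N events": events that land
    # between the head read above and this read would otherwise be printed twice
    # on the next pass while the same number of older ones were skipped, and
    # RecordIds are not guaranteed to be gap-free.
    $logs = Get-WinEvent -LogName $LogName -FilterXPath "*[System[EventRecordID > $index]]" -ErrorAction SilentlyContinue |
        Sort-Object RecordId
    foreach($log in $logs) {
        # For named EventData fields (e.g. Sysmon's Image/CommandLine), pipe the
        # record through Parse-Event first:  $evt = $log | Parse-Event
        $output = @{}
        $output.add("logname", $log.ContainerLog)
        $output.add("level", $log.LevelDisplayName)
        $output.add("taskname", $log.TaskDisplayName)
        $output.add("user", $log.UserId)
        $output.add("id", $log.Id)
        $output.add("time", $log.TimeCreated)
        $output.add("message", $log.Message )
        $output.add("messagePV", $log.Properties.Value )
        Write-Alert $output
        # Advance past what was actually printed, not past the head read, so a
        # burst arriving mid-iteration is neither duplicated nor lost.
        if ($log.RecordId -gt $index) { $index = $log.RecordId }
    }
}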