In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons. In Part D, I pulled this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:
'Auditpol' allows the administrator to add additional events to be collected by the Event Viewer. To see all potential categories:
auditpol /get /category:*
[partial list:]
System audit policy
Category/Subcategory Setting
System
Security System Extension Success
System Integrity Success and Failure
IPsec Driver Success
Other System Events Success and Failure
Security State Change Success
Logon/Logoff
Logon Success and Failure
Logoff Success
...
A quick trick to enable success and failure auditing for all categories and their subcategories (auditpol /set needs at least one of /success or /failure to do anything):
auditpol /set /category:* /success:enable /failure:enable
After some time, we query the Security log and notice event 5156 for further monitoring:
get-winevent Security -max 100 | ft -auto -wrap | more
7/14/2011 6:59:55 PM Microsoft-Windows-Security-Auditing 5156 The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3588
Application Name: \device\harddiskvolume3\program files (x86)\opera\opera.exe
...
Network Information:
Direction: Outbound
Source Address: 192.168.0.11
Source Port: 51199
Destination Address: 199.59.149.243
Destination Port: 80
Protocol: 6
$5156=get-winevent -filterhashtable @{logname='security';id=5156} -max 1000
foreach ($event in $5156) {($event | Select TimeCreated,Message | fl * | findstr /G:Search5156.lst) -replace " ","" -join "," | out-file -append 5156.csv}
where Search5156.lst contains (one findstr pattern per line; 'Source' and 'Destination' match both the address and port lines):
TimeCreated
Source
Destination
Now we can add some headers and create some filters in our spreadsheet.
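As an added example (not code from the original post), the same extraction done without findstr: each 5156 Message is parsed into named fields with regular expressions, written as a headed CSV so no manual header row is needed, and then grouped to show which programs connect where most often. It assumes the Security log already holds 5156 events (the "Filtering Platform Connection" subcategory is enabled) and that the session is elevated; the output path 5156.csv is arbitrary.

```powershell
# Added example, not the original post's code. Parses Windows Filtering Platform
# 5156 events from the Security log into objects and exports a headed CSV.
# Assumes an elevated session and that 5156 auditing is already enabled.

# Regex per field of the 5156 Message text; [ordered] keeps the column order stable.
$fields = [ordered]@{
    ProcessId   = 'Process ID:\s+(\d+)'
    Application = 'Application Name:\s+(.+)'
    Direction   = 'Direction:\s+(\w+)'
    SrcAddress  = 'Source Address:\s+(\S+)'
    SrcPort     = 'Source Port:\s+(\d+)'
    DstAddress  = 'Destination Address:\s+(\S+)'
    DstPort     = 'Destination Port:\s+(\d+)'
    Protocol    = 'Protocol:\s+(\d+)'
}

function ConvertFrom-Event5156 {
    # Turns one EventLogRecord into a flat object with the fields above.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $row = [ordered]@{ TimeCreated = $Event.TimeCreated; RecordId = $Event.RecordId }
        foreach ($name in $fields.Keys) {
            $m = [regex]::Match($Event.Message, $fields[$name])
            # Trim() drops the trailing CR that '.+' captures from CRLF messages.
            $row[$name] = if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
        }
        [pscustomobject]$row
    }
}

$rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents 1000 |
        ConvertFrom-Event5156

# Headed CSV: the spreadsheet gets column names without any manual editing.
$rows | Export-Csv -Path .\5156.csv -NoTypeInformation

# Quick triage view: outbound connections grouped by program and destination,
# most frequent first. Unexpected programs or ports stand out here.
$rows | Where-Object Direction -eq 'Outbound' |
    Group-Object Application, DstAddress, DstPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Protocol stays numeric as in the event (6 = TCP, 17 = UDP), which filters cleanly in the spreadsheet.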