
Powershell - Query event 4688 for command line text

Regarding PowerShell and Event 4688, where it's now possible to log text entered into a Windows command line.

Is there a way to use the PowerShell Get-WinEvent -FilterHashTable to show me what was entered in 'Process Command Line' of the event logs? This would be the actual text someone entered into the command line.

You can access the properties in an event message using Properties, but you need to use a sample event so you can compare the message and the Properties array to find out which index is the right field. I think it is the 9th (index 8), but you should verify.

List properties (values in message):

(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} -MaxEvents 1).Properties

Value                          
-----                          
S-1-5-18                       
-                              
-                              
999                            
920                            
C:\Windows\System32\lsass.exe  
%%1936                         
784                            
           #I believe this is CommandLine                       
S-1-0-0                        
-                              
-                              
0                              
C:\Windows\System32\wininit.exe
S-1-16-16384

Using Select-Object, you can create your own object to extract, e.g., the TimeCreated and the CommandLine (using custom/calculated properties):

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated,@{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}

#I didn't have any values in my events

TimeCreated         NewProcessName                   CommandLine
-----------         --------------                   -----------
09.04.2016 00:56:04 C:\Windows\System32\lsass.exe               
09.04.2016 00:56:04 C:\Windows\System32\services.exe            
09.04.2016 00:56:04 C:\Windows\System32\winlogon.exe            
09.04.2016 00:56:04 C:\Windows\System32\wininit.exe             
09.04.2016 00:56:04 C:\Windows\System32\csrss.exe            

You could also use XML to access the properties, but this would be more useful if you were listing different event IDs (where the order in the Properties array would be different). Ex:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated, @{name='CommandLine';expression={ (([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' })."#text" }}
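As an added example (not code from the original answer), a function that maps each 4688 event's EventData by field name, so CommandLine, NewProcessName and the parent process are read by name rather than by index, plus a check of the audit setting that decides whether the command line is recorded at all (the empty CommandLine column above is the usual symptom of it being off). It assumes an elevated PowerShell session (the Security log needs administrator rights) and that ParentProcessName is present (Windows 10 / Server 2016 and later); the function names are my own.

```powershell
# Added example: read 4688 fields by name from the event XML instead of by
# positional index, so the same code works when other event IDs are mixed in.
function Get-ProcessCreationEvent {
    param(
        [int]$MaxEvents = 50,
        [datetime]$StartTime = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; ID = 4688; StartTime = $StartTime }
    # SilentlyContinue: "no events found" is reported as an error by Get-WinEvent
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            # Build a Name -> value table from <EventData><Data Name="...">...</Data>
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                SubjectUserName   = $data['SubjectUserName']
                NewProcessName    = $data['NewProcessName']
                CommandLine       = $data['CommandLine']        # empty unless auditing below is on
                ParentProcessName = $data['ParentProcessName']  # assumption: Win10/2016+ field
            }
        }
}

# Checks the policy "Include command line in process creation events"
# (Computer Configuration > Administrative Templates > System > Audit Process Creation).
function Test-CommandLineAuditing {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $item = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    return ($item.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

if (-not (Test-CommandLineAuditing)) {
    Write-Warning 'Command-line auditing is not enabled; the CommandLine field will be empty.'
}

# Show only events that actually carry a command line
Get-ProcessCreationEvent -MaxEvents 20 |
    Where-Object { $_.CommandLine } |
    Format-Table TimeCreated, SubjectUserName, NewProcessName, CommandLine -AutoSize
```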
