From Sysmon

Network connection

# Sysmon ID 3 = NetworkConnect. Filter on the ID at the source (FilterHashtable) rather than reading the whole log; the \b stops "DestinationPort: 53" from also matching 5353
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3} | Where-Object {$_.Message -match 'DestinationPort: 53\b'} | Select-Object -First 10 Message | Format-List

# Connections into 192.168.0.0/24 (the trailing dot is literal in -like, so 192.168.01.x does not match)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3} | Where-Object {$_.Message -like "*DestinationIp: 192.168.0.*"} | Select-Object -First 10 Message | Format-List

DNS query

# Sysmon ID 22 = DnsQuery; -like is case-insensitive, so PDAKLUBBEN matches too
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=22} | Where-Object {$_.Message -like "*QueryName: *pdaklubben*"} | Select-Object -First 10 Message | Format-List

Process create

# Sysmon ID 1 = ProcessCreate; matching the whole Message also returns events where powershell.exe is only the ParentImage or appears inside CommandLine
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} | Where-Object {$_.Message -like "*powershell.exe*"} | Select-Object -First 10 Message | Format-List

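The one-liners above match substrings of the rendered Message text, which is slow on a large log and imprecise (a port filter of 53 also matches 5353, and "powershell.exe" matches parent images and command lines). The function below is an added example, not part of the original notes: it filters by event ID at the source and parses each event's XML into its named EventData fields (DestinationPort, DestinationIp, QueryName, Image, ParentImage, CommandLine), so the same four queries can be expressed as exact or wildcard matches on a specific field. Get-SysmonEvent and its parameter names are chosen here; it assumes Sysmon is installed with its default log name and that the shell can read the Operational log.

```powershell
# Added example (not from the original notes). Assumes Sysmon writes to the
# default Microsoft-Windows-Sysmon/Operational log and the shell can read it.
function Get-SysmonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$Id,   # Sysmon event ID, e.g. 1, 3, 22
        [hashtable]$Where = @{},           # field filters, e.g. @{ DestinationPort = '53' }
        [int]$MaxEvents = 500              # cap so a busy host does not take minutes
    )
    # FilterHashtable lets the event log service do the ID filtering, which is
    # much faster than piping the entire log through Where-Object.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        # Sysmon stores every field as <Data Name="...">value</Data>; build an
        # ordered hashtable keyed by field name from the event XML.
        $xml = [xml]$ev.ToXml()
        $fields = [ordered]@{ TimeCreated = $ev.TimeCreated; EventId = $ev.Id }
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        # Keep the event only if every requested field matches: exact comparison
        # by default, wildcard (-like) when the pattern contains * or ?.
        # An exact '53' therefore cannot match a DestinationPort of 5353.
        $keep = $true
        foreach ($k in $Where.Keys) {
            $want = [string]$Where[$k]
            $have = [string]$fields[$k]
            $match = if ($want -match '[*?]') { $have -like $want } else { $have -eq $want }
            if (-not $match) { $keep = $false; break }
        }
        if ($keep) { [pscustomobject]$fields }
    }
}

# The same four queries as the one-liners, now against named fields:

# Network connections to port 53 (exact, so 5353 is excluded)
Get-SysmonEvent -Id 3 -Where @{ DestinationPort = '53' } |
    Select-Object -First 10 TimeCreated, Image, DestinationIp, DestinationPort

# Connections into the local 192.168.0.0/24 (wildcard)
Get-SysmonEvent -Id 3 -Where @{ DestinationIp = '192.168.0.*' } |
    Select-Object -First 10 TimeCreated, Image, DestinationIp, DestinationPort

# DNS queries containing a domain name
Get-SysmonEvent -Id 22 -Where @{ QueryName = '*pdaklubben*' } |
    Select-Object -First 10 TimeCreated, Image, QueryName

# Processes whose own image is powershell.exe (parent-only hits are excluded),
# with the parent and command line that the Message-substring query hides
Get-SysmonEvent -Id 1 -Where @{ Image = '*\powershell.exe' } |
    Select-Object -First 10 TimeCreated, ParentImage, CommandLine
```

Filters can be combined in one hashtable (for example @{ Image = '*\powershell.exe'; DestinationPort = '53' } on ID 3) to find a PowerShell process talking directly to a DNS port, which is the kind of question the substring match cannot answer reliably.
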
From the System log

# ID 1001 is used by more than one provider in the System log (BugCheck logs it after a crash), so show ProviderName as well
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001} | Select-Object TimeCreated, ProviderName, Message | Format-List

and so on