Created
April 8, 2022 06:48
-
-
Save JohanSelmosson/3f4ceaec5696a9dbedc7ec7b61d3e76e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function GetFileAccessEvents { | |
| $events = Get-WinEvent -FilterHashtable @{ | |
| LogName = 'ForwardedEvents' | |
| Id = 4663 | |
| StartTime = (Get-Date).AddHours(-24) | |
| } | |
| $AccessTypes = @{ | |
| [int]4416 = 'ReadData_ListDirectory' | |
| [int]4417 = 'WriteData_AddFile' | |
| [int]4418 = 'AppendData_AddSubdirectory_CreatePipeInstance' | |
| [int]4419 = 'ReadEA' | |
| [int]4420 = 'WriteEA' | |
| [int]4421 = 'Execute_Traverse' | |
| [int]4422 = 'DeleteChild' | |
| [int]4423 = 'ReadAttributes' | |
| [int]4424 = 'WriteAttributes' | |
| [int]1537 = 'DELETE' | |
| [int]1538 = 'READ_CONTROL' | |
| [int]1539 = 'WRITE_DAC' | |
| [int]1540 = 'WRITE_OWNER' | |
| [int]1541 = 'SYNCHRONIZE' | |
| [int]1542 = 'ACCESS_SYS_SEC' | |
| } | |
| #om man vill ha ut info om vilken ip-adress som anropet kom från så kan man kombinera info från eventid 5140 med 4663 | |
| #ipcache är en hashtabell där relationen mellan en subjectlogonid och en ip-adress lagras. | |
| #$ipCache = @{} | |
| foreach ($event in $events | Sort TimeCreated) { | |
| [xml]$ex = $event.ToXML() | |
| $dataHt = @{} | |
| $ex.Event.EventData.Data | % {$dataHt[$_.Name] = $_.'#text'} | |
| #avkommentera nedan för att göra en koppling mellan ip-adresser i 5140 event med SubjectLogonID i 4663 | |
| #if ($event.Id -eq 5140) { | |
| # $ipCache[$dataHt['SubjectLogonId']] = $dataHt['IpAddress'] | |
| #} else { | |
| # $dataHt['IpAddress'] = $ipCache[$dataHt['SubjectLogonId']] | |
| #} | |
| if ($dataHt['ShareName'] -eq '\\*\IPC$') {continue} | |
| $AccessTypeName = foreach ($stringMatch in ($dataHt['AccessList'] | Select-String -Pattern '\%\%(?<id>\d{4})' -AllMatches)) { | |
| foreach ($group in $stringMatch.Matches.Groups | ?{$_.Name -eq 'id'}) { | |
| $AccessTypes[[int]$group.Value] | |
| } | |
| } | |
| [pscustomobject]@{ | |
| Time = $event.TimeCreated | |
| EventId = $event.Id | |
| LogonID = $dataHt['SubjectLogonId'] | |
| Path = "$($dataHt['ObjectName'])".trim('\??\') | |
| #Share = $dataHt['ShareName'] #endast relevant för 5140 events | |
| User = $dataHt['SubjectUserName'] | |
| UserDomain = $dataHt['SubjectDomainName'] | |
| #IpAddress = $dataHt['IpAddress'] #endast relevant om 5140 events också hanteras. | |
| AccessType = $AccessTypeName -join ', ' | |
| } | |
| } | |
| } | |
| GetFileAccessEvents | Out-GridView |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment