@nullbind
Created May 1, 2019 17:30
Invoke-HuntEvents.ps1
function Invoke-HuntEvents {
    # Event IDs of interest, kept as one comma-separated string and parsed below
    $x = "4768,4662,1917,216,8224,20001,106,4720,4732"
    # Parse into a list of integers; the Id key of -FilterHashtable expects numbers, not strings
    $y = $x.Split(',') | ForEach-Object { [int]$_ }
    # Initialise the result set so += always appends to an array (the original left it undefined)
    $results = @()
    # Enumerate the log names once; note that Get-EventLog -List only returns the classic logs
    $logs = Get-EventLog -List | Select-Object -ExpandProperty Log
    # Look up each event id in each event log
    foreach ($eventid in $y) {
        #Write-Output "Searching for event id $eventid"
        foreach ($logname in $logs) {
            try {
                # Get-EventLog -LogName $logname | Where-Object { $_.EventID -eq $eventid } also works but is super slow
                $results += Get-WinEvent -FilterHashtable @{ LogName = $logname; Id = $eventid } -ErrorAction SilentlyContinue
            } catch {
                #Write-Output "The event $eventid was not found in the log $logname."
            }
        }
    }
    # Emit the matched records with the full set of EventLogRecord properties
    $results | Select-Object MachineName,LogName,ProviderName,Id,ActivityId,Bookmark,ContainerLog,Keywords,KeywordsDisplayNames,Level,LevelDisplayName,MatchedQueryIds,Opcode,OpcodeDisplayName,ProcessId,Properties,ProviderId,Qualifiers,RecordId,RelatedActivityId,Task,TaskDisplayName,ThreadId,TimeCreated,UserId,Version,Message
}
Invoke-HuntEvents
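The script above queries the classic logs one id at a time. As an added example (not part of nullbind's gist), the variant below searches every enabled log that Get-WinEvent can see, including the Applications and Services logs that Get-EventLog -List never returns, passes all ids in a single query per log, bounds the scan with a lookback window, and produces a per-log, per-id count for triage; the default CSV output path and the function and parameter names are my own assumptions.

```powershell
function Get-HuntEventSummary {
    param(
        # Same event ids the gist hunts for
        [int[]]$EventId = @(4768,4662,1917,216,8224,20001,106,4720,4732),
        [int]$LookbackHours = 24,
        # Assumed output location for the full records
        [string]$OutCsv = "$env:TEMP\hunt-events.csv"
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Enumerate every enabled log that actually holds records; this includes
    # ETW-based logs (e.g. TaskScheduler/Operational) that Get-EventLog -List omits
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        Select-Object -ExpandProperty LogName
    # One query per log for all ids at once; StartTime keeps the scan bounded.
    # Logs the current account cannot read (Security needs admin) are skipped silently.
    $hits = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId; StartTime = $since } `
            -ErrorAction SilentlyContinue
    }
    # Triage view: how many of each id fired in each log, and when it was last seen
    $summary = $hits | Group-Object LogName, Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            LogName  = $latest.LogName
            Id       = $latest.Id
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Provider = $latest.ProviderName
        }
    } | Sort-Object LogName, Id
    # Keep the full records for follow-up; the Message field carries the details
    if ($hits) {
        $hits | Select-Object TimeCreated, MachineName, LogName, ProviderName, Id, RecordId, Message |
            Export-Csv -Path $OutCsv -NoTypeInformation
    }
    $summary
}
Get-HuntEventSummary -LookbackHours 24 | Format-Table -AutoSize
```

Run it from an elevated session so the Security log is included; widen -LookbackHours for a retrospective sweep.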