phantinuss/grep-sysmon-win-eventlog-example.ps1

Last active December 2, 2021 12:56

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/phantinuss/883266109d52259b488dca578b4b2fe8.js"></script>
Save phantinuss/883266109d52259b488dca578b4b2fe8 to your computer and use it in GitHub Desktop.

Download ZIP

How to grep Windows Event Log / Sysmon

Raw

grep-sysmon-win-eventlog-example.ps1

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { $_.TimeCreated -ge (Get-Date) - (New-TimeSpan -Day 1) } | where Id -EQ 1 | where Message -match "rundll32" | Format-List -Property Message | Out-String -Stream | Select-String -Pattern " CommandLine:"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment