Windows Event Viewer xPath query doesn't work on certain strings. Escape characters?
I'm trying to use xPath (in PowerShell and in the Event Viewer UI) to return an event log entry from the Windows Security log, without success.
This query doesn't work: it returns zero results even though the log contains a matching entry:
Get-WinEvent -FilterXPath "*[EventData[Data[@Name='CommandLine']='-ExecutionPolicy ByPass -File Do-Something.ps1']]" -LogName Security
The query syntax seems fine, because changing the query value returns the expected result:
Get-WinEvent -FilterXPath "*[EventData[Data[@Name='CommandLine']='\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1']]" -LogName Security
The results are the same if the format is -FilterXML.
An alternative query strategy works, but it is not at all efficient for large logs:
Get-WinEvent -LogName Security | Where-Object -Property Message -match '-ExecutionPolicy ByPass -File Do-Something.ps1'
It seems something in the xPath query value isn't quite to spec. I don't know what it is. What am I missing?
Here is the event data for the desired hit:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-02-19T15:17:13.982780900Z" />
<EventRecordID>SCRUBBED</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="256" />
<Channel>Security</Channel>
<Computer>SCRUBBED</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">SCRUBBED</Data>
<Data Name="SubjectUserName">SCRUBBED</Data>
<Data Name="SubjectDomainName">SCRUBBED</Data>
<Data Name="SubjectLogonId">SCRUBBED</Data>
<Data Name="NewProcessId">SCRUBBED</Data>
<Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TokenElevationType">%%1937</Data>
<Data Name="ProcessId">0x41c</Data>
<Data Name="CommandLine">-ExecutionPolicy ByPass -File Do-Something.ps1</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\gpscript.exe</Data>
<Data Name="MandatoryLabel">SCRUBBED</Data>
</EventData>
</Event>
Here is the event data for another hit, which works but which I'm not interested in:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-02-19T15:21:21.753690000Z" />
<EventRecordID>SCRUBBED</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="96" />
<Channel>Security</Channel>
<Computer>SCRUBBED</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">SCRUBBED</Data>
<Data Name="SubjectUserName">SCRUBBED</Data>
<Data Name="SubjectDomainName">SCRUBBED</Data>
<Data Name="SubjectLogonId">SCRUBBED</Data>
<Data Name="NewProcessId">SCRUBBED</Data>
<Data Name="NewProcessName">C:\Windows\System32\conhost.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x690</Data>
<Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Program Files\Windows Defender\MpCmdRun.exe</Data>
<Data Name="MandatoryLabel">SCRUBBED</Data>
</EventData>
</Event>
Enable command line process auditing to reproduce this: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
First search for NewProcessName:
$a = Get-WinEvent -FilterXPath "*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]" Security
And look at the xml:
$a[1] | foreach { $xml = [xml]$_.toxml(); $xml.event.eventdata.data }
Name               #text
----               -----
SubjectUserSid     S-1-5-21-1528843147-373324174-1919417755-1001
SubjectUserName    admin
SubjectDomainName  DESKTOP-JQ7B7RP
SubjectLogonId     0x31db1a
NewProcessId       0x7c4
NewProcessName     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TokenElevationType %%1937
ProcessId          0x19d4
CommandLine        -ExecutionPolicy ByPass -File do-something.ps1
TargetUserSid      S-1-0-0
TargetUserName     -
TargetDomainName   -
TargetLogonId      0x0
ParentProcessName  C:\Windows\System32\gpscript.exe
MandatoryLabel     S-1-16-12288
Strangely, it looks like there is a space at the beginning and at the end of the CommandLine property. The xml text is trimmed in Event Viewer. The space is still there with $xml.save('file.xml').
$a[1] | foreach { $xml = [xml]$_.toxml(); $xml.event.eventdata.data } |
where '#text' -match bypass | % { 'x' + $_.'#text' + 'x' }
x -ExecutionPolicy ByPass -File do-something.ps1 x
I run this script as a Group Policy PowerShell logon script.
So after adding the extra spaces, the nested predicate xpath becomes:
Get-WinEvent -FilterXPath "*[EventData[Data[@Name='CommandLine']=' -executionpolicy bypass -file do-something.ps1 ']]" Security
   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/21/2020 3:16:13 PM 4688 Information      A new process has been created....
2/21/2020 3:16:06 PM 4688 Information      A new process has been created....
2/21/2020 3:03:24 PM 4688 Information      A new process has been created....
2/21/2020 2:54:16 PM 4688 Information      A new process has been created....
Alternate "nested" xpath expressions. For some reason, functions like text() or substring() don't work with windows logs, and neither do "//" or "/Event".
get-winevent security -FilterXPath "*/EventData/Data[@Name='CommandLine']=' -ExecutionPolicy ByPass -File Do-Something.ps1 '"
get-winevent security -FilterXPath "*/*/*[@Name='CommandLine']=' -ExecutionPolicy ByPass -File Do-Something.ps1 '"
get-winevent security -FilterXPath "Event/EventData/Data[@Name='CommandLine']=' -ExecutionPolicy ByPass -File Do-Something.ps1 '"
In PowerShell 6 and above, this can be reduced to:
get-winevent @{logname = 'security'; commandline = ' -executionpolicy bypass -file do-something.ps1 ' }
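The two steps of the answer above (look at the raw Data value, then query with the exact string) as an added, self-contained example; this is my own code, not the question's or either answer's. The function names Show-ExactDataValue and New-ExactMatchFilterXml are assumptions of this example; Get-WinEvent with -FilterXPath and -FilterXml are the real cmdlet parameters. It also covers the escaping side of the title: an XPath 1.0 string literal has no escape sequence, so the only freedom is which quote character delimits it, and because the XPath sits in XML element text, &, < and > in the value must be XML-escaped.

```powershell
# Added example, not code from the question or the answers above.
# Function names are my own; Get-WinEvent, -FilterXPath and -FilterXml are real.

function Show-ExactDataValue {
    # Show one EventData field of each event with visible delimiters and its length,
    # so leading/trailing whitespace that Event Viewer trims away becomes obvious.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name = 'CommandLine'
    )
    process {
        $xml = [xml]$Event.ToXml()
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name -ne $Name) { continue }
            $text = [string]$d.'#text'
            [pscustomobject]@{
                RecordId = $Event.RecordId
                Name     = $d.Name
                Value    = "[$text]"      # brackets expose surrounding spaces
                Length   = $text.Length
            }
        }
    }
}

function New-ExactMatchFilterXml {
    # Build a -FilterXml query that matches Data[@Name=$Name] exactly, whitespace included.
    # XPath 1.0 string literals cannot escape their own delimiter, so pick the quote
    # character the value does not contain and refuse values that contain both.
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$Name = 'CommandLine',
        [string]$LogName = 'Security',
        [int]$EventId = 4688
    )
    if ($Value.Contains("'") -and $Value.Contains('"')) {
        throw 'Value contains both quote characters; an XPath 1.0 literal cannot express it.'
    }
    $q = if ($Value.Contains("'")) { '"' } else { "'" }
    # The XPath is XML element text, so &, < and > in the value must be XML-escaped;
    # the parser turns them back into the raw characters before the XPath engine sees them.
    $escaped = [System.Security.SecurityElement]::Escape($Value)
    $xpath = "*[System[EventID=$EventId]] and *[EventData[Data[@Name='$Name']=$q$escaped$q]]"
    [xml]@"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$xpath</Select>
  </Query>
</QueryList>
"@
}

# Usage: first look at what the log really stores, then query with that exact string.
Get-WinEvent -LogName Security -MaxEvents 20 -FilterXPath "*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]" |
    Show-ExactDataValue

# The leading and trailing spaces are deliberate: they are what the log stores for this event.
$filter = New-ExactMatchFilterXml -Value ' -ExecutionPolicy ByPass -File Do-Something.ps1 '
Get-WinEvent -FilterXml $filter | Select-Object TimeCreated, Id, RecordId
```

The generated QueryList is the same shape Event Viewer's custom-view XML tab accepts, so a filter that works with -FilterXml can be pasted there unchanged. The query deliberately stays within the predicate-only subset shown in the answer (no text(), no "//"), which is why the exact value, whitespace and all, is compared directly against the Data element.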
Try and see if this works:
Get-WinEvent -LogName Security -FilterXPath "//Event//Data[@Name='CommandLine'][text()='-ExecutionPolicy ByPass -File Do-Something.ps1']"