Clean up Process Created Windows events

Windows event log messages are rendered as multi-line text, which makes them awkward to parse or grep. I was interested in process creation events (event ID 4688 in the Security log), so I created a short PowerShell script to clean up the mess and let me view each event on a single, greppable line:

$x = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ConvertTo-Csv
# Swap line breaks for a placeholder so the non-greedy .*? can match across them
$x = $x -replace '\r?\n', '@@CRLF@@'
$x = $x -replace 'A new process has been created.*?Process Command Line', 'Process Command Line'
$x = $x -replace 'Token Elevation Type.*?choose to start the program using Run as administrator\.', ''
$x = $x -replace '@@CRLF@@', "`r`n"   # put the line breaks back
$x | Out-File -Encoding ascii outfile.csv

I use some non-greedy regex matching here (the .*?), and in order for that to work across carriage returns and linefeeds I replace CRLFs with a placeholder and then put them back when I am done. Not the most elegant solution, but it seems to work well enough. Ideally I could just match across lines directly, but that does not seem to work.
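A different take, added here as an example and not part of the original post: instead of editing the rendered message, read the fields from each event's XML, so every event becomes one flat CSV row with no regex work at all. The field names (SubjectUserName, NewProcessName, CommandLine, ParentProcessName and so on) are the EventData names Windows uses for 4688. CommandLine is only populated when the "Include command line in process creation events" policy is enabled, and it and ParentProcessName do not exist on older Windows versions, so missing fields come back empty rather than failing. The output path and the -MaxEvents default are assumptions. (For the regex approach, note that the .NET engine does match across lines when the pattern starts with the (?s) option.)

```powershell
# Added example: one flat row per 4688 event, read from the event XML rather than
# the rendered Message. $MaxEvents and $OutFile are assumed defaults.
param(
    [int]$MaxEvents = 500,
    [string]$OutFile = 'proc-created.csv'
)

function Get-EventDataField {
    # Returns the text of <Data Name="...">...</Data>, or '' when the field is absent
    # (CommandLine / ParentProcessName are missing on older OS versions)
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($null -ne $node) { return [string]$node.'#text' }
    return ''
}

function Get-ProcessCreationRows {
    param([int]$MaxEvents)
    # Filtering server-side beats reading the whole Security log through Where-Object
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated.ToString('o')
                Computer          = $_.MachineName
                SubjectUser       = (Get-EventDataField $xml 'SubjectDomainName') + '\' + (Get-EventDataField $xml 'SubjectUserName')
                NewProcessName    = Get-EventDataField $xml 'NewProcessName'
                NewProcessId      = Get-EventDataField $xml 'NewProcessId'
                ParentProcessName = Get-EventDataField $xml 'ParentProcessName'
                TokenElevation    = Get-EventDataField $xml 'TokenElevationType'
                # Collapse any line break inside the command line so the row stays on one line
                CommandLine       = (Get-EventDataField $xml 'CommandLine') -replace '[\r\n]+', ' '
            }
        }
}

Get-ProcessCreationRows -MaxEvents $MaxEvents | Export-Csv -NoTypeInformation -Encoding ASCII $OutFile
```

Because every value is its own column, the output greps cleanly and also imports into anything that reads CSV; the command line is the column worth watching, since it is where encoded PowerShell, LOLBin arguments and the like show up.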

Posted in Powershell

Enumerate GPO GUIDs

dsquery * -limit 9999 -filter "(&(objectClass=groupPolicyContainer)(name={*}))" -attr name displayName
Posted in Uncategorized

Powershell computer enum

Here is a short PowerShell snippet that dumps all the computers in a domain (or, with -SearchBase, one subtree of it) into a CSV file along with the operating system versions they are running:

# Requires the ActiveDirectory module; drop -SearchBase to cover the whole domain
Get-ADComputer -SearchBase "DC=servers,DC=domain,DC=com" -Filter * -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion,PasswordLastSet | Export-Csv -NoTypeInformation out.csv
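A slightly longer version, added as an example and not from the original post, that goes beyond the one-liner: it also pulls LastLogonDate and flags computer accounts whose password has not rotated in a configurable number of days. Domain-joined machines rotate their account password every 30 days by default, so an account with an old PasswordLastSet usually belongs to a host that is gone but still has a valid AD identity. The output file name and the 90-day threshold are assumed defaults.

```powershell
# Added example: computer inventory with OS details plus a stale-account flag.
# $StaleDays and $OutFile are assumed defaults.
param([int]$StaleDays = 90, [string]$OutFile = 'computers.csv')

function Get-ComputerInventory {
    param([int]$StaleDays)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # No -SearchBase: whole domain. Add one to limit the query to an OU.
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion,
        OperatingSystemServicePack, PasswordLastSet, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                Enabled         = $_.Enabled
                OS              = $_.OperatingSystem
                OSVersion       = $_.OperatingSystemVersion
                ServicePack     = $_.OperatingSystemServicePack
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
                # Machine passwords rotate every 30 days by default; older than the cutoff is suspect
                Stale           = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            }
        }
}

$inv = Get-ComputerInventory -StaleDays $StaleDays
$inv | Export-Csv -NoTypeInformation $OutFile

# OS spread, then the stale accounts that are candidates for disabling or deletion
$inv | Group-Object OS | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$inv | Where-Object { $_.Stale } | Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
```

The OS summary is the quick way to spot versions that are out of support; the stale list is what to hand to whoever owns account hygiene, because an enabled but abandoned computer account is something an attacker can reuse.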
Posted in Powershell

Batch file to send Splunk Alerts

The free version of Splunk lacks the capability to do scheduled reports and alerting. However, it has a very capable REST API that can be driven with nothing more than curl. I wrote some batch files to call it and scheduled them to run periodically: one grabs the latest alerts off the IDS, the other alerts on hard drive errors.

@echo off
:: Build a filesystem-safe timestamp from %date% and %time%
set tdate=%date:/=-%
set tdate=%tdate: =%
set ttime=%time::=_%
set ttime=%ttime: =T%
set ttime=%ttime:.=-%

:: The REST API requires authentication. Credentials are taken from the environment
:: (set SPLUNK_USER and SPLUNK_PASS before running) rather than hardcoded in the script.
:: -k disables certificate checking; drop it once the Splunk certificate is trusted.
set SPLUNK_AUTH=-u %SPLUNK_USER%:%SPLUNK_PASS%

call :doit IDSmalware5m
call :doit DiskErrors5m

goto :EOF

:doit
:: Dispatch saved search %1; the XML reply carries the search id on its own <sid> line
curl -s -k %SPLUNK_AUTH% https://splunkserver:8089/services/search/jobs -d "search=| savedsearch %1" | grep sid | sed "s/<sid>//g" | sed "s/<\/sid>//g" > %temp%\splunk-alert-%1-%tdate%%ttime%.txt
for /f %%i in (%temp%\splunk-alert-%1-%tdate%%ttime%.txt) do call :loop %%i
goto :EOF

:loop
::echo "%1"
:: Poll job %1 until its status shows isDone=1 (grep, sed and sleep come from a GnuWin32-style toolkit)
curl -s -k %SPLUNK_AUTH% https://splunkserver:8089/services/search/jobs/%1 | grep "isDone.>1" > nul
if errorlevel 1 sleep 2 && goto :loop
curl -s -k %SPLUNK_AUTH% "https://splunkserver:8089/services/search/jobs/%1/results?output_mode=csv"
goto :EOF
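The same dispatch, poll and fetch exchange in PowerShell, as an added example rather than code from the original post. The server name, saved-search name, output directory and the SPLUNK_USER / SPLUNK_PASS environment variables are placeholders. Two changes from the batch version are deliberate: it logs in once and reuses the session key instead of sending credentials with every request, and it does not disable certificate checking (the -k in the batch file), so the certificate on the Splunk management port has to be trusted by the client, for example by importing a self-signed certificate into the machine's trusted root store. The poll loop also has a deadline so a stuck search cannot hang a scheduled task forever.

```powershell
# Added example: dispatch a Splunk saved search over the REST API, wait for it, save the CSV.
# $Server, $SavedSearch, $OutDir and the SPLUNK_USER / SPLUNK_PASS variables are placeholders.
param(
    [string]$Server = 'https://splunkserver:8089',
    [string]$SavedSearch = 'IDSmalware5m',
    [string]$OutDir = $env:TEMP,
    [int]$TimeoutMinutes = 5
)
$ErrorActionPreference = 'Stop'

function Invoke-SplunkSavedSearch {
    param([string]$Server, [string]$SavedSearch, [string]$OutDir, [int]$TimeoutMinutes)

    # 1. Log in once; every later call carries the session key instead of the password
    $login = Invoke-RestMethod -Method Post -Uri "$Server/services/auth/login?output_mode=json" `
        -Body @{ username = $env:SPLUNK_USER; password = $env:SPLUNK_PASS }
    $headers = @{ Authorization = "Splunk $($login.sessionKey)" }

    # 2. Dispatch the saved search; the reply is {"sid": "..."}
    $job = Invoke-RestMethod -Method Post -Uri "$Server/services/search/jobs?output_mode=json" `
        -Headers $headers -Body @{ search = "| savedsearch $SavedSearch" }
    $sid = $job.sid

    # 3. Poll until isDone, but give up after the deadline so a stuck search cannot hang the task
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 2
        $status = Invoke-RestMethod -Uri "$Server/services/search/jobs/${sid}?output_mode=json" -Headers $headers
        $content = $status.entry[0].content
        if ($content.dispatchState -eq 'FAILED') { throw "search job $sid failed" }
    } until ($content.isDone -or (Get-Date) -gt $deadline)
    if (-not $content.isDone) { throw "search job $sid did not finish within $TimeoutMinutes minutes" }

    # 4. Fetch every result row as CSV (count=0 lifts the default 100-row cap) into a timestamped file
    $stamp = (Get-Date).ToString('yyyy-MM-ddTHH-mm-ss')
    $outFile = Join-Path $OutDir "splunk-alert-$SavedSearch-$stamp.csv"
    Invoke-RestMethod -Uri "$Server/services/search/jobs/$sid/results?output_mode=csv&count=0" -Headers $headers |
        Out-File -Encoding ascii $outFile
    return $outFile
}

Invoke-SplunkSavedSearch -Server $Server -SavedSearch $SavedSearch -OutDir $OutDir -TimeoutMinutes $TimeoutMinutes
```

Run it from a scheduled task with the two environment variables set on the task's account; the script returns the path of the file it wrote, which a wrapper can pick up to mail or post the results.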
Posted in Uncategorized

Script to list all members of Office 365 Admin Roles

Here is a short script to enumerate the Office 365 admin roles and list each one's membership. Get-MsolRole and Get-MsolRoleMember come from the MSOnline module (the original Azure AD PowerShell module, which Microsoft has since deprecated in favour of the Microsoft Graph PowerShell SDK), so install that module and run Connect-MsolService first.

# Requires the MSOnline module; prompts for tenant credentials
Connect-MsolService
$roles = Get-MsolRole

foreach ($role in $roles) {
	Write-Host $role.Name, ",", $role.Description
	Write-Host "=========="
	Get-MsolRoleMember -RoleObjectId $role.ObjectId
	Write-Host " "
}
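The same inventory against the Microsoft Graph PowerShell SDK, which replaces the deprecated MSOnline cmdlets, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and that the caller can consent to the two read-only scopes; the output file name is a placeholder. One flat row per role/member pair makes the output easy to diff between runs, and the final filter surfaces groups and service principals holding admin roles, which a user-centric listing tends to hide.

```powershell
# Added example: admin role membership via Microsoft Graph PowerShell. $OutFile is assumed.
param([string]$OutFile = 'admin-role-members.csv')

# Read-only scopes are sufficient to list directory roles and their members
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

function Get-AdminRoleMembership {
    # Get-MgDirectoryRole lists only roles that have been activated in the tenant;
    # a role template that was never activated has no members and does not appear
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members come back as generic directory objects; type-specific fields live in AdditionalProperties
            $p = $m.AdditionalProperties
            $principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['appId'] }
            [pscustomobject]@{
                Role        = $role.DisplayName
                MemberType  = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''   # user, group, servicePrincipal
                DisplayName = $p['displayName']
                Principal   = $principal
                Id          = $m.Id
            }
        }
    }
}

$members = Get-AdminRoleMembership
$members | Export-Csv -NoTypeInformation $OutFile

# Groups and service principals holding admin roles are easy to miss in a user-only listing
$members | Where-Object { $_.MemberType -ne 'user' } | Format-Table Role, MemberType, DisplayName -AutoSize
```

Keep the CSV from each run; a diff between two runs is the cheapest detection of an unexpected admin role assignment.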
Posted in Powershell

Free Space percentage wmic script

Command Line script using wmic and built-in NT Shell scripting commands to retrieve free space, total disk size and calculate percent free for local hard disks.

@echo off

:: MediaType 12 = fixed hard disk; skip=1 drops the "Caption" header line
for /f "skip=1 usebackq delims==" %%i in (`wmic logicaldisk where "mediatype='12'" get caption`) do (
call :doit %%i )
goto :eof

:doit
set driveletter=%1
if {%driveletter%}=={} goto :EOF
for /f "usebackq delims== tokens=2" %%x in (`wmic logicaldisk where "DeviceID='%driveletter%'" get FreeSpace /format:value`) do set FreeSpace=%%x
for /f "usebackq delims== tokens=2" %%x in (`wmic logicaldisk where "DeviceID='%driveletter%'" get Size /format:value`) do set Size=%%x
:: set /a is 32-bit, so the byte counts are cut down to whole decimal GB first: the -10 drops
:: nine digits plus the trailing CR that wmic leaves on each captured line
set FreeGB=%FreeSpace:~0,-10%
set SizeGB=%Size:~0,-10%
if "%FreeGB%"=="" set FreeGB=0
if "%SizeGB%"=="" goto :EOF
set /a Percentage=100 * FreeGB / SizeGB
echo %driveletter% %FreeGB% GB free out of %SizeGB% GB total - %Percentage% percent free
goto :EOF

I may extend this in a future update to include removable and/or network drives.

Posted in NT Shell Script

Powershell top processes script v2

I made some modifications to my top processes script that make it both better performing and more useful by providing more information. There is a noticeable delay when Get-Counter is called, so rather than staring at a blank screen waiting for the results, I modified the script so that the previous results stay on screen while Get-Counter runs and sends its output to a variable. At the same time I added counters for total CPU usage and idle CPU percentage. It is still a one-liner, though a rather cumbersome one; I may break it up in a future post:

while (1)  { $tot = get-counter "\Processor(_total)\% processor time"; $idl = get-counter "\Process(idle)\% processor time"; $Proc = Get-counter "\Process(*)\% processor time"; $p2 = $Proc.CounterSamples | where {$_.instanceName -ne "idle"} | where {$_.instanceName -ne "_total"}; cls; $tot.countersamples; $idl.countersamples;  $p2| sort -desc CookedValue |select -first 17; sleep -seconds 3;}
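An added example (not the author's one-liner) that addresses two things a practitioner notices with the script above: per-process % Processor Time is summed over all cores, so a single busy thread on an 8-core box reads 100 where Task Manager would show 12.5, and several instances of the same image appear as name, name#1, name#2 with no PID to tell them apart. This version takes all three counters in one Get-Counter call, normalizes by core count and joins in the PID via \Process(*)\ID Process. $Top and $IntervalSeconds are assumed defaults.

```powershell
# Added example: top processes by normalized CPU with PIDs, one Get-Counter call per refresh.
# $Top and $IntervalSeconds are assumed defaults.
param([int]$Top = 17, [int]$IntervalSeconds = 3)

$cores = [int]$env:NUMBER_OF_PROCESSORS

function Get-TopProcessSample {
    param([int]$Top, [int]$Cores)
    # One call samples every path at the same instant, so the numbers are consistent with each other
    $sample = Get-Counter -Counter @(
        '\Processor(_Total)\% Processor Time',
        '\Process(*)\% Processor Time',
        '\Process(*)\ID Process'
    ) -SampleInterval 1 -MaxSamples 1

    $total = ($sample.CounterSamples | Where-Object { $_.Path -like '*\Processor(_Total)*' }).CookedValue
    $cpu   = $sample.CounterSamples | Where-Object { $_.Path -like '*\Process(*)\% Processor Time' }

    # Map instance name (e.g. chrome#1) to its PID
    $ids = @{}
    foreach ($s in ($sample.CounterSamples | Where-Object { $_.Path -like '*\Process(*)\ID Process' })) {
        $ids[$s.InstanceName] = [int]$s.CookedValue
    }

    $rows = $cpu |
        Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.InstanceName
                PID  = $ids[$_.InstanceName]
                # Per-process % Processor Time sums all cores, so divide by the core count
                CPU  = [math]::Round($_.CookedValue / $Cores, 1)
            }
        } | Sort-Object CPU -Descending | Select-Object -First $Top

    [pscustomobject]@{ TotalCpu = [math]::Round($total, 1); Processes = $rows }
}

while ($true) {
    # Sample first, then redraw, so the previous table stays visible during the ~1 s sample
    $snap = Get-TopProcessSample -Top $Top -Cores $cores
    Clear-Host
    "Total CPU: $($snap.TotalCpu)%   (per-process values normalized to $cores cores)"
    $snap.Processes | Format-Table -AutoSize
    Start-Sleep -Seconds $IntervalSeconds
}
```

With the PID alongside the name, a suspicious entry can be pulled straight into Get-Process -Id or Get-CimInstance Win32_Process for its command line and parent.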
Posted in Uncategorized