POC details: adf716a6f82d97326b112ce27c7bcaddd25488c3

Source
Related vulnerability
Title: Microsoft Windows Netlogon security feature issue vulnerability (CVE-2020-1472)
Description: Microsoft Windows Netlogon is an important component of Windows from Microsoft (United States). Its main functions are authenticating users and machines on the domain network and replicating the database for domain-controller backup; it also maintains the relationships between domain members and the domain, between a domain and its domain controllers, and between DCs across domains. Microsoft Windows Netlogon has a security vulnerability. An attacker can use the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel connection to a domain controller and elevate privileges.
Introduction
#
# CVE-2020-1472 Event Reader v1.1 8/27/2020
# This script will:
#   1. Scan system evtx in the input folder for events 5827, 5828, 5829, 5830 and 5831, extract data fields, export to 582#-*.CSV.
#   2. Call Excel to import the resulting 582#-*.CSV and create pivot tables for common secure RPC analysis scenarios. Delete 582#-*.CSV afterward.
#   Feel free to modify to fit your need.
#
#   Script tries best-effort matching to help admins, feel free to modify.
#
# Script requires Excel 2013 or later.
#   64-bit Excel will allow creation of larger data imports to XLS.
#
# To use the script:
#  1. Save the system log as system.evtx to a file.
#  2. Follow the on-screen prompt to enter the path containing *.evtx and the final xlsx.
#
# More info https://support.microsoft.com/en-us/kb/4557222
#   Change log > 1.1
#     Switch Get-WinEvent over to FilterXPath for faster search
#     Added script knob LookbackDays for scheduled review of progress
#     Added %GrandTotal in Excel Pivot to help set priority.
#     Added script knobs for enable/disable ColorScale and DataBar
#     Added $mcLookbackDays, $mcScriptPrompts, $mcServerEvents and $mcEvtPath for remote deployment to send data back to a central share.
#
# Script variables block, modify to fit your need
$mcStartTime = '2020/05/10 06:06'   # TimeStamp to start searching for 5827-5831, in the form of 'yyyy/MM/dd HH:mm', where 1pm is 13, example: '2020/05/26 13:06' will list events starting 2020/05/26 1:06 PM, use it to measure progress.
$mcLookbackDays = 0                 # When set to 0, script will use $mcStartTime. When set to a positive number, script will search events in the last x days. For example: 1 will search events in the last 24 hours.
$mcScriptPrompts = $true            # Script default, $false for non-interactive mode, intended for scheduled jobs or right click, run with PowerShell.
$mcCSVImport = $true                # Set to $false for generating Evtx only, intended for saving Evtx from the server's event service.
$mcServerEvents = $false            # Generate related events from the local server (LocalHost), intended for generating smaller EVTX & CSV for later processing (on another machine) instead of the entire EVTX (when used in combination with $mcCSVImport)
$mcEvtPath = ""                     # Default report path when $mcScriptPrompts=$false, set to "" for script path.
# Performance related knobs
$mcMaxThreads = 4                   # Max concurrent Evtx to CSV export threads (jobs); a high number might hit a file I/O bottleneck since all files are in one directory.
$mcMaxExport = 1000                 # Max events to export per EVTX, modify this if we are getting Excel memory errors (or we just need the first few events as samples)
$mcMaxImport = 1000                 # Max events to import into Excel. ##NOTE##: Once maxed out, Excel will finish the current import file and stop future import(s); since import is single threaded, import might take a long time if set to a high number.
$mcColorScale = $true               # Set to $false to disable column ColorScale = speed up Excel import & reduce memory requirement
$mcDataBar = $true                  # Set to $false to disable column DataBar = speed up Excel import & reduce memory requirement (Note: DataBar is somewhat buggy compared to ColorScale on import, best to do it manually afterward if needed.)

#--Default for remote Evtx collection-------------------------------------------------------
  # $mcLookbackDays = 0 
  # $mcEvtPath = "" 
  # $mcScriptPrompts = $mcCSVImport = $false
  # $mcServerEvents = $true 
#--Default for local non-interactive report generation.-------------------------------------
  # $mcLookbackDays = 0
  # $mcEvtPath = "" 
  # $mcScriptPrompts = $mcServerEvents = $false
  # $mcCSVImport = $true
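The event query step the header above describes (Get-WinEvent with FilterXPath on events 5827-5831, $mcLookbackDays overriding $mcStartTime, capped by $mcMaxExport), written out as an added example; this is not the page's script. The $EvtxPath and $OutCsv parameters and the CSV column layout are assumptions of this example.

```powershell
# Added example, not the page's script: query Netlogon secure-channel events 5827-5831 with
# FilterXPath and flatten their EventData into a CSV. The $mc* knobs mirror the page; the
# $EvtxPath / $OutCsv parameters and the CSV column layout are assumptions of this example.
param(
    [string]$EvtxPath = '',                    # saved system.evtx to read; '' = live System log
    [string]$mcStartTime = '2020/05/10 06:06', # 'yyyy/MM/dd HH:mm', local time, as on the page
    [int]$mcLookbackDays = 0,                  # >0 overrides $mcStartTime with a rolling window
    [int]$mcMaxExport = 1000,                  # cap per log, like the page's $mcMaxExport
    [string]$OutCsv = '.\netlogon-582x.csv'
)

# Time window clause: a rolling lookback wins over the fixed start time, as the page describes.
if ($mcLookbackDays -gt 0) {
    $ms = [int64]$mcLookbackDays * 24 * 60 * 60 * 1000   # timediff() is in milliseconds
    $timeClause = "TimeCreated[timediff(@SystemTime) <= $ms]"
} else {
    $utc = [datetime]::ParseExact($mcStartTime, 'yyyy/MM/dd HH:mm',
                                  [cultureinfo]::InvariantCulture).ToUniversalTime()
    $stamp = $utc.ToString("yyyy-MM-dd'T'HH:mm:ss.000'Z'", [cultureinfo]::InvariantCulture)
    $timeClause = "TimeCreated[@SystemTime >= '$stamp']"
}
$idClause = (5827..5831 | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath = "*[System[($idClause) and $timeClause]]"

# The filter runs inside the event log service, so only matching records cross into PowerShell.
$query = @{ FilterXPath = $xpath; MaxEvents = $mcMaxExport; ErrorAction = 'SilentlyContinue' }
if ($EvtxPath) { $query.Path = $EvtxPath } else { $query.LogName = 'System' }
$events = Get-WinEvent @query

# One row per event: fixed columns plus every named <Data> field from EventData, so the same
# CSV serves 5827/5828 (denied), 5829 (allowed, initial deployment) and 5830/5831 (allowed by policy).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; EventID = $e.Id; Computer = $e.MachineName }
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

if (@($rows).Count -gt 0) {
    $rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    Write-Host ("Exported {0} event(s) to {1}" -f @($rows).Count, $OutCsv)
} else {
    Write-Warning "No events matched: $xpath"
}
```

Run it against a saved copy with `-EvtxPath .\system.evtx`, or without it on a domain controller to read the live System log; the resulting CSV is the input the page's Excel pivot step expects.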
File snapshot

[4.0K] /data/pocs/adf716a6f82d97326b112ce27c7bcaddd25488c3
├── [ 28K] CVE-2020-1472EventReader.ps1
├── [1.0K] LICENSE
└── [3.7K] README.md

0 directories, 3 files