用powershell獲取sysmon日誌

摘要： 想用powershell獲取sysmon日誌還是比較麻煩，開始以為用Get-EventLog就行，結果試了半天報錯： PS D:\> Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20 Get-E...

想用powershell獲取sysmon日誌還是比較麻煩，開始以為用Get-EventLog就行，結果試了半天報錯：

PS D:\> Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20
Get-EventLog : 計算機“.”上的事件日誌“Microsoft-Windows-Sysmon/Operational”不存在。
所在位置 行:1 字元: 1
+ Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) [Get-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetEventLogCommand

上網發現大家都是用的 Get-WinEvent，看了下幫助文件，這個Cmdlet可以獲取所有本地和遠端計算機的日誌，使用-ListLog *可以獲取當前主機的所有型別的日誌

PS C:\> Get-WinEvent -ListLog *

LogModeMaximumSizeInBytes RecordCount LogName
------------------------- ----------- -------
Circular2097152024186 Application
Circular209715200 HardwareEvents
Circular10526720 Internet Explorer
Circular209715200 Key Management Service
Circular1052672117 OAlerts
Circular10526720 PreEmptive
Circular2097152025272 Security
Circular2097152013277 System
Circular157286404381 Windows PowerShell
Circular10526720 AMSI/Operational
Circular20971520ForwardedEvents
Circular1052672200 Lenovo-Power-BaseModule/Operational
Circular104857600 Microsoft-AppV-Client/Admin
Circular104857600 Microsoft-AppV-Client/Operational
Circular104857600 Microsoft-AppV-Client/Virtual Applications
Circular10526722103 Microsoft-Client-Licensing-Platform/Admin
Circular1052672Microsoft-Management-UI/Admin
Circular10526720 Microsoft-Rdms-UI/Admin
Circular10526720 Microsoft-Rdms-UI/Operational
Circular10526720 Microsoft-User Experience Virtualization-Agent 
......

根據網上的例子，使用雜湊表同時指定日誌型別和事件ID，可以查詢sysmon的某類ID的事件日誌

PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10


ProviderName:Microsoft-Windows-Sysmon

TimeCreatedId LevelDisplayName Message
------------- ---------------- -------
2019/4/1 22:23:3517 資訊Pipe Created:...
2019/4/1 22:23:3517 資訊Pipe Created:...
2019/4/1 22:23:3517 資訊Pipe Created:...
2019/4/1 22:23:3417 資訊Pipe Created:...
2019/4/1 22:23:3417 資訊Pipe Created:...
2019/4/1 22:23:3417 資訊Pipe Created:...
2019/4/1 22:23:3317 資訊Pipe Created:...
2019/4/1 22:23:3317 資訊Pipe Created:...
2019/4/1 22:23:3317 資訊Pipe Created:...
2019/4/1 22:23:3317 資訊Pipe Created:...

接下來我希望獲取日誌中的其他訊息，想到使用 Format-Table指定屬性的方法，首先我查詢到sysmon的事件ID為17的日誌中的屬性有：RuleName，UtcTime，ProcessGuid，ProcessId，PipeName，Image，然後用指定屬性輸出：

PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-Tab
le -Property UtcTime,processguid, processid,pipename,image -AutoSize -Wrap

UtcTime processguid ProcessId pipename image
------- ----------- --------- -------- -----
4140
4140
4140
4140
4140
4140
4140
4140
4140
4140

但是發現只有一個ProcessId有值，其他都為空！這就很奇怪。然後使用Format-List * 獲取一下日誌的屬性都有什麼：

PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-List *


Message: Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.814
ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
ProcessId: 6724
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Id: 17
Version: 1
Qualifiers:
Level: 4
Task: 17
Opcode: 0
Keywords: -9223372036854775808
RecordId: 113253
ProviderName: Microsoft-Windows-Sysmon
ProviderId: 5770385f-c22a-43e0-bf4c-06f5698ffbd9
LogName: Microsoft-Windows-Sysmon/Operational
ProcessId: 4140
ThreadId: 6228
MachineName: DESKTOP-DKGHJUN
UserId: S-1-5-18
TimeCreated: 2019/4/1 22:23:35
ActivityId:
RelatedActivityId:
ContainerLog: Microsoft-Windows-Sysmon/Operational
MatchedQueryIds: {}
Bookmark: System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName: 資訊
OpcodeDisplayName: 資訊
TaskDisplayName: Pipe Created (rule: PipeEvent)
KeywordsDisplayNames : {}
Properties: {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty, 
System.Diagnostics.Eventing.Reader.EventProperty...}
......

結果發現日誌的資訊都在Message裡面，連顯示的程序ID都是錯的。知道原因了，也就是說獲取sysmon的日誌資訊的話只需要顯示一條Message就夠了。

PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-Table -Property message -Wrap

Message
-------
Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.814
ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
ProcessId: 6724
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.751
ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000}
ProcessId: 856
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Pipe Created:

但是這種結果並不利於檢視，需要在前面新增幾列資訊，讓每一條結果能顯示的更易於區分。通過Format-List * 檢視有哪些屬性是比較有用的，這次選擇ID，TaskDisplayName 這兩項：

PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 5 | Format-Table -Property ID,TaskDisplayName,message -Wrap

Id TaskDisplayNameMessage
-- ----------------------
17 Pipe Created (rule: PipeEvent) Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.814
ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
ProcessId: 6724
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
17 Pipe Created (rule: PipeEvent) Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.751
ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000}
ProcessId: 856
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
17 Pipe Created (rule: PipeEvent) Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.353
ProcessGuid: {791A80C2-1EE7-5CA2-0000-00103F04F000}
ProcessId: 10636
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
......

但是這個結果也不好，因為獲取到某個ID的日誌後不能繼續搜尋了。

遺留了兩個問題：

1. Get-EventLog和Get-WinEvent兩個cmdlet的差異在哪裡？
2. 如何進一步篩選sysmon日誌？