Utilizing Windows PowerShell for Host-based IDS Log Monitoring
Presentation Topics
- PowerShell
- My Implementation
PowerShell
What is PowerShell
From Wikipedia:
1) Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework.
2) An object-oriented interface through which you can interact with .NET classes (or COM/WMI objects).
Basic Components
Application Host Console
Scripting Environment
PowerShell
What is PowerShell for?
Advanced Users and Administrators
Windows PowerShell is a powerful tool with which:
- you can handle any kind of task,
- as many times as you are asked to,
- reducing repetition by writing and reusing scripts and modules,
- getting the best results,
- with one tool in use: PowerShell
PowerShell
PowerShell vs CMD
PowerShell:
- control flow (if statements, for and while loops)
- variables
- casts everything
- object-oriented
- scripts
- .NET Framework
- extendable
- uses pipes
- adopts all CMD commands
CMD:
- batch files
- predefined commands
- complicated
PowerShell
Verb-Noun cmdlet pattern
Get-Verb
Get-Command -Noun * | select Noun
cmdlet structure
Verb-Noun -Parameter inputValue
PowerShell
Object Oriented Interface
Get-Process | Get-Member
Get-Date | Get-Member
[ipaddress]$sampleIp = "192.168.1.1"; $sampleIp | Get-Member
access properties and methods
PowerShell
Help System
Get-Help Get-Help
Get-Help Get-Process
help *process
help *event*
help Get-Service -Full
other views:
-Detailed, -Examples
Get-Help cmdlet ("help" alias)
Help is updatable:
Get the latest and greatest help by typing:
"Update-Help"
Command Help
Conceptual Help
Get-Help about_*
PowerShell
The Pipeline
Connecting Commands
PowerShell
Doing Administration
Where-Object
Group-Object
Sort-Object
Select-Object
PowerShell
Doing Administration (2)
ConvertTo-Csv
ConvertTo-Html
ConvertTo-Json
ConvertTo-Xml
Export-Csv
Export-Clixml
Out-File
Compare-Object
PowerShell
Extending the Shell
Create Scripts
Create Modules
PowerShell
Security Concerns
Basic Security cmdlets
Firewall Configuration
Access Control
Event Log access
PowerShell
Security Concerns (2)
Host Intrusion Detection System
My implementation
Utilizing Windows PowerShell for Host-based IDS Log Monitoring
My implementation
Overview
- Creating the SQL database
- Getting and parsing events
- Parsing critical Security events
- Storing parsed events in the database
- Monitoring how the database fills
- Log visualization (3 panels)
- Getting and displaying some critical information
- Getting database information directly from the GUI
- Making SQL queries directly from the GUI
- Getting a database table and showing it in a Grid View window
- Exporting a database table to CSV
- Exporting a database table to HTM
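An added example of the "getting, parsing and exporting" steps above, written for this page rather than taken from the thesis's LogAnalysis or LogDatabase modules: it filters the Security log with Get-WinEvent, flattens each event's EventData into a plain object, exports the rows to CSV and groups repeated failed logons by source. The output path and the chosen set of event IDs are assumptions, not values from the slides.

```powershell
# Added example (not the thesis modules): collect selected Security events,
# flatten their EventData into objects, export to CSV, then summarize failed logons.
# Assumes it runs elevated on the local host; $OutCsv is a constructed sample path.
$OutCsv = 'C:\Temp\SecurityEvents.csv'

# Event IDs a host-based monitor typically treats as critical (assumed selection).
$CriticalIds = @{
    1102 = 'Audit log cleared'
    4625 = 'Failed logon'
    4720 = 'User account created'
    4732 = 'Member added to local group'
    4688 = 'Process created'
}

function Get-CriticalSecurityEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$CriticalIds.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Named EventData fields are only reachable through the event's XML form.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Description = $CriticalIds[$_.Id]
            Computer    = $_.MachineName
            TargetUser  = $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
        }
    }
}

$events = Get-CriticalSecurityEvent -Hours 24
$events | Export-Csv -Path $OutCsv -NoTypeInformation

# Simple detection over the parsed rows: sources with 10 or more failed logons.
$events | Where-Object EventId -eq 4625 |
    Group-Object SourceIp | Where-Object Count -ge 10 |
    Sort-Object Count -Descending |
    Select-Object @{n='SourceIp';e={$_.Name}}, Count
```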
Modules:
LogAnalysis
LogDatabase
Scripts:
ScheduleLogs.ps1
JobScheduler.ps1
LogVisualization.ps1
My implementation
My GitHub PowerShell Repository:
http://github.com/greekit/PowerShell
PowerShell Thesis Presentation
By Charis Pctr
These are the slides used for presenting my undergraduate thesis. Topic: Windows Event Log Analysis & Visualization with PowerShell. Place: University of Macedonia. Date: June 2015