Utilizing Windows PowerShell 

for Host-based IDS 
Log Monitoring

Presentation Topics

  • PowerShell
  • My Implementation

PowerShell

What is PowerShell

From Wikipedia:

1) Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework.

2) object-oriented interface where you can interact with .NET classes (or COM/WMI objects)

Basic Components

Application Host Console

Scripting Environment

PowerShell

What is PowerShell for?

Advanced Users and Administrators


    Windows PowerShell is powerful tool where:

    -  you can deal with any kind of task,

    -  as many times as you will be requested to

    -  reducing repetitiveness by writing & using scripts & modules

    -  giving best results

    -  with one tool in use: PowerShell

PowerShell

PowerShell vs CMD   

implementing if stats, for while

variables

casts everything

object-oriented

scripts

.NET Framework

extendable

use pipes

adopts all CMD commands

 

 

batch

predefined commands

complicated

PowerShell

Verb-Noun cmdlet pattern

Get-Verb

Get-Command -Noun * | select Noun

cmdlet structure

Verb-Noun -Parameter inputValue

PowerShell

Object Oriented Interface

get-process | get -member

get-date | get-member

[ipaddress]$sampleIp = "192.168.1.1" | gm

access properties & and methods

 

PowerShell

Help System

Get-Help Get-Help

Get-Help Get-Process

help *process

help *event*

help Get-Service -Full
other type of view:
Detailed, Examples

Get-Help cmdlet ("help" alias)

Help is updatable:

Get the latest and greatest help by typing:

"Update-Help"

Command Help

Conceptual Help

Get-Help about_*

PowerShell

The Pipeline

Connecting Commands

PowerShell

Doing Administration

Where-Object

Group-Object

Sort-Object

Select-Object

PowerShell

Doing Administration (2)

ConvertTo-Csv
ConvertTo-Html
ConvertTo-Json
ConvertTo-Xml

Export-Csv

Export-Clixml

Out-File

Compare-Object

PowerShell

Extending the Shell

Create Scripts

 

 

Create Modules

PowerShell

Security Concerns

Basic Security cmdlets

Firewall Configuration

Access Control
Event Log access

PowerShell

Security Concerns (2)

Host Intrusion Detection System

My implementation

Utilizing Windows PowerShell

for Host-based IDS

Log Monitoring

My implementation

Overview

  • Creating SQL Database
  • Getting Events & Parsing Events
  • Parsing Critical Security Events
  • Storing Parsed Events in Database
  • Monitoring Database Filling
  • Log Visualization (3 panels)
  • Getting and Display some Critical Information
  • Get Database information directly from the GUI
  • Make SQL Queries directrly from the GUI
  • Get Database  Table and Show at a Grid View Window
  • Export Database Table to CSV
  • Export Database Table to HTM

My implementation

Overview

My implementation

Overview

Modules:

LogAnalysis

LogDatabase

 

 

Scripts:

ScheduleLogs.ps1
JobScheduler.ps1

LogVisualization.ps1

My implementation

My Git Hub PowerShell Repository

My Git Hub PowerShell Repository:

http://github.com/greekit/PowerShell

Made with Slides.com