| | 1 | + | |
| | 2 | + | Function Out-GridViewIISLog ($File) { |
| | 3 | + | #.Synopsis - Thanks to this dude - https://www.catapultsystems.com/blogs/easy-iis-log-reading-with-powershell/ |
| | 4 | + | |
| | 5 | + | $Headers = @((Get-Content -Path $File -ReadCount 4 -TotalCount 4)[3].split(' ') | Where-Object { $_ -ne '#Fields:' }); |
| | 6 | + | Import-Csv -Delimiter ' ' -Header $Headers -Path $File | Where-Object { $_.date -notlike '#*' } | Out-GridView -Title "IIS log: $File"; |
| | 7 | + | }; |
| | 8 | + | |
| | 9 | + | $logs = get-childitem -path "C:\inetpub\logs\LogFiles" -Recurse -Filter *.log | ? {$_.LastWriteTime -gt (Get-Date).AddDays(-30)} |
| | 10 | + | foreach($log in $logs){ |
| | 11 | + | |
| | 12 | + | $logdata = $log | Get-Content |
| | 13 | + | |
| | 14 | + | if($logdata -match 'autodiscover.*powershell') |
| | 15 | + | { |
| | 16 | + | write-host "Detected possible IOC in: " $log.FullName -ForegroundColor Yellow |
| | 17 | + | write-host "IOC located, please investigate" -ForegroundColor Red |
| | 18 | + | sleep -Seconds 5 |
| | 19 | + | #$matches = $logdata -match 'autodiscover.*powershell' |
| | 20 | + | #write-host $matches -ForegroundColor Gray |
| | 21 | + | |
| | 22 | + | Out-GridViewIISLog -File $log.FullName |
| | 23 | + | |
| | 24 | + | |
| | 25 | + | } |
| | 26 | + | |
| | 27 | + | |
| | 28 | + | } |
| | 29 | + | |
Daniel Card
committed
with
GitHub
2 years ago
1 parent 8080c252