| 1 | + | |
| 2 | + | Function Out-GridViewIISLog ($File) { |
| 3 | + | #.Synopsis - Thanks to this dude - https://www.catapultsystems.com/blogs/easy-iis-log-reading-with-powershell/ |
| 4 | + | |
| 5 | + | $Headers = @((Get-Content -Path $File -ReadCount 4 -TotalCount 4)[3].split(' ') | Where-Object { $_ -ne '#Fields:' }); |
| 6 | + | Import-Csv -Delimiter ' ' -Header $Headers -Path $File | Where-Object { $_.date -notlike '#*' } | Out-GridView -Title "IIS log: $File"; |
| 7 | + | }; |
| 8 | + | |
| 9 | + | $logs = get-childitem -path "C:\inetpub\logs\LogFiles" -Recurse -Filter *.log | ? {$_.LastWriteTime -gt (Get-Date).AddDays(-30)} |
| 10 | + | foreach($log in $logs){ |
| 11 | + | |
| 12 | + | $logdata = $log | Get-Content |
| 13 | + | |
| 14 | + | if($logdata -match 'autodiscover.*powershell') |
| 15 | + | { |
| 16 | + | write-host "Detected possible IOC in: " $log.FullName -ForegroundColor Yellow |
| 17 | + | write-host "IOC located, please investigate" -ForegroundColor Red |
| 18 | + | sleep -Seconds 5 |
| 19 | + | #$matches = $logdata -match 'autodiscover.*powershell' |
| 20 | + | #write-host $matches -ForegroundColor Gray |
| 21 | + | |
| 22 | + | Out-GridViewIISLog -File $log.FullName |
| 23 | + | |
| 24 | + | |
| 25 | + | } |
| 26 | + | |
| 27 | + | |
| 28 | + | } |
| 29 | + | |