Powershell for Log Analysis & Data Crunching
By Michelle D'Israeli (@mdisraeli)
#BSIDESLDN2015

Why Powershell?
SIEMs are sadly not universal yet
Limited environments
You might not need Cygwin any more
Quick and dirty analysis & tricks
Red teams – process data remotely!

About me
Babcock MSS
◦ Threat intelligence feeds
Serco Security Operations
◦ Web activity investigations
◦ Bulk email analysis
Serco Major Incident Manager
◦ Incident response
◦ Whole host of things

Assumptions
BASH / other command lines
Regular expressions
Object orientated programming

Objectives
Where to learn more
How powershell is different
Really cool tricks

Get-Command
PS D:\> Get-Command
CommandType Name Definition
----------- ---- ----------
Alias % ForEach-Object
Alias ? Where-Object
Function A: Set-Location A:
Alias ac Add-Content
Cmdlet Add-Computer Add-Computer [-DomainName]
Cmdlet Add-Content Add-Content [-Path] <Strin
Cmdlet Add-History Add-History [[-InputObject
Cmdlet Add-Member Add-Member [-MemberType] <
Cmdlet Add-PSSnapin Add-PSSnapin [-Name] <Stri
Cmdlet Add-Type Add-Type [-TypeDefinition]

Verbose
CMD
◦ Ancient
BASH / GNU Posix
◦ Efficient
◦ Ancient too
Powershell
◦ Explicit
◦ Tab completion

man -> Get-Help
PS D:\> Get-Help
TOPIC
Get-Help
SHORT DESCRIPTION
Displays help about Windows PowerShell cmdlets and
concepts.
LONG DESCRIPTION
SYNTAX
get-help {<CmdletName> | <TopicName>}
help {<CmdletName> | <TopicName>}
<CmdletName> -?

cat -> Get-Content
PS D:\> Get-Content songs.txt
Artist - Song
MindInABox - Synchronize
Taylor Swift : Style
The Prodigy -- voodoo people
Orbital - halcyon & on & on
Vieon - Starfighter
Mind.In.A.Bax – Amnesia
Taylor Swift – Blank Space

In BASH / CMD land….
Pipelines = text
cat examplefile
[ AAA
  BBB
  CCC
  DDD
  … ]
=> One Long Stream of Text

In Powershell land….
Pipelines = objects
Get-Content examplefile
[ "AAA" ] =>
[ "BBB" ] =>
[ "CCC" ] =>
[ "DDD" ] =>
[ … ] =>
=> Stream of objects

grep -> Where-Object
> Get-Content songs.txt | Where-Object { $_ -match "Swift" }
Taylor Swift : Style
Taylor Swift – "Blank Space"
> Get-Content songs.txt | Where-Object { $_ -match "^Mind.?In.?A.?B[ao]x" }
MindInABox - Synchronize
Mind.In.A.Bax – Amnesia
# …and fixed the file

Where-Object { some-function }
Much more than grep
Takes a function
◦ Get-Random True,False
◦ $_ = current object
◦ $_ -notmatch "regular-expression"

Regular Expressions in Powershell
Regular Expressions on Windows out of the box!
Escaping nightmare
◦ Backslash within the regex as normal
◦ Backtick ` for escaping Powershell
◦ This will catch you out!
$1 etc for group references… BUT…
◦ Magic regex references NOT environment variables
◦ Use single quotes OR escape the $

sed/awk -> ForEach-Object
>> | ForEach-Object { $_ -replace "\s+[:-]+\s+","," }
Artist,Song
Mind.In.A.Box,Synchronize
Taylor Swift,Style
The Prodigy,voodoo people
Orbital,halcyon & on & on
Vieon,Starfighter
Mind.In.A.Box,Amnesia
Taylor Swift,Blank Space
>> | ForEach-Object { $_ -replace "\s+[:-]+\s+","," } > songs.csv

ForEach-Object { some-function }
Takes a function
◦ $_ = current object
◦ $_ -replace "regular-expression","replacement-text"
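The escaping rules from the regex slide and the sed/awk-style -replace above, as an added example that is not from the talk: the input lines are constructed to mirror songs.txt, and ConvertTo-SongCsv, Show-EscapingTrap and Show-BacktickEscape are names chosen here.

```powershell
# Added example (not from the talk). Input constructed to mirror songs.txt on the slide.
$lines = @(
    'Artist - Song',
    'MindInABox - Synchronize',
    'Taylor Swift : Style',
    'The Prodigy -- voodoo people',
    'Orbital - halcyon & on & on',
    'Vieon - Starfighter',
    'Mind.In.A.Bax – Amnesia',     # en dash (U+2013), not a hyphen
    'Taylor Swift – Blank Space'
)

# Separator: spaces, then a run of ':', '-' or en dash, then spaces.
# Backslashes are for the regex engine; PowerShell passes them through in either quote style.
$sep     = '\s+[:\-\u2013]+\s+'
$pattern = '^(.+?)' + $sep + '(.+)$'   # capture 1 = artist, capture 2 = song

function ConvertTo-SongCsv {
    param([string[]]$InputLines)
    foreach ($line in $InputLines) {
        # Single quotes: $1 and $2 reach the regex engine as group references.
        # The second -replace is the slide's own pattern, used to fix the misspelt band name.
        $line -replace $pattern, '$1,$2' -replace '^Mind.?In.?A.?B[ao]x', 'Mind.In.A.Box'
    }
}

# The trap from the regex slide: in double quotes PowerShell expands $1 and $2 as
# (undefined, hence empty) variables before -replace ever sees them, so the whole
# matched line is replaced by the lone comma between them.
function Show-EscapingTrap {
    param([string]$Line)
    $Line -replace $pattern, "$1,$2"
}

# Escaping the dollar with a backtick is the other way out of the trap.
function Show-BacktickEscape {
    param([string]$Line)
    $Line -replace $pattern, "`$1,`$2"
}

ConvertTo-SongCsv $lines
Show-EscapingTrap 'Taylor Swift – Blank Space'
Show-BacktickEscape 'Taylor Swift – Blank Space'

# -match fills $Matches with the same groups, handy when you want the parts rather than a rewrite.
if ('Taylor Swift : Style' -match $pattern) { $Matches[1]; $Matches[2] }

# Feed the CSV text straight into objects (first line becomes the header) and filter on a column,
# which is what the Import-Csv slides do with the file on disk.
$songs = ConvertTo-SongCsv $lines | ConvertFrom-Csv
$songs | Where-Object { $_.Artist -match 'Swift' }
```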

~The Powershell Zone~

Import-Csv
PS D:\> Import-Csv .\songs.csv
Artist Song
------ ----
Mind.In.A.Box Synchronize
Taylor Swift Style
The Prodigy voodoo people
Orbital halcyon & on & on
Vieon Starfighter

Import-Csv
$_.column
PS D:\> Import-Csv .\songs.csv | Where-Object { $_.Song -match "Style" }
Artist Song
------ ----
Taylor Swift Style

Select-Object
PS D:\> Import-Csv .\songs.csv | Select-Object Artist
Artist
------
Mind.In.A.Box
Taylor Swift
The Prodigy
Orbital
Vieon

Group-Object
PS D:\> Import-Csv .\songs.csv | Group-Object Artist
Count Name Group
----- ---- -----
2 Mind.In.A.Box {@{Artist=Mind.In.A....
2 Taylor Swift {@{Artist=Taylor Swi...
1 The Prodigy {@{Artist=The Prodig...
1 Orbital {@{Artist=Orbital; S...
1 Vieon {@{Artist=Vieon; Son...

Get-EventLog
PS D:\> Get-EventLog Application -Newest 100
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
59825 May 27 20:54 Warning Microsoft-Windows... 11 The des...
59824 May 27 20:47 Information gupdate 0 The des...
59823 May 27 19:33 0 Office Software P... 1073742727 The Sof...
59822 May 27 19:28 Information Microsoft-Windows... 1000 Perform...
59821 May 27 19:28 Information Microsoft-Windows... 1001 Perform...
59820 May 27 19:28 Information Office Software P... 1073742827 The Sof...
59819 May 27 19:27 Information Office Software P... 1073742827 The Sof...
59818 May 27 19:27 0 Office Software P... 1073742726 The Sof...

Get-EventLog
Does what it says on the tin
Requires which event log you want
◦ Eg, Application
◦ NB: Security event log requires admin privileges
-Newest 100
Get-Help Get-EventLog
$logs = Get-EventLog Application -Newest 100

Group-Object
$logs | Group-Object EntryType,Source | Sort-Object Count -Descending
Count Name Group
----- ---- -----
10 Information, Software ... {System.Diagnostics.EventLogEntry,...
10 Information, Office So... {System.Diagnostics.EventLogEntry,...
8 Information, gupdate {System.Diagnostics.EventLogEntry,...
7 Information, NvStreamSvc {System.Diagnostics.EventLogEntry,...
6 Information, Microsoft... {System.Diagnostics.EventLogEntry,...
6 0, Software Protection... {System.Diagnostics.EventLogEntry,...
6 0, Office Software Pro... {System.Diagnostics.EventLogEntry,...
5 Information, SkypeUpdate {System.Diagnostics.EventLogEntry,...

Group and Sort
Pivot tables on the command line!
Can group by multiple columns
Output is a massive hash table
◦ New top-level 'columns' – Count, Name, Values
Sort-Object Count -Descending
$pt = $logs | Group-Object EntryType,Source | Sort-Object Count -Descending

Get-Member
PS D:\> $pt | Get-Member
TypeName: Microsoft.PowerShell.Commands.GroupInfo
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Count Property System.Int32 Count {get;}

Fun with objects
PS D:\> $pt[7].Group[2]
Index Time EntryType Source
----- ---- --------- ------
59784 May 27 10:41 Information SkypeUpdate
PS D:\> $pt[7].Group[2].Source.ToUpper()
SKYPEUPDATE

Extra stuff
Adding new members to objects is a pain but possible
Hashtables, everywhere!
◦ @{'foo' = $_.Name; 'widget' = $_.Type}
Literally all of .NET available to you
◦ $ie = New-Object -ComObject InternetExplorer.Application
$tempfilename = [System.IO.Path]::GetTempFileName()
[io.file]::WriteAllBytes($tempfilename, (Invoke-WebRequest -URI "http://fqdn/rs_server.dll").Content)
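The pivot table, Get-Member drill-down and Add-Member ideas from the Group and Sort, Fun with objects and Extra stuff slides, as an added example that is not from the talk: it runs over constructed log entries (every value made up) so it needs neither Get-EventLog nor admin rights, and New-LogEntry and Get-LogPivot are names chosen here.

```powershell
# Added example (not from the talk). Entries mimic the columns Get-EventLog shows; values are made up.
function New-LogEntry {
    param([int]$Index, [string]$Time, [string]$EntryType, [string]$Source, [int]$InstanceId)
    [pscustomobject]@{
        Index      = $Index
        Time       = [datetime]$Time     # ISO 8601, so the cast does not depend on locale
        EntryType  = $EntryType
        Source     = $Source
        InstanceID = $InstanceId
    }
}

$logs = @(
    New-LogEntry 59825 '2015-05-27T20:54:00' Warning     'Microsoft-Windows-WHEA'     11
    New-LogEntry 59824 '2015-05-27T20:47:00' Information gupdate                      0
    New-LogEntry 59823 '2015-05-27T19:33:00' Information 'Office Software Protection' 1073742727
    New-LogEntry 59822 '2015-05-27T19:28:00' Information 'Microsoft-Windows-WHEA'     1000
    New-LogEntry 59821 '2015-05-27T19:28:00' Information 'Microsoft-Windows-WHEA'     1001
    New-LogEntry 59820 '2015-05-27T10:41:00' Information SkypeUpdate                  0
    New-LogEntry 59819 '2015-05-27T10:40:00' Error       SkypeUpdate                  1
    New-LogEntry 59818 '2015-05-26T09:12:00' Information gupdate                      0
)

# Pivot table on the command line: group by two columns, biggest bucket first.
function Get-LogPivot {
    param([object[]]$Entries)
    $Entries | Group-Object EntryType, Source | Sort-Object Count -Descending
}

$pt = Get-LogPivot $logs
$pt | Select-Object Count, Name

# Name is the two keys joined by ", "; .Values holds them separately (the Count/Name/Values columns).
$pt | ForEach-Object { '{0,3}  {1,-12} {2}' -f $_.Count, $_.Values[0], $_.Values[1] }

# Index into the groups and call .NET methods on what you find.
$pt[0].Group[0]
$pt[0].Group[0].Source.ToUpper()

# Add-Member is clunky, but it gives you a new column to pivot on, here the hour of the day.
$withHour = $logs | ForEach-Object {
    $_ | Add-Member -NotePropertyName Hour -NotePropertyValue $_.Time.Hour -PassThru
}
$withHour | Group-Object Hour | Sort-Object { [int]$_.Name } | Select-Object Name, Count

# Hashtables everywhere: reshape to just the fields you want, then hand them on as CSV.
$withHour |
    ForEach-Object { [pscustomobject]@{ source = $_.Source; hour = $_.Hour; level = $_.EntryType } } |
    ConvertTo-Csv -NoTypeInformation
```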

[Slide 29: activity grid chart, hours 12:00 to 19:00 across the top, rows for Jane, Alex and Clive on the 23rd, 24th and 25th; chart not recoverable from the text]
Result?

Resources & Any Questions?
Technet Hey Scripting Guy blog*
ss64.com
Powershell.com
StackOverflow etc
* http://blogs.technet.com/b/heyscriptingguy/
Michelle D'Israeli
@mdisraeli


Speaker notes

  1. Open with describing scenario then skip slide Powershell screen buffer width set to 56
  2. Powershell default sizing 8x12