Indexing PowerShell transcription files

Path Finder

Is there a resource for indexing powershell transcription files?

We're using PowerShell 5.1. I've reviewed the information provided in a 2016 Splunk .conf talk here: https://conf.splunk.com/files/2016/recordings/powershell-power-hell-hunting-for-malicious-use-of-pow...

But the info in the talk isn't truly complete. For instance, our transcription files don't always have the "End time" footer, and can contain multiple headers (Start time:, Username:, RunAs User:, etc.) within a "Windows PowerShell transcript start" event.

Is there no TA for this?

Example problem file:

**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026141425
**********************
PS R:\> get-adgroup compliance


DistinguishedName : stuff
GroupCategory     : more stuff
GroupScope        : yup, here's our stuff
Name              : and more stuff
ObjectClass       : and more stuff
ObjectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff



**********************
Command start time: 20181026141442
**********************
PS R:\> get-adgroup compliance |Get-ADGroupMember


distinguishedName : stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

distinguishedName : and more stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

... a few hundred lines later....

**********************
Command start time: 20181026143530
**********************
PS R:\> TerminatingError(Export-Csv): "The process cannot access the file 'stuff' because it is being used by another process."
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026143530
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The process cannot access the file 'stuff' because it is being used by another process."
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand

Notice the lack of:

**********************
Windows PowerShell transcript end
End time: 20181026094046
**********************

Any help is greatly appreciated.

0 Karma
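The file layout described in the post above, as an added example that is not part of the original post or of the .conf talk it cites: a Python pre-parser that splits a transcript into one event per command, copies the session header's fields onto each event, treats every "Windows PowerShell transcript start" header as the start of a new session even when no "transcript end" footer preceded it, and records which sessions were never closed. The sample transcript inside it is constructed (same markers and header keys as the file quoted above, made-up values); the output field names and the session key (Machine, Process ID, Start time) are this example's own choices, not anything Splunk or PowerShell defines.

```python
import json
import re
from datetime import datetime

# Constructed sample, not the poster's file: same separators and header keys as the
# transcript quoted in the post, made-up values. As in that file, a second
# "transcript start" header arrives with no "transcript end" footer before it.
SAMPLE = r"""**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Process ID: 10916
**********************
**********************
Command start time: 20181026141425
**********************
PS R:\> get-adgroup compliance

Name              : compliance
SamAccountName    : compliance

**********************
Command start time: 20181026143530
**********************
PS R:\> TerminatingError(Export-Csv): "The process cannot access the file 'stuff' because it is being used by another process."
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Process ID: 10916
**********************
**********************
Command start time: 20181026143530
**********************
PS>CommandInvocation(Out-String): "Out-String"
export-csv : The process cannot access the file 'stuff' because it is being used by another process.
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
**********************
Windows PowerShell transcript end
End time: 20181026143601
**********************
"""

SEP = re.compile(r"^\*{10,}\s*$")          # the asterisk line that frames every block
# Split where a separator line is immediately followed by a block marker; the separator
# that merely closes a block is followed by something else and is left alone.
BLOCK = re.compile(r"^\*{10,}[ \t]*\r?\n(?=Windows PowerShell transcript (?:start|end)|Command start time:)", re.M)
PROMPT = re.compile(r"^PS[^>]*>\s?(.*)$")  # "PS R:\> cmd" and the bare "PS>cmd" form

def _fields(lines):
    """'Key: value' lines -> dict; lines without a colon (separators, blanks) are ignored."""
    pairs = (l.partition(":") for l in lines if ":" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_transcript(text):
    """Return (sessions, events): one event per command, tagged with its session's header
    fields. Every 'transcript start' header opens a new session, footer or no footer."""
    sessions, events = [], []
    session = {"header": {}, "closed": False, "end_time": None}  # only used if a file starts mid-session
    for chunk in BLOCK.split(text):
        marker, _, rest = chunk.partition("\n")
        if marker.startswith("Windows PowerShell transcript start"):
            h = _fields(rest.splitlines())
            session = {"header": h, "closed": False, "end_time": None,
                       "key": (h.get("Machine"), h.get("Process ID"), h.get("Start time"))}
            sessions.append(session)
        elif marker.startswith("Command start time:"):
            body = rest.splitlines()
            if body and SEP.match(body[0]):
                body.pop(0)                          # separator closing the marker block
            while body and not body[-1].strip():
                body.pop()                           # trailing blank lines
            m = PROMPT.match(body[0]) if body else None
            cmd = m.group(1) if m else ""
            h = session["header"]
            events.append({
                "timestamp": datetime.strptime(_fields([marker])["Command start time"], "%Y%m%d%H%M%S").isoformat(),
                "machine": h.get("Machine"), "username": h.get("Username"),
                "process_id": h.get("Process ID"), "session_start": h.get("Start time"),
                "command": cmd, "output": "\n".join(body[1:] if m else body).strip("\n"),
                "is_error": cmd.startswith("TerminatingError(")
                or any(l.lstrip().startswith("+ CategoryInfo") for l in body),
            })
        elif marker.startswith("Windows PowerShell transcript end"):
            session["closed"] = True
            session["end_time"] = _fields(rest.splitlines()).get("End time")
    return sessions, events

if __name__ == "__main__":
    sessions, events = parse_transcript(SAMPLE)
    print("\n".join(json.dumps(e) for e in events))
    unclosed = [s for s in sessions if not s["closed"]]
    print(f"{len(unclosed)} of {len(sessions)} sessions have no 'transcript end' footer")
```

Two things worth noting. In the file quoted above, the repeated header carries the same Start time and Process ID as the first one, so the key built from (Machine, Process ID, Start time) lets you tell a re-emitted header apart from a genuinely new session and decide whether to merge them. And the BLOCK regex is what a props.conf LINE_BREAKER (with SHOULD_LINEMERGE = false) would do in Splunk: break before each marker rather than wait for a footer that may never come. What line breaking alone cannot do is copy the header's Username onto every command event, which is the reason for flattening the file before indexing it.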

Path Finder

Did you ever have any luck with this? I am about to work with these logs and was planning to use the 2016 talk as a base as well. Did you need any more props/transforms than were indicated in the talk?

0 Karma