Get-WinEvent with FilterHashtable generate broken query (filter) #2327

Closed
iSazonov opened this issue Sep 21, 2016 · 3 comments

@iSazonov

commented Sep 21, 2016

This is a UserVoice issue: https://windowsserver.uservoice.com/forums/301869-powershell/suggestions/15969436-get-winevent-filterhashtable-query-is-wrong

Steps to reproduce

Below is a test for the PrintService log, but you can test with any event log.
Replace the printer names and server name with actual ones in your environment.
# Test 1a
# Result: Get-WinEvent : No events were found that match the specified selection criteria.
$ef = @{Logname="Microsoft-Windows-PrintService/Operational";Param5="PS-PRN1"}
$a=Get-WinEvent -MaxEvents 25 -FilterHashtable $ef -Debug -ComputerName ps1

# Test 1b
# Query from Test 1a
# Result: Get-WinEvent : The specified query is invalid
$ed=@"
<QueryList>
<Query Id="0" Path="microsoft-windows-printservice/operational">
<Select Path="microsoft-windows-printservice/operational">
*[([EventData[Data[@Name='Param5']='PS-PRN1']] or [UserData/*/Param5='PS-PRN1'])]
</Select>
</Query>
</QueryList>
"@
$a=Get-WinEvent -MaxEvents 25 -FilterXml $ed -Debug -ComputerName ps1

# Test 2a
# Result: Get-WinEvent : No events were found that match the specified selection criteria.
$ef = @{Logname="Microsoft-Windows-PrintService/Operational";Param5=@("PS-PRN1","PS-PRN2")}
$a=Get-WinEvent -MaxEvents 25 -FilterHashtable $ef -Debug -ComputerName ps1

# Test 2b
# Query from Test 2a
# Result: Get-WinEvent : The specified query is invalid
$ed=@"
<QueryList>
<Query Id="0" Path="microsoft-windows-printservice/operational">
<Select Path="microsoft-windows-printservice/operational">
*[([EventData[Data[@Name='Param5']='System.Object[]']] or [UserData/*/Param5='System.Object[]'])]
</Select>
</Query>
</QueryList>
"@
$a=Get-WinEvent -MaxEvents 25 -FilterXml $ed -Debug -ComputerName ps1

Expected behavior

Get-WinEvent returns the event or list of events (which really are in the log).

Actual behavior

  1. Get-WinEvent returns for the 1a and 2a tests (FilterHashtable):
    Get-WinEvent : No events were found that match the specified selection criteria.
  2. Get-WinEvent returns for the 1b and 2b tests (FilterXml):
    Get-WinEvent : The specified query is invalid
  3. If the generated filter (query) is copy-pasted into Eventvwr.msc, then Eventvwr.msc shows "The specified query is invalid".

The help for Get-WinEvent says that the parameter's format is *=<String[]>, but the cmdlet does not process a string array in this place at all.

Environment data

PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.0.10240.16384
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   10.0.10240.16384
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14915.1000
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14915.1000
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@iSazonov


commented Sep 28, 2016

I am ready to make the fix. Assign me @powershell/powershell @PowerShellTeam

@brianreitz


commented Jul 15, 2019

This issue seems to be back. Get-WinEvent -FilterHashTable does not appear to support named event data fields despite the pull request.

Steps to reproduce

Based on the description of this parameter, let's create some data that we want to match. I am using the "Microsoft-Windows-Windows Defender" log, and will create a log entry for a 'malicious' threat. Here, we use a known signatured string of "amsiutils", which Windows Defender will flag and block.

PS C:\Users\brian> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.145
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.145
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Users\brian> 'amsiutils'
At line:1 char:1
+ 'amsiutils'
+ ~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent

Afterwards, an event will be created similar to the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1116</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-07-12T19:26:20.618937800Z" />
    <EventRecordID>972</EventRecordID>
    <Correlation ActivityID="{72c595a8-b626-48e6-aa39-eae5f5598ed9}" />
    <Execution ProcessID="8168" ThreadID="8772" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>flexo</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">%%827</Data>
    <Data Name="Product Version">4.18.1906.3</Data>
    <Data Name="Detection ID">{0A9F34E6-A5C4-493A-953A-98724D5169EF}</Data>
    <Data Name="Detection Time">2019-07-12T19:26:20.604Z</Data>
    <Data Name="Unused"></Data>
    <Data Name="Unused2"></Data>
    <Data Name="Threat ID">2147728399</Data>
    <Data Name="Threat Name">Trojan:Win32/AmsiTamper.A!ams</Data>
    <Data Name="Severity ID">5</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Category ID">8</Data>
    <Data Name="Category Name">Trojan</Data>
    <Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/AmsiTamper.A!ams&amp;threatid=2147728399&amp;enterprise=0</Data>
    <Data Name="Status Code">1</Data>
    <Data Name="Status Description"></Data>
    <Data Name="State">1</Data>
    <Data Name="Source ID">10</Data>
    <Data Name="Source Name">%%897</Data>
    <Data Name="Process Name">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Detection User">FLEXO\brian</Data>
    <Data Name="Unused3"></Data>
    <Data Name="Path">amsi:_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Origin ID">0</Data>
    <Data Name="Origin Name">%%844</Data>
    <Data Name="Execution ID">1</Data>
    <Data Name="Execution Name">%%813</Data>
    <Data Name="Type ID">0</Data>
    <Data Name="Type Name">%%822</Data>
    <Data Name="Pre Execution Status">0</Data>
    <Data Name="Action ID">9</Data>
    <Data Name="Action Name">%%887</Data>
    <Data Name="Unused4"></Data>
    <Data Name="Error Code">0x00000000</Data>
    <Data Name="Error Description">The operation completed successfully. </Data>
    <Data Name="Unused5"></Data>
    <Data Name="Post Clean Status">0</Data>
    <Data Name="Additional Actions ID">0</Data>
    <Data Name="Additional Actions String">No additional actions required</Data>
    <Data Name="Remediation User"></Data>
    <Data Name="Unused6"></Data>
    <Data Name="Security intelligence Version">AV: 1.297.951.0, AS: 1.297.951.0, NIS: 1.297.951.0</Data>
    <Data Name="Engine Version">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
  </EventData>
</Event>

If we look at the XML for this event, we can see several named data fields, such as "Threat Name", "Severity ID", "Severity Name", "Detection User", etc.
According to about_Hash_Tables, strings are a valid key type, so we should be able to use spaces in a key name to query these fields:

PS C:\Users\brian> Get-WinEvent -MaxEvents 5 -FilterHashtable @{ LogName="Microsoft-Windows-Windows Defender/Operational"; Id=1116; "Severity Name"="Severe" }
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -MaxEvents 5 -FilterHashtable @{ LogName="Microsoft-Wind ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

If we pick a named data field that is only one word (besides Path, which is already reserved), we still get no results.

PS C:\Users\brian> Get-WinEvent -MaxEvents 5 -FilterHashtable @{ LogName="Microsoft-Windows-Windows Defender/Operational"; Id=1116; State=1 }
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -MaxEvents 5 -FilterHashtable @{ LogName="Microsoft-Wind ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

Checking the PowerShell tests for this, these appear to load events from a file rather than the live log. I'm not sure how this could affect things, but just in case, I export the event to a file and try again:

PS C:\Users\brian> Get-WinEvent -MaxEvents 5 -FilterHashtable @{ Path='C:\Users\brian\Documents\defender_test.evtx'; Id=1116; "Severity ID"=1 }
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -MaxEvents 5 -FilterHashtable @{ Path='C:\Users\brian\Do ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

Using the Data key to search for the value we want across all fields works. However, you can't have multiple Data keys if you want to specify multiple named fields to filter against (e.g. all events where "Detected User" is "flexo\brian" and "Severity Name"="Severe").

PS C:\Users\brian> Get-WinEvent -MaxEvents 5 -FilterHashtable @{ LogName="Microsoft-Windows-Windows Defender/Operational"; Id=1116; Data="flexo\brian" }

    ProviderName: Microsoft-Windows-Windows Defender

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
7/12/2019 3:26:20 PM          1116 Warning          Windows Defender Antivirus has detected malware or other potentially unwanted software.... 

You can use FilterXPath instead of FilterHashTable and it works just fine, with multiple named fields that can be searched. Writing XPath queries is far more error-prone and less human-readable than hashtables.

PS C:\Users\brian> Get-WinEvent -MaxEvents 5 -LogName "Microsoft-Windows-Windows Defender/Operational" -FilterXPath "*[System[EventID=1116] and EventData[Data[@Name='Detection User']='flexo\brian' and Data[@Name='Severity Name']='Severe']]"

   ProviderName: Microsoft-Windows-Windows Defender

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
7/12/2019 3:26:20 PM          1116 Warning          Windows Defender Antivirus has detected malware or other potentially unwanted software....

Expected Behavior

Get-WinEvent should return the matching events from the event log.

Actual Behavior

Get-WinEvent : No events were found that match the specified selection criteria.

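The two reports above (the 'System.Object[]' emitted for an array value in Test 2a, and the named EventData fields such as "Severity Name" that -FilterHashtable never matched) come down to the same missing translation: a hashtable entry must become `Data[@Name='field']='value'` inside `EventData[...]`, with an array of values turned into an `or` group. The helper below is an added example, not code from the issue or from PowerShell itself; it builds that XPath from the same hashtable shape so it can be passed to -FilterXPath. `ConvertTo-WinEventXPath`, `Literal` and `OrGroup` are names chosen here, and the sample values mirror the ones in the thread.

```powershell
# Added example: build the XPath that -FilterHashtable should have produced.
function ConvertTo-WinEventXPath {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Filter)

    # XPath 1.0 has no quote escaping: integers stay bare, strings take
    # whichever quote character they do not contain.
    function Literal($v) {
        if ($v -is [int] -or $v -is [long]) { return "$v" }
        $s = [string]$v
        if ($s -notlike "*'*") { return "'$s'" }
        if ($s -notlike '*"*') { return "`"$s`"" }
        throw "Value [$s] contains both quote characters and cannot be written in XPath 1.0"
    }
    # A scalar or an array becomes an OR group of equality tests, so an array
    # never degrades to the string 'System.Object[]' as in Test 2a above.
    function OrGroup([string]$lhs, $value) {
        $terms = @($value) | ForEach-Object { "$lhs=$(Literal $_)" }
        return '(' + ($terms -join ' or ') + ')'
    }

    $system = @(); $data = @()
    foreach ($key in $Filter.Keys) {
        switch ($key) {                       # switch matching is case-insensitive
            'LogName' { }                     # the channel goes to -LogName, not into the XPath
            'Id'      { $system += OrGroup 'EventID' $Filter[$key] }
            default   { $data += OrGroup "Data[@Name=$(Literal $key)]" $Filter[$key] }
        }
    }
    $parts = @()
    if ($system) { $parts += 'System[' + ($system -join ' and ') + ']' }
    if ($data)   { $parts += 'EventData[' + ($data -join ' and ') + ']' }
    if (-not $parts) { return '*' }
    return '*[' + ($parts -join ' and ') + ']'
}

# Constructed usage: the Defender query from the comment above, as a hashtable.
# Order of the "and" terms follows the hashtable's own enumeration order.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$xpath = ConvertTo-WinEventXPath ([ordered]@{
    LogName = $log; Id = 1116
    'Detection User' = 'flexo\brian'; 'Severity Name' = 'Severe' })
# *[System[(EventID=1116)] and EventData[(Data[@Name='Detection User']='flexo\brian') and (Data[@Name='Severity Name']='Severe')]]
Get-WinEvent -LogName $log -FilterXPath $xpath -MaxEvents 5

# The PrintService array case from Test 2a: two printer names become an OR group.
ConvertTo-WinEventXPath @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Param5 = @('PS-PRN1', 'PS-PRN2') }
# *[EventData[(Data[@Name='Param5']='PS-PRN1' or Data[@Name='Param5']='PS-PRN2')]]
```

The generated string can be pasted into the Event Viewer XML filter as the `Select` body, which is also the quickest way to confirm that the event log's XPath subset accepts it.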
@iSazonov


commented Jul 16, 2019

@brianreitz Your report is for 5.1.18362.145 Windows PowerShell; the current repository is for PowerShell Core (you can check that this works on it). Please use UserVoice or the Windows 10 Feedback tool to report the issue for Windows PowerShell.
