mingchen-script/CVE-2020-1472-visualizer

CVE-2020-1472 Event Reader v1.1 8/27/2020

This script will:

1. Scan the System .evtx files in the input folder for events 5827, 5828, 5829, 5830 and 5831, extract their data fields, and export them to 582#-*.CSV.

2. Call Excel to import the resulting 582#-*.CSV files and create pivot tables for common secure RPC analysis scenarios. The 582#-*.CSV files are deleted afterward.
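The following is an added example of step 1 written for this page; it is not the repository's script. It filters a saved System log with Get-WinEvent -FilterXPath (the approach the v1.1 change log mentions) for Netlogon events 5827-5831 newer than a start time, flattens every EventData field into a column without assuming field names, and writes one CSV per event ID. The function name, parameter names and the system.evtx path are assumptions.

```powershell
# Added example, not the repository's code. Assumes a saved System log (e.g. system.evtx)
# and an output directory; the function and parameter names are invented for this page.
function Export-NetlogonEvents {
    param(
        [Parameter(Mandatory)][string]$EvtxPath,    # saved System log, e.g. C:\logs\system.evtx
        [Parameter(Mandatory)][string]$OutDir,      # where 582#-<logname>.csv files are written
        [datetime]$StartTime = '2020/05/10 06:06',  # same format as the script's $mcStartTime knob
        [int]$MaxExport = 1000                      # same idea as $mcMaxExport: cap per EVTX
    )

    # XPath timediff() takes milliseconds back from "now", so convert the start time once.
    $msBack   = [int64]((Get-Date) - $StartTime).TotalMilliseconds
    $idClause = (5827..5831 | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath    = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $msBack]]]"

    # Filtering inside the event log API is far faster than piping every event through Where-Object.
    $events = Get-WinEvent -Path $EvtxPath -FilterXPath $xpath -MaxEvents $MaxExport -ErrorAction SilentlyContinue
    if (-not $events) { Write-Verbose "No 5827-5831 events in $EvtxPath since $StartTime"; return }

    $rows = foreach ($e in $events) {
        $x   = [xml]$e.ToXml()
        $row = [ordered]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Computer    = $e.MachineName
        }
        # Every <Data Name="..."> element becomes a column, so the export works for all five IDs
        # even though 5827/5830 (machine accounts) and 5828/5831 (trusts) carry different fields.
        foreach ($d in $x.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        [pscustomobject]$row
    }

    $logName = [IO.Path]::GetFileNameWithoutExtension($EvtxPath)
    $rows | Group-Object EventId | ForEach-Object {
        $csv = Join-Path $OutDir ("{0}-{1}.csv" -f $_.Name, $logName)
        $_.Group | Export-Csv -Path $csv -NoTypeInformation
        $csv   # return the paths written so a caller can feed them to the Excel import step
    }
}

# Usage (paths are placeholders):
# Export-NetlogonEvents -EvtxPath 'C:\logs\system.evtx' -OutDir 'C:\logs' -StartTime '2020/05/26 13:06'
```

Because the XPath only mentions event IDs, the same filter works whether the log was saved from a domain controller or collected centrally; if a log mixes providers, add a `Provider[@Name='...']` clause for the Netlogon source.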

The script does a best-effort match of the event data to help admins; feel free to modify it to fit your needs.

Script requires Excel 2013 or later.

64-bit Excel allows larger data imports into the XLSX.

To use the script:

1. Save the System event log to a file as system.evtx.

2. Follow the on-screen prompts to enter the path containing the *.evtx files and the path of the final .xlsx.

Change log v1.1

Switched Get-WinEvent over to FilterXPath for faster searching.

Added a script knob, LookbackDays, for scheduled review of progress.

Added %GrandTotal to the Excel pivot to help set priorities.

Added script knobs to enable/disable ColorScale and DataBar.

Added $mcLookbackDays, $mcScriptPrompts, $mcServerEvents and $mcEvtPath for remote deployment that sends data back to a central share.

Script variables block, modify to fit your needs:

```powershell
$mcStartTime = '2020/05/10 06:06' # Timestamp to start searching for 5827-5831, in the form 'yyyy/MM/dd HH:mm' (24-hour clock, so 1 PM is 13). Example: '2020/05/26 13:06' lists events starting 2020/05/26 1:06 PM. Use it to measure progress.
$mcLookbackDays = 0 # When set to 0, the script uses $mcStartTime. When set to a positive number, the script searches events in the last x days. For example: 1 searches events in the last 24 hours.
$mcScriptPrompts = $true # Script default; $false for non-interactive mode, intended for scheduled jobs or right-click "Run with PowerShell".
$mcCSVImport = $true # Set to $false to generate EVTX only, intended for saving EVTX from the server's event service.
$mcServerEvents = $false # Generate related events from the local server (LocalHost), intended for producing a smaller EVTX & CSV for later processing (on another machine) instead of the entire EVTX (when used in combination with $mcCSVImport).
$mcEvtPath = "" # Default report path when $mcScriptPrompts = $false; set to "" for the script path.

# Performance related knobs
$mcMaxThreads = 4 # Max concurrent EVTX-to-CSV export threads (jobs); a high number might hit a file I/O bottleneck since all files are in one directory.
$mcMaxExport = 1000 # Max events to export per EVTX; lower this if Excel reports a memory error (or if only the first few events are needed as samples).
$mcMaxImport = 1000 # Max events to import into Excel. ##NOTE##: once maxed out, Excel finishes the current import file and stops further imports; since import is single threaded, it might take a long time if set to a high number.
$mcColorScale = $true # Set to $false to disable the column ColorScale: speeds up Excel import & reduces memory requirement.
$mcDataBar = $true # Set to $false to disable the column DataBar: speeds up Excel import & reduces memory requirement. (Note: DataBar is somewhat buggy compared to ColorScale on import; best to add it manually afterward if needed.)

#--Default for remote Evtx collection-------------------------------------------------------
$mcLookbackDays = 0
$mcEvtPath = ""
$mcScriptPrompts = $mcCSVImport = $false
$mcServerEvents = $true

#--Default for local non-interactive report generation.--------------------------------------
$mcLookbackDays = 0
$mcEvtPath = ""
$mcScriptPrompts = $mcServerEvents = $false
$mcCSVImport = $true
```
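The following is an added example, not the repository's code, showing two things the knob block and change log describe: how the $mcLookbackDays / $mcStartTime precedence resolves to a search start, and what the Excel pivot's %GrandTotal column computes, done here in plain PowerShell so it can run on a collector without Excel. The sample rows are constructed, and the column names SamAccountName and ClientIpAddress are assumptions about the exported CSV; the function names are invented for this page. The event-ID labels are the Netlogon meanings published with the CVE-2020-1472 Windows update.

```powershell
# Added example, not the repository's code. Sample rows are constructed; column names assumed.

function Resolve-SearchStart {
    # Same precedence as the knobs: a positive LookbackDays wins, 0 falls back to StartTime.
    param([datetime]$StartTime, [int]$LookbackDays)
    if ($LookbackDays -gt 0) { (Get-Date).AddDays(-$LookbackDays) } else { $StartTime }
}

# Meaning of each Netlogon event ID, so the pivot can be read as a priority list:
# 5827/5828 = vulnerable connection DENIED (machine account / trust account): nothing to fix on the DC,
#             but the client or trust is still using an insecure channel.
# 5829      = vulnerable connection ALLOWED during the initial deployment phase: these are the
#             accounts that will break once enforcement mode is on, so they come first.
# 5830/5831 = vulnerable connection ALLOWED because the "allow vulnerable" group policy lists
#             that machine account / trust: review and shrink that list.
$EventMeaning = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed, initial deployment phase'
    5830 = 'Allowed by policy (machine account)'
    5831 = 'Allowed by policy (trust account)'
}

# Constructed sample rows in the shape a 582#-*.csv export would have (values are made up).
$SampleRows = @(
    [pscustomobject]@{ EventId = 5829; SamAccountName = 'OLDPRINT01$'; ClientIpAddress = '10.0.1.20' }
    [pscustomobject]@{ EventId = 5829; SamAccountName = 'OLDPRINT01$'; ClientIpAddress = '10.0.1.20' }
    [pscustomobject]@{ EventId = 5829; SamAccountName = 'NAS-LEGACY$'; ClientIpAddress = '10.0.2.7'  }
    [pscustomobject]@{ EventId = 5827; SamAccountName = 'LAB-VM12$';   ClientIpAddress = '10.0.9.3'  }
    [pscustomobject]@{ EventId = 5830; SamAccountName = 'SCANNER3$';   ClientIpAddress = '10.0.1.44' }
)

function Get-NetlogonPivot {
    # Equivalent of the Excel pivot: count per (EventId, account) with % of grand total.
    param([Parameter(Mandatory)][object[]]$Rows)
    $total = $Rows.Count
    $Rows | Group-Object EventId, SamAccountName | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            EventId        = $first.EventId
            Meaning        = $EventMeaning[[int]$first.EventId]
            SamAccountName = $first.SamAccountName
            Count          = $_.Count
            PctGrandTotal  = [math]::Round(100 * $_.Count / $total, 1)
        }
    } | Sort-Object @{ Expression = { $_.EventId -eq 5829 }; Descending = $true }, Count -Descending
}

# Usage: a scheduled run with LookbackDays = 1 looks at the last 24 hours regardless of StartTime.
$start = Resolve-SearchStart -StartTime '2020/05/10 06:06' -LookbackDays 1
Get-NetlogonPivot -Rows $SampleRows | Format-Table -AutoSize
```

With the sample rows, OLDPRINT01$ shows 2 of 5 events (40.0%) under 5829 and sorts to the top, which is the ordering the %GrandTotal column is meant to drive: the accounts still making allowed-but-vulnerable connections are the ones to fix before enforcement mode.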
