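Function Find-WinExeStart {
<#
.SYNOPSIS
PoC function that scans the System event log for the default service-install signature left by winexe (the "winexesvc" service).
Function: Find-WinExeStart
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Reads the System log with Get-EventLog and returns one object per Service Control Manager
event 7045 ("a service was installed in the system") whose message matches the service-name
pattern. Each object carries the Hostname (event MachineName), the UserName recorded on the
event (the account that installed the service) and the Time (TimeGenerated).

Caveats a responder should keep in mind:
- The match is against a DEFAULT service name. winexe lets the operator pick another name, so
  an empty result is not evidence of absence; use -ServiceName to widen the pattern.
- Only events still retained in the System log are visible; a rolled-over or cleared log hides
  older installs.
- Get-EventLog is a Windows PowerShell (5.1 and earlier) cmdlet and is not available in
  PowerShell 6+. Port to Get-WinEvent -FilterHashtable @{LogName='System';Id=7045} there.
.PARAMETER ServiceName
Wildcard pattern (-like syntax) matched against the 7045 event message. Defaults to "*winexesvc*".
.PARAMETER ComputerName
One or more computers whose System log is read. When omitted the local machine is queried, exactly
as the original parameterless version did.
.EXAMPLE
Find-WinExeStart
.EXAMPLE
Find-WinExeStart -ServiceName '*winexesvc*' -ComputerName 'srv01','srv02'
.LINK
http://www.obscuresec.com/
#>
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]$ServiceName = '*winexesvc*',

        [Parameter(Position = 1)]
        [String[]]$ComputerName
    )

    # Build the Get-EventLog arguments once; -ComputerName is only added when the caller
    # supplied it, so the default call is identical to the original local-only query.
    $LogParams = @{ 'LogName' = 'System' }
    if ($PSBoundParameters.ContainsKey('ComputerName')) {
        $LogParams['ComputerName'] = $ComputerName
    }

    # Get-EventLog has to read the whole log, so filter in a single pass: the cheap integer
    # EventID test runs first and short-circuits before the wildcard message comparison.
    # EventID is compared rather than -InstanceId because, for SCM events such as 7045, the
    # InstanceId generally carries additional qualifier bits and is not equal to 7045.
    Get-EventLog @LogParams |
        Where-Object { ($_.EventID -eq 7045) -and ($_.Message -like $ServiceName) } |
        ForEach-Object {
            # Same three-property object shape as the original PoC so existing consumers
            # (Select-Object / Export-Csv pipelines) keep working.
            New-Object -TypeName PSObject -Property @{
                'Hostname' = $_.MachineName
                'UserName' = $_.UserName
                'Time'     = $_.TimeGenerated
            }
        }
}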