|
I'm trying to pull security logs from a bunch of DCs to find out where an account is being used, my script is:code:I've also changed the Account Name to something I saw show up in the logs but it still returns nothing, as well as just using the $_.message -match "Account Name: username" part with nothing returned so obviously I'm using something incorrectly in there, but I'm just shamelessly stealing the end part from google searches as I'm not finding any good information on how to pipe and filter on different eventlog fields. MF_James fucked around with this message at 23:02 on May 1, 2018 |
#
?
May 1, 2018 22:59
|
|
|
|
| # ? May 15, 2024 10:27 |
|
|
Try -like or -contains E: also, I like to wrap comparisons in ()’s, but it shouldn’t be necessary Ex: ((x -eq y) -and (z -like w)) The Fool fucked around with this message at 23:04 on May 1, 2018 |
|
#
?
May 1, 2018 23:02
|
|
|
MF_James posted:I'm trying to pull security logs from a bunch of DCs to find out where an account is being used, my script is: code:code:
|
|
#
?
May 1, 2018 23:02
|
|
|
Still not working, it seems there's something wrong with this statement ($_.message -like "Account Name: username"), it's unable to match anything even if I KNOW there's something to match, so there's some sort of syntax problem. fake edit: got it with this Get-EventLog -LogName Security | ?{($_.entrytype -eq "FailureAudit") -and ($_.message -match "Account Name:\s*username")} Seems it goes out to regex which requires the \s to evaluate properly
|
|
#
?
May 1, 2018 23:10
|
|
|
MF_James posted:Still not working, it seems there's something wrong with this statement ($_.message -like "Account Name: username"), it's unable to match anything even if I KNOW there's something to match, so there's some sort of syntax problem.
|
|
#
?
May 1, 2018 23:18
|
|
|
Yeah, I assume there's more than one whitespace character there.
|
|
#
?
May 1, 2018 23:39
|
|
|
Do you have to include the Account Name: bit, or can you just match on the username?
|
|
#
?
May 2, 2018 00:51
|
|
|
MF_James posted:Yeah, I assume there's more than one whitespace character there. I guess if you know it's all ascii you can also just use format-hex.
|
|
#
?
May 2, 2018 01:11
|
|
|
I have what I hope is a silly question about Powershell vs. Powershell Core. My boss is a Mac user and asked for me to give him access to a tool we wrote using powershell that tests our web services for basic functionality. I see that Powershell Core is available for macs, so I tried running my script with pwsh and got this error: pre:Invoke-WebRequest : The format of value 'text/xml; charset=utf-8' is invalid. At C:\test.ps1:9 char:13 + $response = Invoke-WebRequest ` + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], FormatException + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand code:If I changed $contentType to just "text/xml" it works fine as well. Am I being paranoid about the lack of charset information? How should I be formatting the $contentType value if I were to keep the charset?
|
|
#
?
May 10, 2018 16:31
|
|
|
Nth Doctor posted:I have what I hope is a silly question about Powershell vs. Powershell Core. Try: $contentType = "text/xml; charset=utf-8;"
|
|
#
?
May 10, 2018 17:33
|
|
|
Toshimo posted:Try: Good thought and something I didn't try earlier, but no dice: pre:pwsh ./test.ps1 Invoke-WebRequest : The format of value 'text/xml; charset=utf-8;' is invalid. At C:\test.ps1:9 char:13 + $response = Invoke-WebRequest ` + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], FormatException + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
|
|
#
?
May 10, 2018 17:38
|
|
|
Nth Doctor posted:Good thought and something I didn't try earlier, but no dice: [-SkipHeaderValidation] -SkipHeaderValidation Indicates the cmdlet should add headers to the request without validation. This switch should be used for sites that require header values that do not conform to standards. Specifying this switch disables validation to allow the value to be passed unchecked. When specified, all headers are added without validation. This will disable validation for values passed to both the -Headers and -UserAgent parameters.
|
|
#
?
May 10, 2018 17:43
|
|
|
Powershell is just wrong here. "content-type: application/json;charset=UTF-8" is a correct content-type header value.
|
|
#
?
May 10, 2018 17:46
|
|
|
Toshimo posted:[-SkipHeaderValidation] That one doesn't appear to work, either.
|
|
#
?
May 10, 2018 17:47
|
|
|
Can you use Set-Content -Encoding UTF8 later on? Could you put content-type: application/json;charset=UTF-8 in the $headers array instead of using the -ContentType parameter?
|
|
#
?
May 10, 2018 17:55
|
|
|
On the second thought, wait a minute. A JSON needs to have the charset specified because JSON is an idiotic format. An XML specifies its own encoding via the declaration:code:
|
|
#
?
May 10, 2018 18:04
|
|
|
At this point it's just a nagging papercut of a problem for me since I can safely remove the charset and my testing script works fine. Changing the content type to application/json; charset... Gives me the same error. Mobile or I'd include by current snippet. The code I posted in my OP should be runnable by anyone, should you want to experiment. I switched it to httpbin.org for that purpose.
|
|
#
?
May 10, 2018 19:30
|
|
|
When I run it inside of pwsh on Ubuntu, I get a similar but different error:code:
|
|
#
?
May 10, 2018 20:07
|
|
|
anthonypants posted:When I run it inside of pwsh on Ubuntu, I get a similar but different error: Yes, I installed that today and saw a similar error but did not try the skipheader on the preview
|
|
#
?
May 10, 2018 21:17
|
|
|
Nth Doctor posted:I have what I hope is a silly question about Powershell vs. Powershell Core. This might actually be something going on with .NET variations according to this: https://github.com/PowerShell/PowerShell/issues/1919
|
|
#
?
May 10, 2018 23:41
|
|
|
Nth Doctor posted:I have what I hope is a silly question about Powershell vs. Powershell Core. This is probably because the MediaTypeHeaderValue class has separate properties for media type and character set. The ContentType parameter is less a traditional Content-Type header represented as a string and more refers specifically to the individual media type property. The constructor for the class specifies that it can be passed a string consisting of only the media type without character set.
|
|
#
?
May 11, 2018 04:15
|
|
|
I just learned that I could work with csv data with powershell. I've been doing it via Google Apps Script but it's slow and has execute time limit. I'm looking to match one csv file to another based on the ItemCode and then populate sales data if they match. My main csv looks like this: code:code:code:Revalis Enai fucked around with this message at 22:39 on May 15, 2018 |
|
#
?
May 15, 2018 19:50
|
|
|
If you're language agnostic about it, Python + Pandas may be a better choice. If you still want to use powershell, check out this blog post: http://ramblingcookiemonster.github.io/Join-Object/
|
|
#
?
May 15, 2018 19:59
|
|
|
Revalis Enai posted:I just learned that I could work with csv data with powershell. I've been doing it via Google Apps Script but it's slow and has execute time limit.
|
|
#
?
May 15, 2018 21:45
|
|
|
mystes posted:You really have the headers comma separated but the other rows tab or space separated? Sorry, they are all comma separated, I decided to space out the data to make it easier on the eyes but forgot about the headers. quote:If you're language agnostic about it, Python + Pandas may be a better choice. Thanks for the info, I did mess around with some SQL so I'm a bit familiar with joins, going to see if I can figure it out. Revalis Enai fucked around with this message at 22:38 on May 15, 2018 |
|
#
?
May 15, 2018 22:20
|
|
|
I guess do something like this (changing it based on how your files are named):code:mystes fucked around with this message at 22:57 on May 15, 2018 |
|
#
?
May 15, 2018 22:53
|
|
|
The Join-Object function worked really well. I've been messing around with SQL so this helped me better understand how joins work, and with a few adjustments I was able to get the result I was looking for. Much appreciate the help. I'm also going to explore Python since it seem to be able to do what I'm doing in Powershell and more.
|
|
#
?
May 17, 2018 19:42
|
|
|
Sorry this is a fairly basic question but for the life of me I cannot find a good example of how to update individual access rules for an ACL. I'm trying to set up a user with specific read/write/delete access for files only (essentially just removing "Create Folders / append data" and "Delete" from the Advanced permissions area. Making ruleset for basic permissions is simple enough, but what is the command to modify the FileSystemRights for the special permissions?
|
|
#
?
May 17, 2018 21:52
|
|
|
PierreTheMime posted:Sorry this is a fairly basic question but for the life of me I cannot find a good example of how to update individual access rules for an ACL. I'm trying to set up a user with specific read/write/delete access for files only (essentially just removing "Create Folders / append data" and "Delete" from the Advanced permissions area. Making ruleset for basic permissions is simple enough, but what is the command to modify the FileSystemRights for the special permissions? I'm not quite sure what you're asking, but let's assume you are defining the ACL similar to this code:Then you just need to define a FileSystemRights object with the permissions you want to give. Check the MSDN below for what is available. You may need to do this multiple time if you're granting multiple advanced permissions -- I haven't done that myself. See: FileSystemAccessRule https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx or FileSystemRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights(v=vs.110).aspx
|
|
#
?
May 17, 2018 22:41
|
|
|
I'm not sure where they got the chart for on this site, but the special permissions can be applied as literal keywords in Powershell which is far easier than the method I'd found a while back and could no longer hunt down.code:
|
|
#
?
May 18, 2018 14:39
|
|
|
PSA: Be aware of typing.
|
|
#
?
May 18, 2018 23:21
|
|
|
Using floating point for money?
|
|
#
?
May 18, 2018 23:42
|
|
|
Methanar posted:Using floating point for money?
|
|
#
?
May 18, 2018 23:55
|
|
|
Noted and fixed. In this script the floats(now decimals) are just used in a couple conditions. The actual data is all strings coming from one csv to another.
|
|
#
?
May 19, 2018 00:24
|
|
|
The Fool posted:PSA: Be aware of typing. Well yeah, it's a dynamically typed language... Also I hope you're not doing serious financial poo poo in PS...
|
|
#
?
May 20, 2018 10:22
|
|
|
I'm literally just merging two CSV's, the conditions in my screenshot are from the VSCode debugger and are watching some code that I wrote to do some sanity checks. (making sure the files selected have the expected data, follows the spec from the vendor, the data isn't obviously bad, etc) Maybe I'll think twice about posting some quirk that amuses me next time.
|
|
#
?
May 21, 2018 19:16
|
|
|
Hypothetical question: let's say a company has been blocking the use of Powershell for years, and their security team has made it their directive to keep blocking Powershell for security reasons. If someone were to argue against this blanket block, how would they argue against it? As in, what's the size of the security hole being punched in Windows endpoints by allowing users/unknown entities to run cmdlets?
|
|
#
?
May 21, 2018 21:02
|
|
|
Dirt Road Junglist posted:Hypothetical question: let's say a company has been blocking the use of Powershell for years, and their security team has made it their directive to keep blocking Powershell for security reasons. Powershell only allows you to do things you already have rights to do. Also, it essentially encapsulates .Net so to really block things you'd have to block .Net. Which of course you would never do because it's pretty much essential. Also, Powershell is becoming more and more necessary from an administrative standpoint so not using it hamstrings your ability to effectively manage things. For example, there are settings in Exchange that are only accessible via Powershell. Also, do they block VBscript, Batch/CMD, Windows Scripting Host? If not, they're only making life more difficult rather than more secure.
|
|
#
?
May 21, 2018 21:17
|
|
|
Dirt Road Junglist posted:Hypothetical question: let's say a company has been blocking the use of Powershell for years, and their security team has made it their directive to keep blocking Powershell for security reasons. If it's pointless they might as well let people who know what they're doing use powershell. And there are other ways to run powershell. Unless they are preventing use of vbscript, csc.exe, etc. and using a software restriction policy to only allow whitelisted programs, it's pretty pointless. mystes fucked around with this message at 21:29 on May 21, 2018 |
|
#
?
May 21, 2018 21:24
|
|
|
|
| # ? May 15, 2024 10:27 |
|
|
Zaepho posted:Powershell only allows you to do things you already have rights to do. Also, it essentially encapsulates .Net so to really block things you'd have to block .Net. Which of course you would never do because it's pretty much essential. This. If PowerShell lets someone do a thing they should not have permissions to do, it's not PowerShell that's at fault. The permissions on the affected thing were set up were wrong to begin with. (Also, fun fact: A base installation of the .NET framework includes a full functioning C# compiler, C:\Windows\Microsoft.NET\Framework\version\csc.exe. Anyone who can create files and run arbitrary programs can use that to compile their own code and do anything PS could be used for.)
|
|
#
?
May 21, 2018 21:30
|
|
