Skip to content

Instantly share code, notes, and snippets.

@watson0x90

watson0x90/WindowsSecurityEventHTTPQuery.ps1

Last active March 7, 2016 15:30
Show Gist options
  • Save watson0x90/f04aba16c41f028dcff5 to your computer and use it in GitHub Desktop.
Save watson0x90/f04aba16c41f028dcff5 to your computer and use it in GitHub Desktop.
Download ZIP
Query Windows Security Event Log via PowerShell HTTP Server
Raw
WindowsSecurityEventHTTPQuery.ps1
#requires -Version 2
$header = @"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html><head><title>Windows Event Logs</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style type="text/css">
<!-
/* Begin Tab Def */
.tabs {
width: 100%;
overflow: auto
}
.tabs li.tab {
float: none;
display: inline;
}
.tabs input[type="radio"] {
display: none;
}
.tabs .tab>label {
padding: 8px 1em;
border-radius: 5px 5px 0 0;
border: 1px solid #ddd;
border-bottom: none;
cursor: pointer;
z-index: 3;
background-color: #eee;
}
.tabs .tab-content {
z-index: 2;
display: none;
float: left;
padding: 1em;
left: 0;
border: 1px solid #ddd;
margin-top: 10px;
width: 95%;
}
.tabs [id^="tab"]:checked + label {
background-color: #fff;
border-bottom: 3px solid #fff;
}
.tabs [id^="tab"]:checked ~ [id^="tab-content"] {
display: block;
}
/* End Tab Def */
iframe {
border: 0;
width: 100%;
height: 100%;
}
body {
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
}
#report { width: 835px; }
table{
border-collapse: collapse;
border: none;
font: 10pt Verdana, Geneva, Arial, Helvetica, sans-serif;
color: black;
margin-bottom: 10px;
border: 1px solid black;
}
table td{
font-size: 12px;
padding-left: 3px;
padding-right: 5px;
text-align: left;
border: 1px solid;
border-color: #3C3C3C;
}
table th {
font-size: 12px;
font-weight: bold;
padding-left: 0px;
padding-right: 20px;
text-align: left;
border: 1px solid;
border-color: #3C3C3C;
background-color: #4CAF50;
color: white;
}
h2{ clear: both; font-size: 130%;color:#354B5E; }
h3{
clear: both;
font-size: 75%;
margin-left: 20px;
margin-top: 30px;
color:#475F77;
}
p{ margin-left: 20px; font-size: 12px; }
table.list{ float: left; }
table.list td:nth-child(1){
font-weight: bold;
border-right: 1px grey solid;
text-align: right;
}
ul.menu {
list-style-type: none;
margin: 0;
padding: 0;
overflow: hidden;
background-color: #333;
}
li.menu {
float: left;
}
li.menu a.menu {
display: block;
color: white;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
li.menu a:hover:not(.active).menu {
background-color: #111;
}
#active {
background-color: #4CAF50;
}
#stop {
background-color: #f44336;
}
.warning {
border: 1px solid;
margin: 10px 0px;
padding:15px 10px 15px 50px;
background-repeat: no-repeat;
background-position: 10px center;
color: #9F6000;
background-size: 35px 35px;
background-color: #FEEFB3;
background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAAAXNSR0IArs4c6QAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9gLFRMUO6NrgQYAAAAGYktHRAD/AP8A/6C9p5MAAB9DSURBVHja7V0HWFRX2rYmRmOJYkAsKNhLrJtN4v7upmz845pNUXdjNpqwm02xxLIRxdh7RYkiFprEgrqJHQvSQZHey9C7nSJI9+z57j3ncu8wzMwtg4Bzn+d98EGYuXPf97zfd77znUObNsbLeBkv42W8jJfxMl7Gy3g9B1dbHTBerYTkdhjtMTpgdMR4AeNFjE4YLzWCTuRnXiC/04G8RjujOFoG2R0JgZ0xuroddR/j6+c3PTYu3jYhMWl7XHzCjsys7CCCYDUw34efgZ+F34HfhdeA1yKv+SJ5D6MomgHplHAYtS+7uLq9Fh4ROT81Lf1kRmZWcEHhHaQk4DXhteE94L3gPcl7U0EYxdCEpHdeYWs7IPjmrS9UqWknc3LzcpQmXBfgPeG94R5WrLAdQBzCKAYDXO1ILIbR1j0o+OactPQMT3GEFRLgfxfc4X0tFP5cQSHKJ9+Hr/nq/89DPvOz9cDu4BkYFDwH7pHcawdy78ZLBvHMaD/i5Dw2Lj5+R15+QbGskQtkcWKoJ7uAIZuQWlioRi77/QLev7UhNy+/GOcPOw4fcRrLcwWjECQQ3+WA48FxKapUD6mEF+amogcJ51FRuAMqDbRlUHX+HVR5/m3mK/vvd7jvAZifC7BFRWEO6H78OVSQk1pPcD4lugDlcd8r4P4/Lx9QwCEpOcXD4cCBcfBZjELQL8bLIh7IBgIrPD9GtR5DEXLtLA4uLJ46EzgBuqBatz7oycWPUYmfLboXd76ecE4UBawo1ASgRQjGHEFDcvfSwoULB4khHkY4jG4gXDTZ2ojnkf/0CIu6wwSHWJSf+wQ9CnFA+VmqRokH5OZR5KPEpGSP+QsWDCI1B2OySCwR5tY9IiIjV+sb4xUhnUe8plHfgHge+XUHX2ZQ68ii7OzH6CEWQy4lnSCPEM9Hdk5ucWhY+Gr4zOSzt3teRz1kyV1OnTr9dlZ2Trwu0u9mRDD2XnfMTD7xrrqJ1zTq6w52ERBfe4DAgUX1YXNU5L0S5WemYCHkEwEQQfBEkJObj9LSM+NPnPB4m4SFDs+TG7QlpdbuYeERq/EDKdFF/JPrc5UhXaLdNyBeA/k1+7uy2Mei9PxcVKAKIwLgk5/HISs7uyTkduhqMnV84XkQAdhdp+/nzbNUpaZd1RXfy3wXKE68XLtvlHge+TU/s6i274oeea1EeZnJag6QJwDODa5+9913lqR+0K61jnpIerocP37inZyc3Fxt5JeEbFXO6iXbvXbiNY16SnyNPUt+9d5uDCr390UPgnCOgK2fAQkDQH52Dov0jMxct6Pu75KQ0KoSRBrvu3rd8LbWZvn3Vb6o+r+TWpzdNyDevhtHfvUeArtu6PEv76H8lDDe6GeSQg4ZmVklfv4Bi/Cz6tZa8gI6t+/uHxC4RNuoL8ajvqXbPX/U84mvAuxmUWnfDz3w3iYIAXwRALy9fZaQvKBF1wxosvdKZGSUXeOxXsVU4lqL3XPE7yHEc+R3R1W7CHZ2RyUnP0W5GUkCEWRlU+QgnBzawbNrqckhJb8nTnBOa1pIgfr7fZWPtIpdC7B7/qjnE18J2MGi3GEkKoj1JnlALhFBDoeY2LjT8Axbmgio7ffEH8BZQDxvRQ6KOXW/mLVqu+eI30WI55FfuZ1FhV1/dOemuyAE8EWAp8rORAQtIhzQhK+Ht4/Pjw2XZNkVOSC/ye3+tCmq+80cPb1uxaHumhquWqHaE2ao1rmnonavifjK7T1QxTaCrT3QXT8HlMUJIBdlZuUQZKMrV6/9SCqHzV4EQH43P3//pQ1GPllqVYR8Pez+6VlMtu9Q9DRqAkJP0iXh6e2xqPbCIFTj2rtRu6/S0+4F5POIZ7CFxV3f/YI8AMinuH7daylvdtAsL5i7vnzw0OGp/Kkejff5pIZvULs/Y4qeBo5AT5PekEx6o2KI/R2q9RyMqg/1kmz3jREPeLIZ8Aq6g0WQrUEEGZnZ6Od9+/+/DduK1r45Vvg6//3vn41Qn+fTZgqlyNdI/MX+ska6WNT5jkTVjr0k272A/M2E/E2vsNiIReBT7wQZhHxAalpGyYwZM0eSRpN2zSnuw6qWaWpaWoi69ecXyBz52uweRnwTEq+OWp+RqOqAiSS7b0A8IZ/BBioC7ACMC2RBkYhBXHxCCH7WZuSZN4t8gMn4b4eG2TfsmbuD7qX4SMv2tdm9azf09NboZ0a8IDTgcFPzm6Uku9dEfDlg/SuobKsFyo30IgLI5gQACAgMsufNDJ553O+KY9M0IfmsAApzVNJq+rrivAFivOywcGscqrTrqYfdayB+IyGekF++vicqX9cTlW2xQFmqBGY2ACEgPSOLw+7ddtPasPsV2j9L63/ps89mj8BWladOPgB67OTbfZd68r2smh3xAjdIfANVOpqJtnt14hmsxQLAKHJ8n5cIAvmZDJJTUvJmzZo1gnQXtX1W1m9y81bIPvVWaeiVg+YNJYs5kN03Z/L5Iqg+MVCU3QuIX8cSz2ANi7tnV5JEkDoAKwJfX799wMGzCAWQgb68zMZmiqYe+XvJPooVc6CI01LI5wNEIMbu+aOeEl+2GtCLQU6EFzcbSEvP5LB4ydIpZGrYrqmz/j4pqtRQ9ZbpvIIC/ZZ0ddl9Cyafour4QFF2zxG/pp74slW90GOMIru3uCQQXIAVQAaKjokNBS6aclYASUd3FxfXL4Qjn+2Ph556pWr3LZl8iop9ZqLsnhv1hPjHPxGs7IXu/LoSpYMAMjM5AQAcDx76giwft2+q0d83KTkljC8AaI0uTAuTbfccLvRv8eTTnKB8ay9Rdv9YA/mA0rUDUVbsLUYAkAOkpmUwiIyKCQNOmsIFmNHv5OQ8p8G2KCyA8mtzZNk9t1p33KRZTvUkF4yCx4mye3XiH9sCTFDpChN0z8WamwrC6KcicDjgOMfQLiAY/XQzBN0ZA9uoZC3V8tbon2V1z2D5gIeVKLvnk19KyGew3ATlBP/KOAArgHQGkZFRBncBbvTzd77kEyE0mPNLXKOHZdrWRj4XCnaY6m33moineLh3KkrLoGEgHalSWTg4GM4FaIePeXh4xAX17U+C0S/W7nmdOXVO3VqV9TeYGl4dJcruG5BvY4JKAMtMUFbodS4EUAEEBgVfAI4M0UEEc8yuPyxa9Lam/W9M7Jdo9/zOnLqAEa2WfIrybWai7F6d+JJlvVHJj73RXSdrVgDpVABpDL6fN+9tUiJup3TV79UrV6/uUCefyfyVaMk60q3Vk8+4wJXRouy+nvzeHPkM/tMbZUbfRGlpGSQMsAI4e+7cDuBKyepgW1JvtsQxJz+Xv+ERC6DEf4Uku1dvxISWrOdBAICyLWai7F6deEDx0t6owGMlEwLSsABSVGkMYuMS8oErJdcIIKHosX7DxhmCna5k63PNiSGS7F69EfNp3O+eGwFUHhssyu755BcT8gEP14zlZgEQBqgIVq1aPYP0ECqSDEJC0eeGt8+hegGw5N9J9lakA7fWvfdzQz5TF7g9UbTd84kvXvIqh8yQqyQRBPJTGVy67HmIlIdfUMr+rfDcX1U/+tmtz6U35ivSd193Y+hzJQDA401mouy+AfmLX0VFGAWuPyAV5wCsACIio1TAmRJhADLJblOmTHmrfkNjfRioOTZUkt2rb7h4GjnhuRPAEydLUXavTnzRIhYPVo3lZgFg/8kpqQwmT/7DW6SLWNZsAFqQezs7uy6lu1kBsMP1TpK3xA0XarttHLs/d+Qzs4HLo0XbvTr5RT+wSI8MQiqVUAAHDjhCG3lvuW3kUFbs5+cf4MGRD06A8ShoiyLbrGqhZew5FEBtyETRdq9OfNFCUwa5Z7ZwOQCO1AyuXr3mAdwRDiXHf2g/HpKQmKTiCwAcoPzcR5LsXrDTBqPOc/BzKQCAWLvniP+BJf4RYIEpKtwzi8T/NJSUrGIQFh4JecAQwmFbyfEf4zX1Ey2Y+O/SR7zda9hmVduCBAD1/Nqg8ag2kIXc1ytd10e03fOJZzDfFN23HccKILVeAADgTk4eAHPIXitsbWfzT7KAXCBfFarYrtq622PldeOGT0A1V4ajmvNDUO2NkehpjPL1hNrQiajisIXGEm6FiyWqi3pdWkFo9wDRds8RT8hnMM8UqeKi2RCQnEoEkIKW/ufH2cCh1HoAlBLNHB0P2tTvXGUd4G70WUl2r2lXbV2INAEA2ZU/99bYd195pC+qvTlOoQWc0bpr92teRdWe4vcpPN5lIdru1Yl/CPjeDKX7nOFyACAfsHevvQ3ZRNJRagLY39PzijMVABMCsAiKvFdIsntN26mlCKD65MB64rX03ddcH2UY8hup4okVweOdFqLtXhP5gJyjK9kZAB79iUkpDH797SxsLe8vJRHk6v+BQcFX+ALIxii5Ok/2IQp0V61YAQjI17K/jkKqCOqiXxe9VFu66lVR4QAEIMXu+cQ//I5F3qGFjACSeAK4dv3GFanrAm3JaVXDIqOio+lGRSYPyM1F5afekWT3mnbV1oXob9W1/mPEb7PaaoLJFJ8XVLhaSlqqfXJE/0WtxzssJNk9n/iH37Io3PQBmQKmEgEko6DgW9HAIeGyrej1f4zR4RFRMfS0iuxcVgBlHu9KsnvBdmqyq1aMACoPmEnaZgXtWKLjs9Sl2pWm4gQgwe755D8AfIMFsPEDUgRSMeQDAgKDY4BDKf0B7Uhr0bjUtPTHnABIKJBq95oOUai5OES/KRjO7nXZfWMbLp7sNBWXYOIpnn5Ltb01FnPqIvULA8XL+kiyezrqgXgWfdD9BUMY+4ccICExmUF0TNxj4JBw2U7sFBBOqJrEP6+GOb4EBCDR7jUdogA7a/WKyTirl7PNSqwA5CzV1vjrVyOQavcP+OT/uw+Lr/tw2T8VAAA4JFy2FysA2H78e/aUChbsGTY5ku1e0yEKVS7m+pECAtBKvPa+e0nLtRKXap8m6O5rrPabINnu1YkH3P+XugCSGACHhEvRAoACwpv0oCIAPcFKqt1rPD3Drqf+ApCxv050lW71q3rZvXrtvmSNfoKuODNKst1rIh+QmMxm/5T8+ARGAG9KKQZ1ILtO3+QfVMTMBrADKHVEGj1EAap5ei2hbuslaZsVVPGkLNdKWaqtODFcvwTQzlKW3fOJv/9PFkz2j0UAxFMQAZiIXRWkAnhLKAA2F5Bq942dnlHjqd9Dqzo2UC+7V++7h4KO6Lo/tvGSn0xFLdUW25jpZf9M/F/aR5bdC8k3R/etzRn71yCAt+QI4M1M3iFFWVlEAFLtvpHTM2B6p/fmii0movbXPdknfY9htddYvZdqgfzaW5P0E/LVsbLtno56IB5w7ytzrgBUL4BEyQ7A5QCUfNiWnEkFYIAj0ur0XMSpC52Iyjeb6LXNqny3ud4jsjHUBIxHJbamWhdtSlaZ600+Y//7h8i2e0o8JZ8KIIERQCKKi2chNQfgZgERkdGZdF86IwCMMufXJdt9Y7X7qtP6F2sYEahvs1LbaQMjXy75/HBQcXI4k+DxyS/d2A9VHB8u6n3q4t9QxO75xN/70hwV2EzB5CczAqDkBwbdzJQzC2DqACG3Q+M4AWSzuUCp+3uKn433ZHsvxuLFLtZAgle2oTdDftlWM6aEq8RavVYSI1+X3gvoPkKi3WsgnpAPyF81jZv7UwH4+PrHSa0DcJXA26FhsXQ7MoQCEEDJiU9kn4ipaU5ffbZ1dwfD6H+0yFwRu6fE35sL6IvyNv2NIR9iPxWAr19ArNRKILcW4HHq9El6MBEbBrLR/csrZNl9o8WcrSaiXaBFdQIfHaGI3fOJvzuHRebhlTwBJDBwO+p+UupaALca6Op29DA9lSoDCyETu8Adv33y7F5LMUfKwo3c+N4kTaARrytm9+rk3/2iL0rzsEcJZPTHxiUwOHjw8GGpq4FcP4DN8uU2VADUBXKjrit2IqamYk5t0LimsWQcy0vW9mkSERRvHKSY3fOJZ/CPvijF9xIWQLJAAIuXLLWRs0+Q6QgaOXLUp/xjyWhCKNvutRRzyrebNkkooC1Z0JhhUOv3GK2o3auTD4iH0i9GHCEfMHz4iE+ldgRxPYEYf8LzyzJ6KhWTDGIUu7wn2+61FXMq3SwNSkrVpTGCOX3lf0ca5H1qgicpbvd84u983hfl2v6FEwBLfjxsDysD7uT0BNJi0O99fP1C6ZFkNBQ8+HW+InavrZhTdWaYweJ+8XIzQTFHTCVPTNx/uKCv4nZfT34/Bpl7fuCKPzGx8QwuXb4SSmoAkruCuX0Bh484udDjSMAJwAXyA10VsXuthyVhwIEKiu/P/3mQxkbM0g39FZ3yFf1kYRC7h1HPkD+bheqsM4pLYEc/FcC+fQ4ucvcFcDuD5s79chE9joyGAXABpexe12FJUlquGy0eXR+rtRGz3FmZWkTJdiuD2D0d9ZR8AIz8eJL8UQHM/vwfi+TuDOL2BmK8j+eY5ankOBLmiDKMR26fKGb3mvvuTbjOHCVEwFg/tnpdjZjVvvJ3KxevH2QQu+cTD8he93eu8EPJDwuPLAfO5O4N5HYHw5Lipcue/vQ0CiYfwAIo8PpZUbvX1ohZvle+PZfZD9Kr777Yti9j4bIFYAC7V0fqCXve6I+DPkB05r+/+pNlYNm7g7k8YLed3X56HBnNBTKSYhW3+8Y6cOUKoPra2Mb77jW0ZJXuljcLKV5naRC7V0d8RBg3+oF8wJYt2/bLjf8NTggZNmzYZ1QAgDSSEzx0+VRxu9fUiFm2Z4C8jBxn+DV+EzhAT16dAQtAxWstFbd7dWRt/SdX+KHkA4YMGfqZUieEcGcEYfzx/IVLgfQ4MiYc4FCQ5+equN1zO214LVml6/u0qLp/ERaA0navjmTPk0QA9aP/1OkzgcCVUmcEcaeEwarSqtWrd1IBwF70VHJWbenOUYrafWONmC1OAArbPR/5301EsfFQ9MH2zxv9NstX7CQrgIqdEsatC2BMj4yMvk+PI2PzgXSUd+1nRe2+sUbMFnUWoPNIRe2+YfK3lyWfxP6o6FgUFHzzPnCk9DmB3EmhkFnu2+dwrF4AacwJVWmJMah0o4Vidt9YI2bLEsAoRe1effTTmj8lH7Brl90xkv0relIovz9gxODBQ+bGxSeU0yPJqAgKf12hqN037MBtYQJwGqWY3atDxYx+tuhDyb8dGl5uZWU1FzgyxFnB3GnhsMDg5Oxyjp5GxYoAu0BCNCreOloxu9fUft3iBKCQ3TeI/WTBhz/6HQ44niOLPwY5LZz7ewHQYWJlNfgrfAPl9SJgw0HuFXvF7F69AxfQogRwZJQidt/o6I8Rjn5LS8uvSPePwf5qCPcXQzDePuLkfJ5uR2ZcAESA8cD+z4rYvab265YmACXsno+c5dNQLLZ99dG/38HxPHDSFH83iOcCVtasC7AnUlEnyAjxVMTuNa3W6erGrbk5ianjU+hsCLEfgoo3DGJQdlD70nOV9wTBtA6SPK2vzQhAGeIpErwvMgKIjo0TjP5BlpbWhh79Gl1gz177k/xjyZjZARZC/qkVsu2eI55Xu4cKntYVuC0DBbttdAmAv1oHtXutArgxQTCtgxivVQCHRylKftoBW0y+MPEDbN+x82RTjX51FxiFMSsw6GYuPZYsCY4ogdkBFsHD7W/KsntNizbVugSweaBgw4UuAfCXaqF2r10AEwVzel0CqPKaqBj5eYv/SFb6hNO+G96+ucAB4aJJ/m6g4C+HYvzh66//vY3uS4etSXBCRQoWQvotT1T00yDJdq9pqVYvAfA2XOgUAG+pVh8B8Kd1TSWAQuvhKOHGBRSjNucHfPWV9TbgoKn/cij3t4NJw8F0d/dfvOnGRACbE6hQ9kV7yXavaalWV1wv2TRQ0HevWwD1S7VQutX18/w5fem+EU0iANWJPYJqHwWeinuTqt+Qpv7bwfzqIOw6nYDxj4DAoDxOBMlEBMmpqPDQl5LsXtNSrV4C4LVe67NiR1frHi4fqFsAvGndo5VWBhdAht1CrskjOrpeAF43fPLgmZNn/0z+ejh/jQC6TqZ89NHH6/DNPaEnVFEnANzb9b4iJ2LqEkDZoWGCDlxdTR3qK3a6BMCf1j3UIYCKi+NlkZ+99m/15PNGf8jtsCfTP/zrOnjm5Nm/1JTWrykh7EpsaNqaNWvd+QcUceEgNhLd3zRZlN1T4h/x9tHrEkC520hBB261t/afL1pjKVit0y2AeoIe2lo1OvKL1g+RnfTFht1mij38kQ+wXfmTOzxr8sy7NlXipysU9CQdKLM8Tp0JEYqAFQKI4N7GyZKPQoXMvsimH6o8N0anAGh2r5cAeFM7nQKYrVkAdXFvojL3Meje9xaybT938RQUA+ST9i4++ceOnwghWf9r5Jl3bNMMLjorgA0Ir2PM9Q8IzOMfVAQiSAIRxGARbJgs60RMiPGPlvVDFWdfa2Dx5a4jBY2YOgWw2kqwWidGAA+WDEJPTo+VPdqF5MPID0HRGpK+S5c8U/GznUOesWlTZ/36zAo6k21IUywsLBb6+Qfk88+qSaB5ARbB3fWTddq9PocowKYLqOZVeY6rFwCvEVOXAB5RAXwhXgBKI48b+Q3J97rhnT9gwIAF+Nn+H3nGnZ9F1q9PPvAyaUZ4t/+AAUtu3rr9SCCCRNYNEmMi0N21k2Wfjce3+wfz+qKHSwYIGjGrdAlglZVgxU7QQxj2eyaeQ0UPRvld6/4GIx9sP7YR2w8ICHrUv3//xfBMMQaRZ9y+TTO9OpBOVEhQpk6f/uGmiMjoJ/wzaxJISID8IH/fVwY5LImb2tkMZOL8Y4fhTO0eijd83J9vIVitg8weYMiRro7MrdaCli4++ZDxT5v2l03wLMkz7Sa3zbsp8oGOpB9tOMZf8LU1PCLqCRUAs4uFhAQQQebJTQY5M8dQjZhKItV5I5Ppx6gRT8n/4INpW+EZkmfZg5Dftk0zv9ryZgYjoVrVr18/G28fvwKhCBK5mUKK/2V0b9k4ve1eP+L1bMR8BsRDU0eC1wV25Mc2JP+6142CvviZkUrfSF7G3+zJV+8g6klalD7AcWypj69/Pj2+BJoaGDFgIcC25oSocJTjuECy3RuyA1dJpNstQDGhIRotnyXfO79fv/7wN/8+IM+up6E6fJpKBHBC1VCMP+NMdtEvx46Hx/IOMaBCoFNG1TUPdHfp+FZn9zDqEy+eEGzgUCf/qPsv4fg5fQvPijyzV1oq+erhAJYqB5N1639u3LT5glAE8eRgo0RuxpDptALdmzekxdt9gfUwlOawoj7Ri25IPGD9ho0X8LOxJn19VuSZdWzJ5PNFQGcHA0nb8ufvT526Oyj45iNa76aAdmcmLECOEBmGcnZZt1i7z9xizdl9FIOGxPvjad7770/djZ/JbPJsLEiJt0NrIJ8vgvbktKq+ZBXrY5wcLnN3PxahLgJ+aICdr4k3fVHWvoXo7jdDm73dw4iHOB8X4I2Jj+WgadS7HXWPgGcAz4I8E3PyjNq3JvLVK4adyLZlSHDeg5Dw7bffHQ0IDC5iBVAfI+vFkIhiIWGMCEPpRzehwoUTmh3xEONVMK3jJXia4jw76gOLvvnm26Pw2ckzGEGeSafmWOEzVHLYnYSENzBmwlRx1247b/7DEwgBQI9Aw/lCovdFlLl3ISqYN+GZ2T2QDqM93us8G9uZ+41tlHjAzp27vfv2ZaZ4M8lnH0iexQutddRrywu6kEWk0WQkzB0/YcJmNzf3SHURwMOjYuCHCQB0y6Y72qKcFdMMTjq0ZsNIB9Kjonn3xyR4sY0S7+p2NHL8+Amb4TOSzzqafPYurS3eiw0JL5IqFyQ/E0nl61/jx4/fioUQ1dgDZcVAwwQL1imwO9y4gNKcN6GMPQsZwmCkShnd8LswwlOO7WFHOY9sCm2jnRAfNQ5/FvhM5LNNJJ+1B/ns7do85xdNEKGzpReZAsGS54fw0PDD2wKj51ZIaIU2MTCCoA4RJ0wq2RU29ivMxRMvnkRJl/DXS/gr/jd8L+nSSeb70bENQ5AA0doJB8C9wj3DvRPiPySfyYp8xpdac6Int2bQhSREVAhQDrU2NzdftWbtustXr3nd0UUAXxT8PIJLMPmJJkE076uuJK4xwL3BPcK9kjn9dB7xvcln62gkXndYUBfCJLIi9jnGgnffe8/ewcHxlr5iMCTgHuBe4J7g3sg9TiX3rE58OyO94oXQmdgmxM0xbdhmyI8wvsRYOG7c+G1Llv7nNxcXt2g//8BiQxMO7wHvBe8J7w33QO7lI3JvY8i99iL3biReASF0IHPk7iRzhpE1jjxwSKzgUKR/YywGUmbMnOm8fcdOXyDq7LkLWdryB21xHH4XXgNeC16TEL6YvNdn5L2nkHuxIvfWndxrByPxhkkWqStAFm1K5tGwZPo7UkefRubY0D/3NcZ8jCUYMPdeOWvW3w7PnDnLacbMWc5AKotZzvA9+D/4GfKzS8jvfk1eayZ57T+R9xpJ3tuU3Asd7cbkronFAKPtZbJsakbsdyix4kmkvv4nssIGBP4V4xMMOEp9BsGn5Ht/JT/zZ/I7b5HXGENe04K8R0/ynp2MpDcPMbTjCeJFMhphQQWWU00IabAGMaAN21dnRVYn+bAi/zeA/KwZ+d1XyGt1Jq9NCW9nJL1liKIDIe0FQmAnMg/XhE7kZ14gv9PBSHbrFIc2GC/jZbyMl/EyXsbLeLX6638BRJsGC/4ATwAAAABJRU5ErkJggg==');
}
.button {
background-color: #4CAF50; /* Green */
border: none;
color: white;
padding: 10px 13px;
text-align: center;
text-decoration: none;
display: inline-block;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
}
.button1 {background-color: #4CAF50;} /* Green */
.button1 {border-radius: 2px;}
.button2 {background-color: #008CBA;} /* Blue */
.button2 {border-radius: 2px;}
.button3 {background-color: #f44336;} /* Red */
.button3 {border-radius: 2px;}
.button4 {background-color: #e7e7e7; color: black;} /* Gray */
.button4 {border-radius: 2px;}
.button5 {background-color: #555555;} /* Black */
.button5 {border-radius: 2px;}
table.list td:nth-child(2){ padding-left: 7px; }
table tr:nth-child(even) td:nth-child(even){ background: #BBBBBB; }
table tr:nth-child(odd) td:nth-child(odd){ background: #F2F2F2; }
table tr:nth-child(even) td:nth-child(odd){ background: #DDDDDD; }
table tr:nth-child(odd) td:nth-child(even){ background: #E5E5E5; }
div.column { width: 320px; float: left; }
div.first{ padding-right: 20px; border-right: 1px grey solid; }
div.second{ margin-left: 30px; }
table{ margin-left: 20px; }
->
</style>
</head>
"@
$secEventIDExpln = @"
<h2>Security Events</h2>
<table>
<tr>
<th>EventID</th>
<th>Event log</th>
<th>Description</th>
</tr>
<tr>
<td>4740</td>
<td>Security</td>
<td>Account Lockouts</td>
</tr>
<tr>
<td>4728,4732,4756</td>
<td>Security</td>
<td>User Added to Privileged Group</td>
</tr>
<tr>
<td>4735</td>
<td>Security</td>
<td>Security-Enabled group Modification</td>
</tr>
<tr>
<td>4624</td>
<td>Security</td>
<td>Successful User Account Login</td>
</tr>
<tr>
<td>4625</td>
<td>Security</td>
<td>Failed User Account Login </td>
</tr>
<tr>
<td>4648</td>
<td>Security</td>
<td>Account Login with Explicit Credentials </td>
</tr>
</table>
"@
$hostname = $env:COMPUTERNAME
$pthXMLQueryLocal = @"
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4625)]]
and
*[EventData[Data[@Name='LogonType'] and (Data='3')]]
and
*[EventData[Data[@Name='AuthenticationPackageName'] = 'NTLM']]
and
*[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
and
*[EventData[Data[@Name='TargetDomainName'] != '$hostname']]
</Select>
</Query>
</QueryList>
"@
$remoteDesktopLogon = @"
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">
<!-- Collects Logon and Logoffs of RDP -->
<!-- Remote Desktop Protocol Connections -->
*[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]
and
*[EventData[Data[@Name='LogonType']='10')]]
and
(*[EventData[Data[5]='10')]]
or
*[EventData[Data[@Name='AuthenticationPackageName'] = 'Negotiate']])
</Select>
</Query>
</QueryList>
"@
$noResults = @"
<p class="warning"> No events were found that match the specified selection criteria. </p>
"@
function Invoke-DetectPTHL
{
$winraw = Get-WinEvent -FilterXml $pthXMLQueryLocal
if($winraw)
{
$justData = $winraw | Select-Object -Property Id, RecordId, LogName, ProcessId, ThreadId, MachineName, TimeCreated, TaskDisplayName, Message
$format = $justData | ConvertTo-Html -Head $header
}
else
{
$format = $null | ConvertTo-Html -Head $header -Body $noResults
}
return $format
}
function Invoke-DetectRemoteLogon
{
$winraw = Get-WinEvent -FilterXml $remoteDesktopLogon
if($winraw)
{
$format = $winraw | ConvertTo-Html -Head $header
}
else
{
$format = $null | ConvertTo-Html -Head $header -Body $noResults
}
return $format
}
$bodyExplain = @"
<ul class="menu">
<li class="menu"><a class="menu" href="/query">Query</a></li>
<li class="menu"><a class="menu" id="active" href="/secevt">Security Event Logs</a></li>
<ul class="menu" style="float:right;list-style-type:none;">
<li class="menu"><a class="menu" id="stop" href="/StopServer">Stop Server</a></li>
</ul>
</ul>
$secEventIDExpln
"@
$bodyExplainQuery = @"
<ul class="menu">
<li class="menu"><a class="menu" id="active" href="/query">Query</a></li>
<li class="menu"><a class="menu" href="/secevt">Security Event Logs</a></li>
<ul class="menu" style="float:right;list-style-type:none;">
<li class="menu" ><a class="menu" id="stop" style="hove: " href="/StopServer">Stop Server</a></li>
</ul>
</ul>
$secEventIDExpln
<div class="tabs">
<ul>
<li class="tab">
<input type="radio" name="tabs" id="tab1" checked="">
<label for="tab1">Query Events</label>
<div id="tab-content1" class="tab-content">
<h2>Query Event</h2>
<span>Query a single event id or multiple deliminated by a "|" i.e. (4648|4624)</span>
<form method="get" target="queryEvent">
EventID:
<input type="text" name="EventID" value=""><br>
<input type="submit" value="Submit" class="button button1">
</form>
<iframe id="form-iframe" name="queryEvent" onload="AdjustIframeHeightOnLoad1()"></iframe>
<script type="text/javascript">
function AdjustIframeHeightOnLoad1() { document.getElementById("form-iframe").style.height = document.getElementById("form-iframe").contentWindow.document.body.scrollHeight + "px"; }
function AdjustIframeHeight1(i) { document.getElementById("form-iframe").style.height = parseInt(i) + "px"; }
</script>
<br>
</div>
</li>
<li class="tab">
<input type="radio" name="tabs" id="tab2">
<label for="tab2">PTH Detection</label>
<div id="tab-content2" class="tab-content">
<h2>Pass The Hash</h2>
<form method="get" target="queryEvent2">
<input type="hidden" name="IOC" value="pth"><br>
<input type="submit" value="PTH Query" class="button button1">
</form>
<iframe id="form-iframe2" name="queryEvent2" onload="AdjustIframeHeightOnLoad2()"></iframe>
<script type="text/javascript">
function AdjustIframeHeightOnLoad2() { document.getElementById("form-iframe2").style.height = document.getElementById("form-iframe2").contentWindow.document.body.scrollHeight + "px"; }
function AdjustIframeHeight2(i) { document.getElementById("form-iframe2").style.height = parseInt(i) + "px"; }
</script>
</div>
</li>
<li class="tab">
<input type="radio" name="tabs" id="tab3">
<label for="tab3">Remote Desktop Logon Detection</label>
<div id="tab-content3" class="tab-content">
<h2>Remote Logon Detection</h2>
<form method="get" target="queryEvent3">
<input type="hidden" name="IOC" value="remotelogon"><br>
<input type="submit" value="Remote Logon Query" class="button button1">
</form>
<iframe id="form-iframe3" name="queryEvent3" onload="AdjustIframeHeightOnLoad3()"></iframe>
<script type="text/javascript">
function AdjustIframeHeightOnLoad3() { document.getElementById("form-iframe3").style.height = document.getElementById("form-iframe3").contentWindow.document.body.scrollHeight + "px"; }
function AdjustIframeHeight3(i) { document.getElementById("form-iframe3").style.height = parseInt(i) + "px"; }
</script>
</div>
</li>
</ul>
</div>
"@
function Get-WindowsSecurityEvents
{
$winraw = Get-EventLog -LogName security -Newest 100 |
Where-Object -FilterScript {
$_.EventID -match '4740|4728|4732|4756|4735|4625|4624|4648'
} |
Select-Object -Property TimeGenerated, Index, EventID, Source, MachineName, EntryType, Message
$format = $winraw | ConvertTo-Html -Head $header -Body $bodyExplain
return $format
}
function Query-WindowsSecurityEvents
{
param($eventid)
if($eventid -eq $null -or '')
{
$format = $null | ConvertTo-Html -Head $header -Body $bodyExplainQuery
return $format
}
else
{
$winraw = Get-EventLog -LogName security -Newest 1000 |
Where-Object -FilterScript {
$_.EventID -match $eventid
} |
Select-Object -Property TimeGenerated, Index, EventID, Source, MachineName, EntryType, Message
$format = $winraw | ConvertTo-Html -Head $header -Body $bodyExplainQuery
return $format
}
}
function Query-WindowsSecurityEventsRaw
{
param($eventid)
if($eventid -eq $null -or '')
{
$format = $null | ConvertTo-Html -Head $header
return $format
}
else
{
$winraw = Get-EventLog -LogName security -Newest 1000 |
Where-Object -FilterScript {
$_.EventID -match $eventid
} |
Select-Object -Property TimeGenerated, Index, EventID, Source, MachineName, EntryType, Message
$format = $winraw | ConvertTo-Html -Head $header
return $format
}
}
function Stop-Server
{
$listener.Stop()
}
$routes = @{
'/' = {
return Query-WindowsSecurityEvents
}
'/secevt' = {
return Get-WindowsSecurityEvents
}
'/query' = {
return Query-WindowsSecurityEvents
}
'/queryRaw' = {
return Query-WindowsSecurityEventsRaw
}
'/StopServer' = {
Stop-Server
}
}
$url = 'http://localhost:8088/'
$listener = New-Object -TypeName System.Net.HttpListener
$listener.Prefixes.Add($url)
$listener.Start()
Write-Host "Listening at $url..."
try
{
while ($listener.IsListening)
{
$context = $listener.GetContext()
$requestUrl = $context.Request.Url
$response = $context.Response
Write-Host ''
Write-Host "> $requestUrl"
$localPath = $requestUrl.LocalPath
$route = $routes.Get_Item($requestUrl.LocalPath)
Write-Host $requestUrl
if ($route -eq $null)
{
$response.StatusCode = 404
}
else
{
if($requestUrl -match 'EventId')
{
Write-Verbose -Message 'MATCH!!'
$found = [regex]::Match($requestUrl,'EventID\=((\d+\|+.*)|(\d+))').Value
Write-Host 'Found: ' $found
$eid = [regex]::Match($found,'((\d+\|+.*)|(\d+))').Value
Write-Host 'Querying ID: ' + $eid
$content = Query-WindowsSecurityEventsRaw -eventid $eid
$buffer = [System.Text.Encoding]::UTF8.GetBytes($content)
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
}
elseif($requestUrl -match 'IOC\=pth')
{
Write-Verbose -Message 'MATCH!!'
$found = [regex]::Match($requestUrl,'IOC\=(pth)').Value
Write-Host 'Found: ' $found
$eid = [regex]::Match($found,'(pth)').Value
Write-Host 'Querying for Pass The Hash Events'
$content = Invoke-DetectPTHL
$buffer = [System.Text.Encoding]::UTF8.GetBytes($content)
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
}
elseif($requestUrl -match 'IOC\=remotelogon')
{
Write-Verbose -Message 'MATCH!!'
$found = [regex]::Match($requestUrl,'IOC\=(remotelogon)').Value
Write-Host 'Found: ' $found
$eid = [regex]::Match($found,'(remotelogon)').Value
Write-Host 'Querying for Remote Desktop Logon Events'
$content = Invoke-DetectRemoteLogon
$buffer = [System.Text.Encoding]::UTF8.GetBytes($content)
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
}
else
{
$content = & $route
$buffer = [System.Text.Encoding]::UTF8.GetBytes($content)
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
}
}
$response.Close()
$responseStatus = $response.StatusCode
Write-Host "< $responseStatus"
}
}
catch
{
$listener.Stop()
}
@watson0x90
Copy link
Author

Work in progress...
How To:

  1. Download script to localhost
  2. Start PowerShell console with local admin privileges
  3. Run the script
  4. Navigate in a browser to http://localhost:8088
  5. Don't whine and live with the interface...
  6. Click "Stop Server" in browser to shutdown the script. (Top right big red button.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment