<#
.SYNOPSIS
Subscription Utility is a wrapper for managing subscriptions.
.DESCRIPTION
Subscription Utility provides the ability to easily automate several wecutil operations for handling subscriptions. This utility is simply a wrapper around wecutil.
.PARAMETER install
Install all the subscriptions specified by -dir. If combined with cdir, the directory specified, if it exists, will be deleted first and then the new files are created.
.PARAMETER retry
Reactivates subscriptions specified by -dir.
.PARAMETER remove
Removes subscriptions specified by -dir.
.PARAMETER dir
The directory that contains subscriptions to be used.
.PARAMETER cdir
The directory that will be used for custom views creation or removal. If a directory does not exist, it will be created.
.PARAMETER cr
Removes custom views from %ProgramData%\Microsoft\Event Viewer\Views\. Must be supplied with cdir. The Views\ subdirectory named after the last path component of cdir will be removed.
.PARAMETER ci
Installs custom views from the directory given by cdir into %ProgramData%\Microsoft\Event Viewer\Views\. Must be supplied with cdir. A Views\ subdirectory named after the last path component of cdir will be created.
.INPUTS
System.String
.OUTPUTS
System.String
.EXAMPLE
.\subscriptionUtil.ps1 -install -dir ..\NT6 -cdir ..\CustomViews\NT6
This command will install subscriptions stored in the NT6 directory and custom views from the CustomViews\NT6 directory. Any old custom views are deleted forcibly. This assumes the subscription and custom view directories are stored at C:\.
.EXAMPLE
.\subscriptionUtil.ps1 -cdir ..\NT6 -cr
This will delete custom views for NT6 subscriptions currently in use.
.EXAMPLE
.\subscriptionUtil.ps1 -remove -dir ..\NT6
Removes subscriptions that were created from the NT6\ directory without removing custom views.
.LINK
https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
#>
# Parameter sets select exactly one mode of operation; "help" is the default
# set used when no switch is supplied (no handler for it is visible in this block).
[CmdletBinding(DefaultParameterSetName="help")]
param (
    # Mode: register the subscription XML files found under -dir (optionally with custom views from -cdir).
    [Parameter(Mandatory=$TRUE,parametersetname="install")]
    [ValidateNotNullOrEmpty()]
    [switch] $install,
    # Mode: re-activate the subscriptions named after the XML files under -dir.
    [Parameter(Mandatory=$TRUE,parametersetname="retry")]
    [ValidateNotNullOrEmpty()]
    [switch] $retry,
    # Mode: delete the subscriptions named after the XML files under -dir (optionally with custom views from -cdir).
    [Parameter(Mandatory=$TRUE,parametersetname="remove")]
    [ValidateNotNullOrEmpty()]
    [switch] $remove,
    # Directory searched recursively for *.xml subscription definitions; required by the three modes above.
    [Parameter(Mandatory=$TRUE,parametersetname="install")]
    [Parameter(Mandatory=$TRUE,parametersetname="retry")]
    [Parameter(Mandatory=$TRUE,parametersetname="remove")]
    [ValidateNotNullOrEmpty()]
    [string] $dir,
    # Custom views directory; optional for install/remove, required for the stand-alone -ci / -cr modes.
    [Parameter(Mandatory=$FALSE,parametersetname="remove")]
    [Parameter(Mandatory=$FALSE,parametersetname="install")]
    [Parameter(Mandatory=$TRUE,parametersetname="cremove")]
    [Parameter(Mandatory=$TRUE,parametersetname="cinstall")]
    [ValidateNotNullOrEmpty()]
    [string] $cdir,
    # Mode: install custom views only (parameter set "cinstall"; -cdir is what makes the set mandatory).
    [Parameter(Mandatory=$FALSE,parametersetname="cinstall")]
    [ValidateNotNullOrEmpty()]
    [switch] $ci,
    # Mode: remove custom views only (parameter set "cremove"; -cdir is what makes the set mandatory).
    [Parameter(Mandatory=$FALSE,parametersetname="cremove")]
    [ValidateNotNullOrEmpty()]
    [switch] $cr
)
# Option codes passed to cvWorker; constants so a typo cannot silently reassign them.
Set-Variable -Name INSTALLCV -Value 1 -Option Constant -Scope Script
Set-Variable -Name REMOVECV -Value 2 -Option Constant -Scope Script
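<#
.SYNOPSIS
Installs or removes one set of custom views under the Event Viewer Views directory.
.DESCRIPTION
The last path component of -d names the target subdirectory under
"$env:ProgramData\Microsoft\Event Viewer\Views\"; a trailing separator on -d is
tolerated. For $INSTALLCV the target is recreated and the contents of -d are
copied into it. For $REMOVECV the target is deleted if it exists.
.PARAMETER d
Source directory (install), or a directory whose last path component names the
views to remove (remove).
.PARAMETER option
$INSTALLCV or $REMOVECV (script-scope constants). Any other value is reported
with Write-Error and nothing is changed.
#>
function cvWorker([string] $d, [int32] $option){
    Write-Verbose "Starting to work on custom views"
    $viewsRoot = Join-Path $env:ProgramData "Microsoft\Event Viewer\Views"

    # Derive the target name from the last path component, ignoring a trailing
    # separator. Refuse "", "." and ".." -- with the old string concatenation a
    # -cdir of "..\" produced "Views\.." and the recursive delete walked out of
    # the Views directory.
    $leaf = Split-Path -Leaf ($d.TrimEnd('\', '/'))
    if ([string]::IsNullOrEmpty($leaf) -or $leaf -eq "." -or $leaf -eq "..") {
        Write-Error "Cannot derive a custom view directory name from '$d'"
        return
    }
    $target = Join-Path $viewsRoot $leaf

    if ($option -eq $INSTALLCV) {
        # (The old message printed $d.GetType(), i.e. "System.String", not the path.)
        Write-Verbose "Installing custom views from $d into $target"
        if (-not (Test-Path -LiteralPath $d -PathType Container)) {
            Write-Error "Custom view source directory '$d' does not exist"
            return
        }
        # Replace any existing copy so stale views do not linger alongside the new ones.
        if (Test-Path -LiteralPath $target) {
            Remove-Item -LiteralPath $target -Recurse -Force
        }
        New-Item -Path $target -ItemType Directory | Out-Null
        Copy-Item -Path (Join-Path $d "*") -Destination $target -Recurse -Force
    } elseif ($option -eq $REMOVECV) {
        Write-Verbose "Deleting custom views at $target"
        if (Test-Path -LiteralPath $target) {
            Remove-Item -LiteralPath $target -Recurse -Force
        } else {
            # Nothing to do; the old code let Remove-Item raise an error here.
            Write-Verbose "Nothing to remove: $target does not exist"
        }
    } else {
        Write-Error "Not a valid option to work on Custom Views"
    }
    Write-Verbose "Work on CustomView Completed"
}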
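<#
.SYNOPSIS
Registers every subscription XML found under -d with "wecutil cs", then reactivates them.
.PARAMETER d
Directory searched recursively for *.xml subscription definitions.
.NOTES
Reads the script parameter $cdir: when it is set, custom views are installed first
via cvWorker. wecutil is an external command, so its exit code is checked
explicitly; a failure is reported with Write-Warning and the remaining files are
still processed. Finishes by calling retry on the same directory.
#>
function install([string] $d){
    if ($cdir) {
        cvWorker $cdir $INSTALLCV
    }
    Write-Host "Starting registration of subscription"
    if (-not (Test-Path -LiteralPath $d -PathType Container)) {
        Write-Error "Directory $d does not exist.. aborting this operation"
        return
    }
    # @() keeps .Count meaningful when exactly one file is found.
    $xmlGrp = @(Get-ChildItem -Path $d -Recurse -Include "*.xml")
    if ($xmlGrp.Count -eq 0) {
        Write-Error "No items in $d.. aborting this operation"
        return
    }
    foreach ($file in $xmlGrp) {
        Write-Host "Working on " $file.FullName
        wecutil cs $file.FullName
        # $? only says the process ran; the outcome is in $LASTEXITCODE.
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wecutil cs failed for $($file.FullName) (exit code $LASTEXITCODE)"
        }
    }
    # Freshly created subscriptions are reactivated by the retry pass.
    retry $d
}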
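<#
.SYNOPSIS
Reactivates every subscription named after an XML file found under -d ("wecutil rs").
.PARAMETER d
Directory searched recursively for *.xml subscription definitions.
.NOTES
The subscription name is taken to be the file's base name (name without ".xml");
this mirrors how install registers them. wecutil's exit code is checked and a
failure is reported with Write-Warning; processing continues with the next file.
#>
function retry([string] $d){
    Write-Host "Retrying subscription"
    if (-not (Test-Path -LiteralPath $d -PathType Container)) {
        Write-Error "Directory $d does not exist.. aborting this operation"
        return
    }
    # -Name yields relative path strings rather than FileInfo objects; @() keeps .Count meaningful for a single hit.
    $xmlGrp = @(Get-ChildItem -Path $d -Name -Recurse -Include "*.xml")
    if ($xmlGrp.Count -eq 0) {
        Write-Error "No items in $d.. aborting this operation"
        return
    }
    foreach ($file in $xmlGrp) {
        $fNExt = [IO.Path]::GetFileNameWithoutExtension($file)
        Write-Host "Working on " $fNExt
        wecutil rs $fNExt
        # External command: inspect $LASTEXITCODE, not $?.
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wecutil rs failed for $fNExt (exit code $LASTEXITCODE)"
        }
    }
}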
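<#
.SYNOPSIS
Deletes every subscription named after an XML file found under -d ("wecutil ds").
.PARAMETER d
Directory searched recursively for *.xml subscription definitions.
.NOTES
Reads the script parameter $cdir: when it is set, the matching custom views are
removed first via cvWorker. The subscription name is taken to be the file's base
name. wecutil's exit code is checked and a failure is reported with
Write-Warning; processing continues with the next file.
#>
function remove([string] $d){
    if ($cdir) {
        cvWorker $cdir $REMOVECV
    }
    Write-Host "Deregistering of subscription"
    if (-not (Test-Path -LiteralPath $d -PathType Container)) {
        Write-Error "Directory $d does not exist.. aborting this operation"
        return
    }
    # -Name yields relative path strings; @() keeps .Count meaningful for a single hit.
    $xmlGrp = @(Get-ChildItem -Path $d -Name -Recurse -Include "*.xml")
    if ($xmlGrp.Count -eq 0) {
        Write-Error "No items in $d.. aborting this operation"
        return
    }
    foreach ($file in $xmlGrp) {
        $fNExt = [IO.Path]::GetFileNameWithoutExtension($file)
        Write-Host "Working on " $fNExt
        wecutil ds $fNExt
        # External command: inspect $LASTEXITCODE, not $?.
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wecutil ds failed for $fNExt (exit code $LASTEXITCODE)"
        }
    }
}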
# http://blog.technet.com/b/heyscripttingguy/archive/2011/05/11/check-for-admin-credentials-in-powershell-script.aspx
<#
.SYNOPSIS
Returns $true when the current Windows identity holds the built-in Administrator role, otherwise $false.
#>
function Is-Admin(){
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    return $principal.IsInRole($adminRole)
}
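# wecutil and the Views directory need elevation. Report the refusal through a
# non-zero exit code (a bare "exit" returned 0, which looked like success to callers).
if (-not (Is-Admin)) {
    Write-Warning "This script requires administrator privileges"
    exit 1
}
# Dispatch on the parameter set PowerShell resolved from the supplied switches.
switch ($PsCmdlet.ParameterSetName) {
    "install"  { install $dir }
    "retry"    { retry $dir }
    "remove"   { remove $dir }
    "cremove"  { cvWorker $cdir $REMOVECV }
    "cinstall" { cvWorker $cdir $INSTALLCV }
    # "help" is the default set (no switches given); show the usage instead of exiting silently.
    default    { Get-Help -Name $MyInvocation.MyCommand.Path }
}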