        /// <summary>
        /// Handles a DNS-client event: for the two event IDs this collector cares
        /// about, reads the queried name and the ';'-separated answer list from the
        /// record and registers every parseable answer address against the queried
        /// name in <c>ReverseDnsCache</c>. Any other event, or one lacking either
        /// field, is ignored silently.
        /// </summary>
        /// <param name="record">The ETW record to inspect.</param>
        internal void HandleRecord(IEventRecord record)
        {
            // Only two event IDs are relevant; everything else is dropped
            // without reading any of its fields.
            if (record.Id != 3018 && record.Id != 3020)
            {
                return;
            }

            // Both strings are required. Short-circuiting keeps the original
            // order: "QueryResults" is only read once "QueryName" succeeded.
            if (!record.TryGetUnicodeString("QueryName", out string domainName)
                || !record.TryGetUnicodeString("QueryResults", out string queryResult)
                || string.IsNullOrWhiteSpace(queryResult))
            {
                return;
            }

            // Answers are ';'-separated; drop empty pieces, trim the rest and
            // de-duplicate before handing each entry to the parser.
            var entries =
                from token in queryResult.Trim().Split(';')
                where !string.IsNullOrEmpty(token)
                select token.Trim();

            var dnsRecords = entries.Distinct()
                                    .Select(ParsedDnsRecord.Parse)
                                    .Where(r => r != null)
                                    .ToArray();

            foreach (var dnsRecord in dnsRecords)
            {
                // NOTE(review): the queried name is taken straight from the event
                // payload and stored as the reverse-lookup value without further
                // validation; consumers of the cache should treat it as data
                // reported by the client, not as a verified hostname.
                ReverseDnsCache.AddOrUpdate(dnsRecord.Address, domainName);
            }
        }
        /// <summary>
        /// Carves the "Host Application", "Command Name", "Command Type" and "User"
        /// fields out of a PowerShell event's context-info string and returns them
        /// as name/value pairs keyed "HostProcess", "CommandName", "CommandType" and
        /// "UserName". A record without the expected payload yields an empty sequence.
        /// </summary>
        /// <param name="record">The event record whose context-info string is parsed.</param>
        /// <returns>The extracted fields, or an empty sequence when the payload is absent.</returns>
        private IEnumerable <KeyValuePair <string, object> > ParseContextInfo(IEventRecord record)
        {
            // Literal markers that precede each field in the payload; the value is
            // whatever follows the marker up to the next line break.
            const string HostAppKey = "Host Application = ";
            const string CmdNameKey = "Command Name = ";
            const string CmdTypeKey = "Command Type = ";
            // NOTE(review): this listing is corrupted on the next line -- the "******"
            // run looks like the snippet site's secret masking and has swallowed the
            // rest of the UsrNameKey literal, the retrieval of `data`, `ret` and
            // `startIndex`, and the HostAppKey lookup that produces `host`. Recover
            // those lines from the original file before relying on this copy.
            const string UsrNameKey = "User = "******"HostProcess", host));

                // Each marker is searched only from the end of the previous field
                // (startIndex), so the fields are expected in this fixed order. A
                // missing marker yields an empty value and leaves startIndex alone,
                // so later fields are still looked for.
                // NOTE(review): IndexOf without a StringComparison is culture-sensitive;
                // since the payload is attacker-influenced text, StringComparison.Ordinal
                // would be the safer choice for these fixed ASCII markers.
                index = data.IndexOf(CmdNameKey, startIndex);
                var name = index != -1
                            ? data.ReadToNewline(index + CmdNameKey.Length, out startIndex)
                            : string.Empty;
                ret.Add(new KeyValuePair <string, object>("CommandName", name));

                index = data.IndexOf(CmdTypeKey, startIndex);
                var type = index != -1
                            ? data.ReadToNewline(index + CmdTypeKey.Length, out startIndex)
                            : string.Empty;
                ret.Add(new KeyValuePair <string, object>("CommandType", type));

                // The user field is reported by the PowerShell host itself; it is
                // not an authenticated identity.
                index = data.IndexOf(UsrNameKey, startIndex);
                var user = index != -1
                            ? data.ReadToNewline(index + UsrNameKey.Length, out startIndex)
                            : string.Empty;
                ret.Add(new KeyValuePair <string, object>("UserName", user));

                return(ret);
            }

            // No usable payload on the record: return an empty sequence rather than null.
            return(Enumerable.Empty <KeyValuePair <string, object> >());
        }
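        /// <summary>
        /// Event 7937's payload is basically a big well-formatted string.
        /// We have to parse it by hand, breaking out the interesting bits.
        /// Fortunately, interesting bits are separated by \n\r so we can break
        /// up the parsing by line.
        /// Every field is carved out of the event's "ContextInfo" string, so the
        /// values written to the console (user, host application, command name and
        /// type) are whatever the PowerShell host reported -- treat them as
        /// untrusted input, not as a verified identity or command.
        /// </summary>
        /// <param name="record">The ETW event record whose "ContextInfo" string is parsed.</param>
        static void OnEvent(IEventRecord record)
        {
            if (!record.TryGetUnicodeString("ContextInfo", out string data))
            {
                Console.WriteLine("Could not parse 'ContextInfo' from PowerShell event");
                return;
            }

            var startIndex = 0;

            // The order these keys are parsed in is static. There is no
            // guarantee, however, that future Windows versions won't change
            // the order. This is confirmed to work in:
            //  - Windows 10
            //  - Windows Server 2016
            //  - Windows 8.1
            //  - Windows Server 2012 R2
            //
            // Each key is searched only from the end of the previous field, so a
            // missing key yields an empty value and leaves startIndex unchanged;
            // the remaining keys are still looked for.
            //
            // The markers are fixed ASCII literals, so they are matched ordinally.
            // Culture-aware IndexOf can treat some Unicode code points as ignorable,
            // which would let a crafted payload match (or dodge) a marker it does not
            // literally contain; ordinal matching is also what the other parsers in
            // this file should use (CA1307).
            var index = data.IndexOf(HostAppKey, startIndex, StringComparison.Ordinal);
            var host  = index != -1
                        ? ReadToNewline(data, index + HostAppKey.Length, out startIndex)
                        : string.Empty;

            index = data.IndexOf(CmdNameKey, startIndex, StringComparison.Ordinal);
            var name = index != -1
                        ? ReadToNewline(data, index + CmdNameKey.Length, out startIndex)
                        : string.Empty;

            index = data.IndexOf(CmdTypeKey, startIndex, StringComparison.Ordinal);
            var type = index != -1
                        ? ReadToNewline(data, index + CmdTypeKey.Length, out startIndex)
                        : string.Empty;

            index = data.IndexOf(UserNameKey, startIndex, StringComparison.Ordinal);
            var user = index != -1
                        ? ReadToNewline(data, index + UserNameKey.Length, out startIndex)
                        : string.Empty;

            // NOTE(review): ReadToNewline is defined elsewhere and is assumed to stop
            // at the first line break -- confirm, because otherwise a crafted field
            // could inject additional lines into this console log.
            Console.WriteLine($"user: {user} - {host} invoked PowerShell method '{name}' (type: {type})");
        }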