As an admin, looking at Event Viewer becomes routine, especially when you are troubleshooting or, as in my case, looking for signs of intrusion, where the relevant events are spread across different logs.

Manually going through hundreds of thousands of log entries is time consuming, so I have a script that finds what I need, if it is there at all.

Yesterday I was looking for IP addresses where a machine calls back to a C&C (Command and Control) server. The script below uses dummy data to show the idea; by changing the log name and the keyword you should find what you are looking for.

PowerShell: find a keyword in an event log

Here is the code; feel free to modify it to suit your needs:

# Get the most recent 40000 events from the PowerShell operational event log
$eventLog = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 40000

# Define the keyword to search for (dummy value; replace with an IP address, host name, etc.)
$keyword = "87404"

# Iterate through the events and check each message for the keyword
foreach ($event in $eventLog) {
    # -like with wildcards on both sides matches the keyword anywhere in the message
    if ($event.Message -like "*$keyword*") {
        # Print the full event as a property list
        $event | Format-List | Out-String | Write-Host
        # You can add more actions or customize the output as needed
    }
}
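The script above reads one log and tests one keyword. As an added example (my own, not the post's script), the version below extends the same idea: it searches several logs for a list of indicators within a time window, lets Get-WinEvent do the time filtering via -FilterHashtable instead of pulling a fixed number of events, falls back to the raw event XML when a provider's message text is unavailable, and writes the hits to a CSV for review. The log names, indicator values and output path are placeholders and constructed sample values; substitute the logs and strings you are actually hunting for.

```powershell
# Added example, not the original post's script.
# Search several event logs for a list of indicators within a time window
# and write the matching events to CSV for review.

# Placeholder log names; the Security log normally needs an elevated session.
$LogNames = @(
    'Microsoft-Windows-PowerShell/Operational',
    'Security',
    'System'
)

# Constructed sample indicators (documentation-range IPs and a cmdlet name);
# replace with the addresses or strings you are looking for.
$Indicators = @('203.0.113.45', '198.51.100.7', 'Invoke-Expression')

$Hours   = 24
$OutFile = Join-Path $env:TEMP 'eventlog-hits.csv'

# Escape each indicator so the dots in IP addresses match literally, then join
# them into one alternation so every message is tested only once.
$pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
$since   = (Get-Date).AddHours(-$Hours)

$hits = foreach ($log in $LogNames) {
    try {
        # Filtering on StartTime here is done by the event log API itself,
        # which is much faster than retrieving everything and filtering in PowerShell.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop
    } catch {
        # Lands here when the log does not exist, is not readable with the
        # current rights, or simply has no events in the window.
        Write-Warning "Skipping log '$log': $($_.Exception.Message)"
        continue
    }

    foreach ($event in $events) {
        # Message is $null when the provider's message resources are not
        # installed on this host; fall back to the raw XML so the indicator
        # is still searched.
        $text = if ($event.Message) { $event.Message } else { $event.ToXml() }

        if ($text -match $pattern) {
            # Collapse whitespace and keep a short excerpt so the CSV stays readable;
            # RecordId lets you pull the full event from the log later.
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                LogName     = $event.LogName
                Provider    = $event.ProviderName
                EventId     = $event.Id
                RecordId    = $event.RecordId
                Matched     = $Matches[0]
                Excerpt     = $flat.Substring(0, [Math]::Min(300, $flat.Length))
            }
        }
    }
}

$hits | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "$(@($hits).Count) matching event(s) written to $OutFile"
```

Two things worth knowing when you adapt it: Get-WinEvent raises an error rather than returning nothing when no events match, which is why the "no events" case goes through the catch block, and the Message property depends on the event provider's message DLL being present on the machine doing the search, so when you read logs copied from another host the XML fallback is what actually gets matched.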

PowerShell can do many things, but the one that matters most is making your daily tasks easier.

Hope it helps.
