
nishang | red team, penetration testing and offensive security | Security Testing library


kandi X-RAY | nishang Summary

nishang is a PowerShell library typically used in Testing, Security Testing applications. nishang has no bugs or vulnerabilities reported and has medium support. However, nishang has a Non-SPDX License. You can download it from GitHub.
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

Support

  • nishang has a medium active ecosystem.
  • It has 5603 star(s) with 1877 fork(s). There are 376 watchers for this library.
  • It had no major release in the last 12 months.
  • There are 9 open issues and 42 have been closed. On average issues are closed in 184 days. There are 5 open pull requests and 0 closed requests.
  • It has a neutral sentiment in the developer community.
  • The latest version of nishang is v0.7.6

Quality

  • nishang has no bugs reported.

Security

  • nishang has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

License

  • nishang has a Non-SPDX License.
  • A Non-SPDX license may be an open-source license that is not SPDX-compliant, or a license that is not open source at all; review it closely before use.

Reuse

  • nishang releases are available to install and integrate.
  • Installation instructions are not available. Examples and code snippets are available.

nishang Key Features

Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

nishang Examples and Code Snippets

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

PS C:\nishang> Import-Module .\nishang.psm1

Community Discussions

Trending Discussions on nishang
  • Parsing out PowerShell CommandLine Data from EventLog

QUESTION

Parsing out PowerShell CommandLine Data from EventLog

Asked 2017-May-12 at 23:52

Sending Windows Event Logs with WinLogBeat to Logstash - primarily focused on PowerShell events within the logs.

Example:

<'Data'>NewCommandState=Stopped SequenceNumber=1463 HostName=ConsoleHost HostVersion=5.1.14409.1005 HostId=b99970c6-0f5f-4c76-9fb0-d5f7a8427a2a HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe EngineVersion=5.1.14409.1005 RunspaceId=bd4224a9-ce42-43e3-b8bb-53a302c342c9 PipelineId=167 CommandName=Import-Module CommandType=Cmdlet ScriptName= CommandPath= CommandLine=Import-Module -Verbose.\nishang.psm1<'/Data'>

How can I extract the CommandLine= field using grok to get the following?

Import-Module -Verbose.\nishang.psm1

ANSWER

Answered 2017-May-12 at 23:52

Grok is a wrapper around regular expressions. If you can parse data with a regex, you can implement it with grok.

Even though your scope is specific to the CommandLine field, parsing each of the fields in most key=value logs is pretty straightforward, and a single regex can be used for every field with some grok filters. If you intend to store, query, and visualize logs - the more data, the better.

Regular Expression:

First we start with the following:

(.*?(?=\s\w+=|\<|$))
  • .*? - Matches any character except for line terminators
  • (?=\s\w+=|\<|$) - Positive lookahead that asserts the pattern must match the following
    • \s\w+= - Any word characters with a space prior to it, followed by a =
    • |\<|$ - Alternatively may match < or the end of the line so as not to include them in the matching group.

This means that each field can be parsed similar to the following:

CommandLine=(.*?(?=\s\w+=|\<|$))

Grok:

Now this means we can begin creating grok filters. The power of it is that reusable components may have semantic language applied to them.

/etc/logstash/patterns/powershell.grok:

# Patterns
PS_KEYVALUE (.*?(?=\s\w+=|\<|$))

# Fields
PS_NEWCOMMANDSTATE NewCommandState=%{PS_KEYVALUE:NewCommandState}
PS_SEQUENCENUMBER SequenceNumber=%{PS_KEYVALUE:SequenceNumber}
PS_HOSTNAME HostName=%{PS_KEYVALUE:HostName}
PS_HOSTVERSION HostVersion=%{PS_KEYVALUE:HostVersion}
PS_HOSTID HostId=%{PS_KEYVALUE:HostId}
PS_HOSTAPPLICATION HostApplication=%{PS_KEYVALUE:HostApplication}
PS_ENGINEVERSION EngineVersion=%{PS_KEYVALUE:EngineVersion}
PS_RUNSPACEID RunspaceId=%{PS_KEYVALUE:RunspaceId}
PS_PIPELINEID PipelineId=%{PS_KEYVALUE:PipelineId}
PS_COMMANDNAME CommandName=%{PS_KEYVALUE:CommandName}
PS_COMMANDTYPE CommandType=%{PS_KEYVALUE:CommandType}
PS_SCRIPTNAME ScriptName=%{PS_KEYVALUE:ScriptName}
PS_COMMANDPATH CommandPath=%{PS_KEYVALUE:CommandPath}
PS_COMMANDLINE CommandLine=%{PS_KEYVALUE:CommandLine}

Where %{PATTERN:label} will utilize the PS_KEYVALUE regular expression, and the matching group will be labeled with that value in JSON. This is where you can get flexible in naming fields you know.

/etc/logstash/conf.d/powershell.conf:

input {
    ...
}

filter {
    grok {
        patterns_dir => "/etc/logstash/patterns"
        break_on_match => false
        match => [
            "message", "%{PS_NEWCOMMANDSTATE}",
            "message", "%{PS_SEQUENCENUMBER}",
            "message", "%{PS_HOSTNAME}",
            "message", "%{PS_HOSTVERSION}",
            "message", "%{PS_HOSTID}",
            "message", "%{PS_HOSTAPPLICATION}",
            "message", "%{PS_ENGINEVERSION}",
            "message", "%{PS_RUNSPACEID}",
            "message", "%{PS_PIPELINEID}",
            "message", "%{PS_COMMANDNAME}",
            "message", "%{PS_COMMANDTYPE}",
            "message", "%{PS_SCRIPTNAME}",
            "message", "%{PS_COMMANDPATH}",
            "message", "%{PS_COMMANDLINE}"
        ]
    }
}

output {
    stdout { codec => "rubydebug" }
}

Result:

{
    "HostApplication" => "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "EngineVersion" => "5.1.14409.1005",
         "RunspaceId" => "bd4224a9-ce42-43e3-b8bb-53a302c342c9",
            "message" => "<'Data'>NewCommandState=Stopped SequenceNumber=1463 HostName=ConsoleHost HostVersion=5.1.14409.1005 HostId=b99970c6-0f5f-4c76-9fb0-d5f7a8427a2a HostApplication=C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe EngineVersion=5.1.14409.1005 RunspaceId=bd4224a9-ce42-43e3-b8bb-53a302c342c9 PipelineId=167 CommandName=Import-Module CommandType=Cmdlet ScriptName= CommandPath= CommandLine=Import-Module -Verbose.\\nishang.psm1<'/Data'>",
             "HostId" => "b99970c6-0f5f-4c76-9fb0-d5f7a8427a2a",
        "HostVersion" => "5.1.14409.1005",
        "CommandLine" => "Import-Module -Verbose.\\nishang.psm1",
         "@timestamp" => 2017-05-12T23:49:24.130Z,
               "port" => 65134,
        "CommandType" => "Cmdlet",
           "@version" => "1",
               "host" => "10.0.2.2",
     "SequenceNumber" => "1463",
    "NewCommandState" => "Stopped",
         "PipelineId" => "167",
        "CommandName" => "Import-Module",
           "HostName" => "ConsoleHost"
}

Source https://stackoverflow.com/questions/43947267

Community Discussions, Code Snippets contain sources that include Stack Exchange Network
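As an added example (not part of the answer above and not code from the nishang project), the same key=value extraction implemented in Python, so the lookahead-based pattern can be checked offline against the <Data> payload quoted in the question before it is committed to a grok pattern file. It goes one step beyond the answer in two ways: it generates the pattern file for any list of field names, and it reads CommandLine with its own pattern, because that field is the last one in the record and may itself contain a "word=value" token that would cut the generic pattern short. The sample payload is the one from the question; the second sample, the function names and the constants are this example's own.

```python
import re

# Constructed sample: the <Data> payload quoted in the question above,
# exactly as it arrives as one line in the "message" field.
SAMPLE_DATA = (
    "<'Data'>NewCommandState=Stopped SequenceNumber=1463 HostName=ConsoleHost "
    "HostVersion=5.1.14409.1005 HostId=b99970c6-0f5f-4c76-9fb0-d5f7a8427a2a "
    "HostApplication=C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "EngineVersion=5.1.14409.1005 RunspaceId=bd4224a9-ce42-43e3-b8bb-53a302c342c9 "
    "PipelineId=167 CommandName=Import-Module CommandType=Cmdlet ScriptName= "
    "CommandPath= CommandLine=Import-Module -Verbose.\\nishang.psm1<'/Data'>"
)

# Constructed edge case: a command line that itself carries a "word=value" token.
SAMPLE_DATA_TRICKY = (
    "<'Data'>NewCommandState=Stopped CommandName=Write-Output "
    "CommandLine=Write-Output key=value<'/Data'>"
)

# The answer's PS_KEYVALUE idea: after "key=", consume lazily until the next
# " word=" token, a "<", or the end of the string.
KEYVALUE_RE = re.compile(r"(?P<key>\w+)=(?P<value>.*?(?=\s\w+=|<|$))")

# CommandLine is the last field in this record layout, so it can be read up to
# the closing "<" instead of stopping at the next " word=" token.
COMMANDLINE_RE = re.compile(r"CommandLine=(.*?)(?=<|$)")


def parse_powershell_event(data: str) -> dict:
    """Return every key=value field of one record as a dict; empty values are kept."""
    return {m.group("key"): m.group("value") for m in KEYVALUE_RE.finditer(data)}


def extract_command_line(data: str):
    """The field the question asks for, or None if the record has no CommandLine."""
    m = COMMANDLINE_RE.search(data)
    return m.group(1) if m else None


def grok_patterns(field_names) -> str:
    """Generate the grok pattern file the answer writes by hand, for any field list."""
    lines = ["# Patterns", r"PS_KEYVALUE (.*?(?=\s\w+=|\<|$))", "", "# Fields"]
    for name in field_names:
        lines.append(f"PS_{name.upper()} {name}=%{{PS_KEYVALUE:{name}}}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fields = parse_powershell_event(SAMPLE_DATA)
    for key, value in fields.items():
        print(f"{key:>16} => {value!r}")
    print("CommandLine:", extract_command_line(SAMPLE_DATA))
    # Why CommandLine deserves its own pattern:
    print(parse_powershell_event(SAMPLE_DATA_TRICKY)["CommandLine"])  # 'Write-Output'
    print(extract_command_line(SAMPLE_DATA_TRICKY))  # 'Write-Output key=value'
    print(grok_patterns(fields))
```

On the question's payload both approaches agree and the generic pattern yields the same 14 fields the rubydebug output above shows, including the empty ScriptName and CommandPath. On the constructed second record the generic pattern truncates CommandLine to "Write-Output" and turns "key" into a phantom field, which matters when the field is what a detection rule reads; anchoring the last field on the closing "<" (or, in grok, giving PS_COMMANDLINE a pattern that does not stop at whitespace) avoids that.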

Vulnerabilities

No vulnerabilities reported

Install nishang

You can download it from GitHub.

Support

Please raise an issue if you encounter a bug or have a feature request. You can email me at nikhil [dot] uitrgpv at gmail.com. For feedback, discussions, and feature requests, join: http://groups.google.com/group/nishang-users. I am always looking for contributors to Nishang. Please submit requests or drop me an email.
