
我正在尝试使用 C# .NET Framework 从事件查看器读取 Windows Defender 事件。当我通过解析 XML 来获取事件数据中的属性值时，某些属性得到的是奇怪的字符串值，例如 Origin Name、Execution Name、Type Name、Action Name：

在此处输入图像描述

而在事件查看器的“常规”视图中，这些属性的实际值能够正确显示，如下所示：

在此处输入图像描述

下面是我用于解析 XML 数据的代码片段：

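        /// <summary>
        /// Reads the first Windows Defender event that matches a fixed time-window / event-id
        /// query from <paramref name="channel"/> and prints a selection of its fields to the console.
        /// </summary>
        /// <param name="channel">
        /// A saved .evtx file (the default) or a live channel name such as
        /// "Microsoft-Windows-Windows Defender/Operational"; interpreted according to <paramref name="pathType"/>.
        /// </param>
        /// <param name="pathType">
        /// <see cref="PathType.FilePath"/> when <paramref name="channel"/> is a file,
        /// <see cref="PathType.LogName"/> when it is a live channel.
        /// </param>
        /// <remarks>
        /// Only the first matching record is reported (as in the original code).
        /// Values such as "%%812" in the EventData are parameter-message placeholders: Event Viewer
        /// resolves them through the provider's parameter message file (for Windows Defender this is
        /// MpEvMsg.dll), whereas <see cref="EventRecord.ToXml"/> returns them unresolved.
        /// <see cref="EventRecord.FormatDescription"/> typically yields the rendered message text when the
        /// provider's metadata is installed on the machine running this code.
        /// </remarks>
        private static void GetRecordsInfo(
            string channel = @"C:\Users\patilp\Desktop\DefenderLogs.evtx",
            PathType pathType = PathType.FilePath)
        {
            const string query =
                "Event/System[ TimeCreated[@SystemTime > '2020-07-15T19:08:30.895832100Z' and @SystemTime < '2020-07-15T20:21:30.895832100Z']" +
                " and ((Level=1 or Level=2 or Level=3 or Level=4) and (EventID = 1006 or EventID = 1007 or EventID = 1008 or EventID = 1009 or " +
                "EventID = 1010 or EventID = 1011 or EventID = 1012 or EventID = 1015 or EventID = 1116 or EventID = 1117 or EventID = 1118 or EventID = 1119) and Provider[@Name='Microsoft-Windows-Windows Defender'])]";

            var eventLogQuery = new EventLogQuery(channel, pathType, query);

            // EventLogReader and EventRecord wrap native event-log handles; dispose both
            // (the original leaked them). A null record is tolerated by 'using'.
            using (var reader = new EventLogReader(eventLogQuery))
            using (EventRecord record = reader.ReadEvent())
            {
                if (record == null)
                {
                    Console.WriteLine("No data found");
                    return;
                }

                Dictionary<string, string> eventData = ParseEventData(record.ToXml());

                var currentEvent = new Dictionary<string, object>
                {
                    ["ProviderName"] = record.ProviderName,
                    ["ProviderEventGuid"] = record.ProviderId,
                    // Equivalent to the original IsNullOrEmpty ? Empty : channel.
                    ["Channel"] = channel ?? string.Empty,
                    ["EventID"] = Convert.ToString(record.Id),
                    ["Level"] = Convert.ToString(record.Level),
                    ["ThreatID"] = GetOrNA(eventData, "Threat ID"),
                    ["ThreatName"] = GetOrNA(eventData, "Threat Name"),
                    ["Severity"] = GetOrNA(eventData, "Severity ID"),
                    ["Category"] = GetOrNA(eventData, "Category Name"),
                    ["Path"] = GetOrNA(eventData, "Path"),
                    // The original checked one key but read another for the next three entries
                    // ("Origin Name" / "Detection ID", "Type ID" / "Threat ID", "Source Name" / "Detection User"),
                    // which threw KeyNotFoundException whenever only the checked key was present.
                    ["DetectionOrigin"] = GetOrNA(eventData, "Origin Name"),
                    ["DetectionType"] = GetOrNA(eventData, "Type Name"),
                    ["DetectionSource"] = GetOrNA(eventData, "Source Name"),
                    ["Status"] = GetOrNA(eventData, "Status Description"),
                    ["ProcessName"] = GetOrNA(eventData, "Process Name"),
                    ["Action"] = GetOrNA(eventData, "Action Name"),
                    ["ErrorCode"] = GetOrNA(eventData, "Error Code"),
                    ["ErrorDescription"] = GetOrNA(eventData, "Error Description"),
                    ["SignatureVersion"] = GetOrNA(eventData, "Security intelligence Version"),
                    ["EngineVersion"] = GetOrNA(eventData, "Engine Version"),
                };

                foreach (KeyValuePair<string, object> item in currentEvent)
                {
                    Console.WriteLine("{0}  :   {1}", item.Key, item.Value);
                }
            }
        }

        /// <summary>
        /// Collects the &lt;Data Name="..."&gt; elements of an event's XML rendering into a name/value map.
        /// </summary>
        /// <param name="rawXml">The XML returned by <see cref="EventRecord.ToXml"/>; null or empty yields an empty map.</param>
        /// <returns>Data-element values keyed by their Name attribute; unnamed elements are skipped and a repeated name keeps the last value.</returns>
        /// <exception cref="XmlException">Thrown when <paramref name="rawXml"/> is not well-formed.</exception>
        private static Dictionary<string, string> ParseEventData(string rawXml)
        {
            var eventData = new Dictionary<string, string>(StringComparer.Ordinal);
            if (string.IsNullOrEmpty(rawXml))
            {
                return eventData;
            }

            // The XML comes from a log file rather than from code we control; disabling the
            // resolver prevents any DTD/external-entity fetch and does not affect well-formed event XML.
            var xmlDoc = new XmlDocument { XmlResolver = null };
            xmlDoc.LoadXml(rawXml);

            foreach (XmlNode node in xmlDoc.GetElementsByTagName("Data"))
            {
                string name = node.Attributes?["Name"]?.InnerText;
                if (string.IsNullOrEmpty(name))
                {
                    continue; // Dictionary.Add(null, ...) threw ArgumentNullException in the original.
                }

                eventData[name] = node.InnerText; // indexer instead of Add: duplicates no longer throw.
            }

            return eventData;
        }

        /// <summary>
        /// Returns the value stored under <paramref name="key"/>, or "NA" when the key is missing or its value is blank.
        /// </summary>
        /// <param name="data">The parsed EventData map.</param>
        /// <param name="key">The Data element name to look up.</param>
        private static string GetOrNA(IReadOnlyDictionary<string, string> data, string key)
        {
            string value;
            return data.TryGetValue(key, out value) && !string.IsNullOrWhiteSpace(value) ? value : "NA";
        }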

有谁能告诉我，如何为上述属性获取正确的字符串值？




我有同样的问题。

我发现，在文件 msobj.dll 中可以找到一些类似的代码：https://github.com/wazuh/wazuh/issues/3242

使用网上找到的这段代码：https://gist.github.com/mattifestation/43248b6f59d1dd67d4f57318a9a7e565 ，我已经能够提取该文件中的每一个代码，但对于本例来说结果似乎不对。例如 %%812 返回的是 'Trusted To Authenticate For Delegation' - Disabled。

所以我推测 Defender 事件的代码位于其他某个 dll 中……但是是哪一个？

编辑：根据此来源：https://social.technet.microsoft.com/Forums/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity

msobj.dll 包含事件查看器能够显示的完整键值条目的声明——至少在 Windows XP 中如此。Windows 10 中似乎发生了一些变化，因为我这里只有 msobjs.dll。

EDIT2:我找到了答案!

这是 Stuart Squibb 所著的《PowerShell 和 Windows 事件日志》一书中的解决方案：

显然，这些属性（或者说占位符）位于该 dll 的消息表（message table）中：C:\Program Files\Windows Defender\MpEvMsg.dll

下面是查找某个事件所使用的 dll 的方法（注意：不同的事件提供者使用不同的 dll）：
# Provider metadata lists, among other properties, the message and parameter
# files (MessageFilePath / ParameterFilePath) from which %%NNN placeholders are resolved.
$Provider = New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList 'Microsoft-Windows-Windows Defender'
$Provider | Select-Object -Property *

然后，使用该书作者编写的工具，我提取出了这些代码：

https://github.com/wightsci/MessageTableReader

# Compile the MessageTableReader source and dump every message-table entry
# of the Windows Defender event message DLL.
Add-Type -Path "C:\MessageTableReader.cs"
$messageTable = New-Object -TypeName MessageTableReader.Reader
$messageTable.GetMessageList('C:\Program Files\Windows Defender\MpEvMsg.dll')

享受 ;-)

于 2020-07-30T09:33:33.383 回答