I can't figure this out. Something that should have been simple has turned into a real pain. The code below works; I just need to start it in the background, from inside a function.
Code:
$EvidenceDirectory = "C:\Evidence"
$Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
$Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
$Sigmarules = "C:\Tools\chainsaw\sigma_rules"
Set-Alias Chainsaw $Chainsawpath
$run = Chainsaw hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
From inside a function:
function Chainsaw
{
    Start-Job {
        $EvidenceDirectory = "C:\Evidence"
        $Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
        $Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
        $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
        & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
    }
    # Start-Job returns immediately and runs the script block in a separate
    # process, so $LASTEXITCODE here is not chainsaw's exit code; it is whatever
    # the last native command run in this session left behind.
    if ($LASTEXITCODE -ne 0)
    {
        Write-Host "$LASTEXITCODE"
        return
    }
    else
    {
        # $Time is never assigned in this function, so it expands to an empty string.
        Write-Host "$Time Chainsaw analysis completed successfully"
    }
    Start-Sleep -s 2
}
Reply from a uj5u.com user:
You can run a variable with the call operator.
$run = & $Chainsawpath hunt $EvidenceDirectory\EVTX --rules $Sigmarules --mapping $Sigmamappings --csv $EvidenceDirectory\Chainsaw
As a job:
Start-Job {
    $EvidenceDirectory = "C:\Evidence"
    $Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
    $Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
    $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
    & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
}
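The reply's job starts chainsaw correctly, but it leaves two things from the question unresolved: a job runs in a separate PowerShell process, so it sees neither the caller's variables nor an alias created with Set-Alias, and $LASTEXITCODE in the calling session never reflects what chainsaw returned inside the job. The following is an added example (not from the question, the reply, or the chainsaw project) that wraps the job in a function, passes the paths in through -ArgumentList, captures the tool's exit code inside the job, and reads it back with Receive-Job. The function name Start-ChainsawHunt is my own; the paths and chainsaw flags are the ones used in the post.

```powershell
# Added example: run chainsaw as a background job from inside a function and
# get its exit code back. Paths are the ones from the post; adjust as needed.
function Start-ChainsawHunt {
    param(
        [string]$EvidenceDirectory = "C:\Evidence",
        [string]$ChainsawPath      = "C:\Tools\chainsaw\chainsaw.exe",
        [string]$SigmaMappings     = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml",
        [string]$SigmaRules        = "C:\Tools\chainsaw\sigma_rules"
    )

    # The job runs in its own process, so it cannot see this function's
    # variables or any alias defined in the parent session. Everything the
    # script block needs is handed in explicitly through -ArgumentList.
    $job = Start-Job -Name "ChainsawHunt" `
        -ArgumentList $EvidenceDirectory, $ChainsawPath, $SigmaMappings, $SigmaRules `
        -ScriptBlock {
            param($EvidenceDirectory, $ChainsawPath, $SigmaMappings, $SigmaRules)

            # Merge stderr into the captured output so error text is not lost.
            $output = & $ChainsawPath hunt "$EvidenceDirectory\EVTX" `
                --rules "$SigmaRules" `
                --mapping "$SigmaMappings" `
                --csv "$EvidenceDirectory\Chainsaw" 2>&1

            # $LASTEXITCODE is only meaningful in the process that ran the
            # native command, so read it here and return it with the output.
            [pscustomobject]@{
                ExitCode = $LASTEXITCODE
                Output   = $output
            }
        }

    return $job
}

# Caller side: the function returns at once; collect the result later.
$job = Start-ChainsawHunt
Write-Host "$(Get-Date -Format o) Chainsaw started as job $($job.Id)"

# ... other work can happen here while chainsaw runs ...

$result = Receive-Job -Job $job -Wait -AutoRemoveJob

if ($result.ExitCode -ne 0) {
    Write-Host "$(Get-Date -Format o) Chainsaw failed with exit code $($result.ExitCode)"
    $result.Output | Write-Host
}
else {
    Write-Host "$(Get-Date -Format o) Chainsaw analysis completed successfully"
}
```

If you prefer not to use -ArgumentList, the same values can be referenced inside the script block with the $using: scope modifier (for example $using:ChainsawPath), which PowerShell copies into the job at start time; either way the point is that nothing from the parent session is available in the job unless you pass it in, and the exit code has to be captured where the native command actually ran.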
Please credit the source when reposting; original link: https://www.uj5u.com/caozuo/414561.html