guyrleech

Show TLS Negotiations from Event Log

Dec 21st, 2023 (edited)
PowerShell 0.79 KB | Cybersecurity
## Gather data from Secure Channel (schannel) negotiation events
## Enable logging via EventLogging REG_DWORD = 1 in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

## Get cipher suites so we can look them up for each event
$csuites = Get-TlsCipherSuite

## Get the events and use the "properties" array, which is used to construct the message, to show individual elements
Get-WinEvent -FilterHashtable @{ ProviderName = 'Schannel' ; Id = 36880 } |
    Select-Object TimeCreated,
        @{n='Type';e={$_.Properties[0].Value}},
        @{n='TLS';e={$_.Properties[1].Value}},
        @{n='CipherSuite';e={($csuites | Where-Object CipherSuite -eq $_.Properties[2].Value).Name}},
        @{n='TargetName';e={$_.Properties[5].Value}},
        @{n='Local Cert Subject';e={$_.Properties[6].Value}},
        @{n='Remote Cert Subject';e={$_.Properties[7].Value}}
Tags: schannel; tls;
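
An added example (not part of the original paste) that groups the records emitted by the pipeline above by protocol, cipher suite and target, and marks legacy protocol versions so they sort first. The function name, the sample records and the protocol strings in $LegacyProtocol are assumptions.

```powershell
# Added example, not part of the original paste.
# Get-TlsNegotiationSummary is a hypothetical helper name. Input objects are assumed to
# carry the TimeCreated, TLS, CipherSuite and TargetName properties the paste emits.
function Get-TlsNegotiationSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Negotiation,

        # Assumption: the TLS property holds text such as 'TLS 1.2'; adjust to what your events show
        [string[]] $LegacyProtocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
    )
    begin   { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { $all.Add($Negotiation) }
    end {
        # One row per distinct protocol / cipher suite / target combination
        $all | Group-Object -Property TLS, CipherSuite, TargetName | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Legacy      = ($first.TLS -in $LegacyProtocol)
                Count       = $_.Count
                TLS         = $first.TLS
                CipherSuite = $first.CipherSuite
                TargetName  = $first.TargetName
                LastSeen    = ($_.Group.TimeCreated | Sort-Object | Select-Object -Last 1)
            }
        } | Sort-Object -Property @{ Expression = 'Legacy'; Descending = $true },
                                  @{ Expression = 'Count';  Descending = $true }
    }
}

# Constructed sample records standing in for the paste's output, so this runs offline
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2023-12-21T09:00:00'; TLS = 'TLS 1.2'; CipherSuite = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'; TargetName = 'app.example.test' }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-12-21T09:05:00'; TLS = 'TLS 1.2'; CipherSuite = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'; TargetName = 'app.example.test' }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-12-21T09:07:00'; TLS = 'TLS 1.0'; CipherSuite = 'TLS_RSA_WITH_AES_128_CBC_SHA'; TargetName = 'legacy.example.test' }
)

# The legacy.example.test row is listed first with Legacy = True
$sample | Get-TlsNegotiationSummary | Format-Table -AutoSize
```

To run it on live data, pipe the output of the Get-WinEvent pipeline above into Get-TlsNegotiationSummary in place of $sample.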