
I have a command output (JSON) stored in a PowerShell variable and want to send it as syslog to a remote device.

The output looks like this:

{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\nslookup.exe\" test160.com","Company":"Microsoft Corporation","CurrentDirectory":"C:\\chainsaw\\","Description":"nslookup","FileVersion":"10.0.19041.1 (WinBuild.160101.0800)","Hashes":"MD5=F2E3950C1023ACF80765C918791999C0,SHA256=55AB032D256ADBE3FDE40CF90FE83BA5EAB591E04AD720161ED8E6EF059CA747,IMPHASH=2C6AC0BEC4117681BA25EAD3FABF0BA1","Image":"C:\\Windows\\System32\\nslookup.exe","IntegrityLevel":"High","LogonGuid":"A7F7F064-A954-6346-8215-540000000000","LogonId":"0x541582","OriginalFileName":"nslookup.exe","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"A7F7F064-01FF-6347-7FA8-000000001D00","ParentProcessId":10796,"ParentUser":"DESKTOP-GI1ELAK\\Administrator","ProcessGuid":"A7F7F064-0354-6347-F6AA-000000001D00","ProcessId":7896,"Product":"Microsoft® Windows® Operating System","RuleName":"-","TerminalSessionId":1,"User":"DESKTOP-GI1ELAK\\Administrator","UtcTime":"2022-10-12 18:11:32.747"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-GI1ELAK","Correlation":null,"EventID":1,"EventRecordID":3705446,"Execution_attributes":{"ProcessID":3792,"ThreadID":6624},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2022-10-12T18:11:32.750649Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}

When I try to send it as syslog, using a .exe program for this, it escapes some of the JSON quotes and breaks it before sending it.

Example:

$json='{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\nslookup.exe\" test160.com","Company":"Microsoft Corporation","CurrentDirectory":"C:\\chainsaw\\","Description":"nslookup","FileVersion":"10.0.19041.1 (WinBuild.160101.0800)","Hashes":"MD5=F2E3950C1023ACF80765C918791999C0,SHA256=55AB032D256ADBE3FDE40CF90FE83BA5EAB591E04AD720161ED8E6EF059CA747,IMPHASH=2C6AC0BEC4117681BA25EAD3FABF0BA1","Image":"C:\\Windows\\System32\\nslookup.exe","IntegrityLevel":"High","LogonGuid":"A7F7F064-A954-6346-8215-540000000000","LogonId":"0x541582","OriginalFileName":"nslookup.exe","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"A7F7F064-01FF-6347-7FA8-000000001D00","ParentProcessId":10796,"ParentUser":"DESKTOP-GI1ELAK\\Administrator","ProcessGuid":"A7F7F064-0354-6347-F6AA-000000001D00","ProcessId":7896,"Product":"Microsoft® Windows® Operating System","RuleName":"-","TerminalSessionId":1,"User":"DESKTOP-GI1ELAK\\Administrator","UtcTime":"2022-10-12 18:11:32.747"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-GI1ELAK","Correlation":null,"EventID":1,"EventRecordID":3705446,"Execution_attributes":{"ProcessID":3792,"ThreadID":6624},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2022-10-12T18:11:32.750649Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}'

syslog-client.exe -host 4.4.4.4 -port 514 $json

The syslog ends like :

INFO[1234]: {Event:{EventData:{CommandLine:"C:\\Windows\\system32\\nslookup.exe" test160.com,Company:Microsoft Corporation,CurrentDirectory:C:\\chainsaw\,Description:nslookup,FileVersion:10.0.19041.1 (WinBuild.160101.0800),Hashes:MD5=F2E3950C1023ACF80765C918791999C0,SHA256=55AB032D256ADBE3FDE40CF90FE83BA5EAB591E04AD720161ED8E6EF059CA747,IMPHASH=2C6AC0BEC4117681BA25EAD3FABF0BA1,Image:C:\\Windows\\System32\\nslookup.exe,IntegrityLevel:High,LogonGuid:A7F7F064-A954-6346-8215-540000000000,LogonId:0x541582,OriginalFileName:nslookup.exe,ParentCommandLine:powershell,ParentImage:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,ParentProcessGuid:A7F7F064-01FF-6347-7FA8-000000001D00,ParentProcessId:10796,ParentUser:DESKTOP-GI1ELAK\\Administrator,ProcessGuid:A7F7F064-0354-6347-F6AA-000000001D00,ProcessId:7896,Product:Microsoft Windows Operating System,RuleName:-,TerminalSessionId:1,User:DESKTOP-GI1ELAK\\Administrator,UtcTime:2022-10-12 18:11:32.747},System:{Channel:Microsoft-Windows-Sysmon/Operational,Computer:DESKTOP-GI1ELAK,Correlation:null,EventID:1,EventRecordID:3705446,Execution_attributes:{ProcessID:3792,ThreadID:6624},Keywords:0x8000000000000000,Level:4,Opcode:0,Provider_attributes:{Guid:5770385F-C22A-43E0-BF4C-06F5698FFBD9,Name:Microsoft-Windows-Sysmon},Security_attributes:{UserID:S-1-5-18},Task:1,TimeCreated_attributes:{SystemTime:2022-10-12T18:11:32.750649Z},Version:5}},Event_attributes:{xmlns:http://schemas.microsoft.com/win/2004/08/events/event}}

How can I avoid the syslog-client.exe double quote escaping? I tried with syslog-client.exe "'"$json"'" but it sends the syslog between double quotes.

Regards.

Richard

1 Answer


The issue is being caused by the external program. The only double quotes that remained were the ones that escaped. With that said, escape the rest.

$json = .....
$json = $json -replace '([^\\"])"','$1\"'

syslog-client.exe -host 4.4.4.4 -port 514 $json
  • It is erasing some backslashes and now there are some parts that can't be parsed as JSON. Example: this: ` "CommandLine":"\"C:\\Windows\\system32\\nslookup.exe\" test160.com" ` is ending like this: ` "CommandLine":""C:\\Windows\\system32\\nslookup.exe" test160.com" ` – Richard Oct 12 '22 at 19:52
  • @Richard, so, `($json -replace '\\"','\\"') -replace '([^\\"])"','$1\"'`? I don't know what it is you're after. – Metzli_Tonaltzintli Oct 12 '22 at 20:06
  • It continues resulting in corrupted json :(. Please, try to replicate and put the output in this [JSON PARSER](http://json.parser.online.fr/) – Richard Oct 13 '22 at 01:29
  • Can you tell me what those regexes mean? – Richard Oct 13 '22 at 01:36
  • @Richard, you won't get the same results from the JSON Parser site you've linked vs what `syslog-client.exe` is doing. That `.exe` is stripping those quotes so they get escaped using the above method(s). My answer is solving the issue that `.exe` is causing, not how that site you've linked parses the json. That's why your `$json` in your example works on that site but not when passed to your .exe. – Metzli_Tonaltzintli Oct 13 '22 at 17:36
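Two ways to get the JSON in `$json` to the collector intact, written here as an added example (not code from the question or the answer above). It assumes the collector is 4.4.4.4:514/UDP as in the question, that syslog-client.exe splits its command line like an ordinary Windows program (so that call is left commented out), and it uses a constructed, trimmed copy of the question's Sysmon event as sample input.

```powershell
# Constructed sample: the question's Sysmon event trimmed to the fields used below.
$json = '{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\nslookup.exe\" test160.com"},"System":{"Computer":"DESKTOP-GI1ELAK","EventID":1,"TimeCreated_attributes":{"SystemTime":"2022-10-12T18:11:32.750649Z"}}}}'

# 1) Escape for a native .exe. Windows programs split their command line with
#    CommandLineToArgvW: a run of k backslashes followed by a quote must be sent
#    as 2k+1 backslashes plus the quote, so " becomes \" and \" becomes \\\".
#    Windows PowerShell 5.1 passes embedded quotes unescaped (hence the stripped
#    quotes in the question); PowerShell 7.3+ escapes them itself via
#    $PSNativeCommandArgumentPassing, so only pre-escape on older versions.
function ConvertTo-NativeArgument {
    param([Parameter(Mandatory)][string]$Text)
    $escaped = $Text -replace '(\\*)"', '$1$1\"'
    # trailing backslashes would otherwise eat the closing quote PowerShell adds
    $escaped -replace '(\\+)$', '$1$1'
}
$v = $PSVersionTable.PSVersion
$needsEscape = ($v.Major -lt 7) -or ($v.Major -eq 7 -and $v.Minor -lt 3)
$arg = if ($needsEscape) { ConvertTo-NativeArgument $json } else { $json }
# syslog-client.exe -host 4.4.4.4 -port 514 $arg

# 2) Skip the external program: build an RFC 5424 message and send it over UDP
#    directly, so the payload is never re-parsed as a command line.
function Send-JsonSyslog {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 514,
        [int]$Facility = 1,   # user-level
        [int]$Severity = 6    # informational
    )
    $ev  = $Json | ConvertFrom-Json           # fails fast if the JSON is already broken
    $pri = $Facility * 8 + $Severity
    $hdr = "<$pri>1 $($ev.Event.System.TimeCreated_attributes.SystemTime) " +
           "$($ev.Event.System.Computer) sysmon - $($ev.Event.System.EventID) -"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$hdr $Json")
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
}
# Send-JsonSyslog -Json $json -Server 4.4.4.4
```

Running `$arg | ConvertFrom-Json` on the escaped string is expected to fail; the escaping is for the command-line parser, and only what arrives at the receiver should parse as JSON.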