sample_security_logs.ps1
# Sample script for pulling Windows security-related event logs, largely inspired by similar functions via: https://github.com/obscuresec/PowerShell
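# --- Service installs referencing PsExec (System log, EventID 7045) ---
# 7045 ("A service was installed in the system") records the service name, binary
# path and installing account. This check is a plain wildcard match on the
# message text, so treat it as a cheap indicator rather than complete coverage.
# Status text goes to the host stream so the objects emitted below can be piped
# onward (e.g. to Export-Csv) without string lines mixed into the output.
Write-Host "Looking for PSExec Service Events."
$PSExecService = Get-EventLog -LogName "system" |
    Where-Object { $_.EventID -eq 7045 -and $_.Message -like "*PSExec*" }
$PSExecService | ForEach-Object {
    # $Host is a read-only PowerShell automatic variable (the host program object);
    # the original assigned to it, which fails with "Cannot overwrite variable Host",
    # so the machine name is read straight from the event record instead.
    $ObjectProps = @{
        'Host' = $_.MachineName;
        'User' = $_.UserName;
        'Time' = $_.TimeGenerated;
    }
    Write-Output (New-Object -TypeName PSObject -Property $ObjectProps)
}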
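# --- Service installs matching the MSF PsExec pattern (System log, EventID 7045) ---
# Both message tests are kept exactly as the author wrote them: a service whose
# name starts with "M" and whose binary is an eight-character .exe directly under
# %SYSTEMROOT%. "Service Name: M" is evaluated as a regex by -match (no
# metacharacters, so it behaves as a literal); the path test is a -like wildcard.
Write-Host "Looking for MSF PSExec Service Events."
$MSFService = Get-EventLog -LogName "system" |
    Where-Object {
        $_.EventID -eq 7045 -and
        $_.Message -match "Service Name: M" -and
        $_.Message -like "*%SYSTEMROOT%\????????.exe*"
    }
$MSFService | ForEach-Object {
    # $Host is a read-only automatic variable; assigning to it (as the original did)
    # errors out, so MachineName is taken directly from the event.
    $ObjectProps = @{
        'Host' = $_.MachineName;
        'User' = $_.UserName;
        'Time' = $_.TimeGenerated;
    }
    Write-Output (New-Object -TypeName PSObject -Property $ObjectProps)
}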
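# --- Service installs referencing winexesvc (System log, EventID 7045) ---
# Same shape as the PsExec check: a wildcard match on the 7045 message text, so a
# service installed under a different name is not matched by this test.
Write-Host "Looking for WinExe Service Events."
$WinExeService = Get-EventLog -LogName "system" |
    Where-Object { $_.EventID -eq 7045 -and $_.Message -like "*winexesvc*" }
$WinExeService | ForEach-Object {
    # $Host is a read-only automatic variable; the original's assignment to it
    # fails at runtime, so the value is read from the event record directly.
    $ObjectProps = @{
        'Host' = $_.MachineName;
        'User' = $_.UserName;
        'Time' = $_.TimeGenerated;
    }
    Write-Output (New-Object -TypeName PSObject -Property $ObjectProps)
}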
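# --- Elevation check ---
# The System-log checks above work for a standard user; the Security-log checks
# below need elevated rights, so stop here when not running as Administrator.
# The notice is a warning (not an output-stream string) so that callers piping
# this script's objects elsewhere do not receive it as data.
$CurrentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$CurrentPrincipal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $CurrentIdentity
if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Not running as Administrator. Run the script with elevated credentials to run further checks."
    return
}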
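# --- NTLM logons (Security log, EventID 4624 with AuthenticationPackageName = NtLmSsp) ---
# The trailing space in 'NtLmSsp ' is part of the value as recorded in the event
# and must be kept. The EventID test is folded into the XPath so the event log
# API does the filtering, instead of fetching every Security event that mentions
# NtLmSsp (4625, 4648, ...) and discarding most of them afterwards.
Write-Host "Looking for NTLM Network Logons."
$Filter = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NtLmSsp ']]"
$NTLMEvents = Get-WinEvent -LogName "security" -FilterXPath $Filter
if ($NTLMEvents) {
    $NTLMEvents | ForEach-Object {
        # Positional EventData fields of 4624: [5] TargetUserName, [6] TargetDomainName,
        # [11] WorkstationName (client side), [18] IpAddress (client side).
        # NOTE(review): here 'Host' is the client's WorkstationName and 'Workstation'
        # is the machine that logged the event, the reverse of how 'Host' is used by
        # the service checks earlier in this script. The key names are left as-is so
        # existing consumers of the output keep working.
        $ObjectProps = @{
            'Host' = $_.Properties[11].Value;
            'IPAddress' = $_.Properties[18].Value;
            'User' = $_.Properties[5].Value;
            'Domain' = $_.Properties[6].Value;
            'Time' = $_.TimeCreated;
            'Workstation' = $_.MachineName;
        }
        Write-Output (New-Object -TypeName PSObject -Property $ObjectProps)
    }
}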
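# --- Interactive logons (Security log, EventID 4624, LogonType 2) ---
# The original fetched the 1000 most recent 4624 events of any logon type and
# then kept the LogonType 2 ones, so on a busy host (where network/service logons
# dominate) it could return only a handful of interactive logons, or none. The
# LogonType test now lives in the XPath, so -MaxEvents 1000 caps the number of
# interactive logons returned rather than the number of 4624 events scanned.
Write-Host "Looking for Interactive (Type2) Logons."
$LogonFilter = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]"
$Logons = Get-WinEvent -LogName "security" -FilterXPath $LogonFilter -MaxEvents 1000
$Logons | ForEach-Object {
    # Full message text is emitted as in the original; parse further downstream if needed.
    $ObjectProps = @{
        'Message' = $_.Message;
        'Time' = $_.TimeCreated;
    }
    Write-Output (New-Object -TypeName PSObject -Property $ObjectProps)
}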