# Mr.Un1k0d3r RingZer0 Team
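function Search-EventForUser {
    <#
    .SYNOPSIS
        Searches the Security event log for successful logon events (Event ID 4624)
        whose TargetUserName matches the given account name(s).
    .DESCRIPTION
        Builds an XML event filter for Event ID 4624 restricted to the requested
        TargetUserName and runs Get-WinEvent against either the named computer
        (default: the local machine) or, with -FindDC, every domain controller of
        the current domain. Without -FullMessage only the identity, source-address,
        workstation and process lines of each event message are printed.
        Query errors other than "no matching events" (access denied, RPC
        unavailable, malformed filter) are surfaced as warnings instead of being
        reported as an empty result.
    .PARAMETER TargetUser
        One or more account names to look for (also accepted from the pipeline).
        A name containing a double quote is skipped, because that character
        terminates the XPath string literal inside the filter and cannot be escaped.
    .PARAMETER ComputerName
        Event log host to query when -FindDC is not set. Defaults to the local
        computer name.
    .PARAMETER FindDC
        Query every domain controller of the current domain instead of -ComputerName.
    .PARAMETER FullMessage
        Emit the complete event message instead of the selected lines.
    .PARAMETER Credential
        Credential for the remote Get-WinEvent call. Preferred over -Username/-Password,
        which place the secret in plain text on the command line and in history.
    .PARAMETER Username
        Account used for the remote query; combined with -Password into a credential
        when -Credential is not supplied.
    .PARAMETER Password
        Plain-text password for -Username.
    .OUTPUTS
        Status strings and, per matching event, either the full message or the
        Select-String matches for Account Name / Account Domain / Security ID /
        Source Network Address / Workstation Name / Process Name.
    #>
    param(
        [Parameter(Mandatory=$True, ValueFromPipeline=$true)]
        [string[]]$TargetUser,
        [Parameter(Mandatory=$False)]
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory=$False)]
        [switch]$FindDC,
        [Parameter(Mandatory=$False)]
        [switch]$FullMessage,
        [Parameter(Mandatory=$False)]
        [string]$Username,
        [Parameter(Mandatory=$False)]
        [string]$Password,
        [Parameter(Mandatory=$False)]
        [System.Management.Automation.PSCredential]$Credential
    )
    BEGIN {
        # Resolve the credential once; $null means "run as the caller".
        $Creds = $null
        if ($Credential) {
            $Creds = $Credential
            $Username = $Credential.UserName
        } elseif ($Username -ne "") {
            $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
            $Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
        }

        # Lines of a 4624 message that are shown when -FullMessage is not set.
        $summaryPatterns = @(
            'Account Name:',
            'Account Domain:',
            'Security ID:',
            'Source Network Address:',
            'Workstation Name:',
            'Process Name:'
        )

        # The host list does not depend on the pipeline item, so resolve it once
        # rather than re-enumerating the domain for every user name.
        [System.Collections.ArrayList]$dcs = @()
        if ($FindDC) {
            Write-Output "[+] Enumerating all the DCs"
            ForEach ($dc in [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
                Write-Output "[+] DC found: $($dc.Name)"
                $dcs.Add($dc.Name) | Out-Null
            }
        } else {
            $dcs.Add($ComputerName) | Out-Null
        }
    }
    PROCESS {
        ForEach ($dc in $dcs) {
            ForEach ($item in $TargetUser) {
                Write-Output "[+] Parsing $($dc) Logs looking for $($item)"

                # The name is spliced into an XPath string literal delimited by
                # double quotes. XPath 1.0 has no escape for the delimiter, so a
                # name containing one cannot be queried safely and is skipped;
                # the remaining XML metacharacters are entity-escaped.
                if ($item -match '"') {
                    Write-Warning "[-] Skipping '$($item)': a double quote cannot be expressed in the event filter"
                    continue
                }
                $safeItem = [System.Security.SecurityElement]::Escape($item)
                $xmlFilter = "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624)] and EventData[Data[@Name=""TargetUserName""]=""$($safeItem)""]]</Select></Query></QueryList>"

                # Single query path; the credential is the only optional argument.
                $queryArgs = @{
                    FilterXml     = $xmlFilter
                    ComputerName  = $dc
                    ErrorAction   = 'SilentlyContinue'
                    ErrorVariable = 'queryErrors'
                }
                if ($Creds) {
                    Write-Output "[*] Remotely authenticated as $($Username)"
                    $queryArgs['Credential'] = $Creds
                }
                $data = Get-WinEvent @queryArgs | Select-Object -Property Message

                # "No matching events" is the expected empty result; any other
                # error must not be reported as "no event found".
                ForEach ($err in $queryErrors) {
                    if ($err.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                        Write-Warning "[-] Query against $($dc) failed: $($err.Exception.Message)"
                    }
                }

                if ($data) {
                    ForEach ($entry in $data) {
                        Write-Output "`n[+] Event found"
                        if ($FullMessage) {
                            Write-Output $entry.Message
                        } else {
                            # One pass over the message lines with all patterns
                            # instead of six Select-String calls per line.
                            $entry.Message.Split("`n") | Select-String -Pattern $summaryPatterns
                        }
                    }
                } else {
                    Write-Output "[-] No event found on $($dc)..."
                }
            }
        }
    }
    END {
        Write-Output "[+] Process completed..."
    }
}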