事件識別碼 4624
附加工作到此紀錄檔中
輸入名稱 User Logon Email Notification
<!-- Scheduled-task trigger filter: fires on Security event 4624 (successful
     logon) whose LogonType data field is 10, i.e. a RemoteInteractive (RDP)
     logon.  Console (type 2) and network (type 3) logons do not trigger it. -->
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select>
  </Query>
</QueryList>
-WindowStyle Hidden C:\mis\logonactivity.ps1
# logonactivity.ps1
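# logonactivity.ps1
#
# Builds a logon/logoff activity report from the Security event log of this
# host, writes it under C:\mis as text or HTML, and mails the HTML report.
# Intended to be launched by a scheduled task whose trigger is Security event
# 4624 (see the task's QueryList filter); there is no interactive console.
#
# Every account name and IP address placed in the table comes straight from the
# event log.  For 4625 (failed logon) the account name is whatever the remote
# side typed, so treat it as untrusted: it is only ever rendered through
# ConvertTo-Html, which HTML-encodes cell contents, and is never concatenated
# into the HTML by hand.

# ---------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------

# Output paths for the text and HTML reports.
$txtfile  = "c:\mis\LogonActivity.txt"
$htmlfile = "c:\mis\LogonActivity.html"

# Table that collects one row per logon/logoff event.  Every column is a
# string (dates included) because the text/HTML outputs only need display
# values.  Columns.Add returns the new column; discard it so it does not leak
# into the script's output stream.
$LogonActivityTable = New-Object system.Data.DataTable "Logon/Logoff Activity"
foreach ($columnName in "Date", "Type", "Status", "User", "IPAddress") {
    $LogonActivityTable.Columns.Add((New-Object system.Data.DataColumn $columnName, ([string]))) | Out-Null
}

# Host and time window to scan.  The original interactive prompts are kept as
# comments; under a scheduled task read-host would block with no console.
# $hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)"
$hostname = $env:computername

# NOTE(review): every trigger rescans the whole Security log from 1/1/2000.
# On a busy host this is slow and the mailed report grows without bound;
# narrowing the window (e.g. the last 24 hours) is the usual fix.
# $startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)"
# if ($startTmp.length -eq 0){$startTmp = "1/1/2000"}
$startDate = get-date "1/1/2000"

# $endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)"
# if ($endTmp.length -eq 0){$endTmp = get-date}
$endDate = get-date

# "Y" = report only failed logon attempts; anything else = full activity.
# $scope = read-host "Print only failed logins (Y/N, default N)"
$scope = "N"

# Output type: (T)able to $txtfile, (G)ridview, (H)TML to $htmlfile,
# anything else = the table object on the output stream.
# $output = read-host "Output Type ((T)able, (G)ridview, (H)TML, default List)"
$output = "H"

# Echo the selected parameters (only visible when run from a console).
write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"

# ---------------------------------------------------------------------------
# Collection
# ---------------------------------------------------------------------------

#######################################
# Appends one row to $LogonActivityTable.
# Globals:   $LogonActivityTable (written)
# Arguments: $when, $kind, $result, $account, $address - the five column values
#######################################
function Add-LogonRow {
    param($when, $kind, $result, $account, $address)
    $row = $LogonActivityTable.NewRow()
    $row.Date      = $when
    $row.Type      = $kind
    $row.Status    = $result
    $row.User      = $account
    $row.IPAddress = $address
    $LogonActivityTable.Rows.Add($row)
}

# Every Security event on the host within the window.  $null when there are
# none, which foreach below treats as an empty list.
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

# Positions in EventLogEntry.ReplacementStrings differ per event ID:
#   4624 (logon success):          [5] TargetUserName, [8]  LogonType, [18] IpAddress
#   4625 (logon failure):          [5] TargetUserName, [10] LogonType, [19] IpAddress
#   4647 (user-initiated logoff):  [1] TargetUserName
# LogonType 2 = Interactive (local console), 10 = RemoteInteractive (RDP).
# Other logon types (network, service, batch, ...) are deliberately ignored.
# ReplacementStrings are strings, so the -eq against an integer compares the
# text "2"/"10".
$onlyFailed = ($scope -match "Y")

foreach ($i in $log) {
    $fields = $i.ReplacementStrings

    if ($i.EventID -eq 4624) {
        # Successful logons are only reported in full mode.
        if (-not $onlyFailed) {
            if ($fields[8] -eq 2)  { Add-LogonRow $i.TimeGenerated "Logon - Local"  "Success" $fields[5] "" }
            if ($fields[8] -eq 10) { Add-LogonRow $i.TimeGenerated "Logon - Remote" "Success" $fields[5] $fields[18] }
        }
    }
    elseif ($i.EventID -eq 4625) {
        # Failed logons are reported in both modes.
        if ($fields[10] -eq 2)  { Add-LogonRow $i.TimeGenerated "Logon - Local"  "Failure" $fields[5] "" }
        if ($fields[10] -eq 10) { Add-LogonRow $i.TimeGenerated "Logon - Remote" "Failure" $fields[5] $fields[19] }
    }
    elseif ($i.EventID -eq 4647) {
        if (-not $onlyFailed) {
            Add-LogonRow $i.TimeGenerated "Logoff" "Success" $fields[1] ""
        }
    }
}

# ---------------------------------------------------------------------------
# Outputs
# ---------------------------------------------------------------------------

if ($output -match "T") {
    # Plain-text table
    $LogonActivityTable | Format-Table | Out-File $txtfile
}
elseif ($output -match "H") {
    # HTML with an inline stylesheet.  The stylesheet is passed via -Head so it
    # actually ends up in the document (it was previously built but unused).
    $style  = "<style>"
    $style += "BODY{background-color:#F2F2F2;}"
    $style += "TABLE{border-width: 1px;border-style: solid;border-color: black;}"
    $style += "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:#BDBDBD}"
    $style += "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:#D8D8D8}"
    $style += "</style>"
    $LogonActivityTable |
        Select-Object Date, Type, Status, User, IPAddress |
        ConvertTo-Html -Head $style |
        Out-File $htmlfile
}
elseif ($output -match "G") {
    # Interactive grid (needs a desktop session)
    $LogonActivityTable | Out-GridView -Title "Logon Activity"
}
else {
    # Default: emit the table object itself
    $LogonActivityTable
}

# ---------------------------------------------------------------------------
# Notification
# ---------------------------------------------------------------------------

#######################################
# Mails the HTML report written above.
# Globals:  $htmlfile (read)
# Outputs:  "Sending Email" on the console
#######################################
function sendMail {
    Write-Host "Sending Email"

    # SMTP server name - placeholder, must be filled in before use.
    $smtpServer = "必填 "

    # NOTE(review): SmtpClient is used without Credentials or EnableSsl, so the
    # mail (and the logon report in it) leaves the host unauthenticated and in
    # clear text unless the relay enforces otherwise.
    $msg  = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)

    $msg.From    = "xxx@xxx.com.tw"
    $msg.ReplyTo = "xxx@xxx.com.tw"
    $msg.To.Add("xxx@gmail.com")
    $msg.IsBodyHtml = $True
    $msg.Subject = "[Logon Notification] "

    # Get-Content yields one string per line; assigning that array straight to
    # Body would space-join the lines.  Out-String rejoins them with newlines.
    $msg.Body = Get-Content $htmlfile | Out-String

    $smtp.Send($msg)
}

sendMail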