事件識別碼 4624

附加工作到此紀錄檔中

輸入名稱 User Logon Email Notification





<!-- Custom trigger filter for the scheduled task: fires on Security event 4624 (successful logon)
     only when its LogonType data field is 10, i.e. a remote interactive (RDP) logon — the same
     "Remote (Logon Type 10)" case the script below reports. Local (type 2) logons do not trigger it. -->
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select></Query></QueryList> |

-WindowStyle Hidden C:\mis\logonactivity.ps1
# logonactivity.ps1
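# logonactivity.ps1
# Builds a table of logon/logoff events from the Security log, writes it as
# text/HTML/grid/list according to $output, then e-mails the HTML report.
# Run unattended by a scheduled task triggered on event 4624 / LogonType 10.
#
# Reconstruction notes: the published listing had lost its "$" sigils and "|"
# pipes; they are restored here. Fixes versus the listing: the HTML $style
# block was built but never passed to ConvertTo-Html (now -Head $style, and the
# HTML-escaped "&lt;style&gt;" literals are real <style> tags); the bare word
# "True" is now $true; the mail body is read via Out-String so it is one string
# instead of an array of lines; the five copies of the NewRow/assign/Rows.Add
# sequence are folded into Add-LogonRow.

# Variables
# Path for text / HTML file output.
# NOTE: the reports contain account names and source addresses and the task
# runs this script unattended — keep c:\mis writable only by administrators.
$txtfile  = "c:\mis\LogonActivity.txt"
$htmlfile = "c:\mis\LogonActivity.html"

# Table Creation
$LogonActivityTable = New-Object system.Data.DataTable "Logon/Logoff Activity"

# Create Columns
$date      = New-Object system.Data.DataColumn "Date",([string])
$type      = New-Object system.Data.DataColumn "Type",([string])
$status    = New-Object system.Data.DataColumn "Status",([string])
$user      = New-Object system.Data.DataColumn "User",([string])
$ipaddress = New-Object system.Data.DataColumn "IPAddress",([string])

# Add Columns to Table
$LogonActivityTable.columns.add($date)
$LogonActivityTable.columns.add($type)
$LogonActivityTable.columns.add($status)
$LogonActivityTable.columns.add($user)
$LogonActivityTable.columns.add($ipaddress)

# Appends one row (Date, Type, Status, User, IPAddress) to $LogonActivityTable.
# PowerShell functions must be defined before they are called, so it lives here.
function Add-LogonRow {
    param($Date, $Type, $Status, $User, $IPAddress)
    $row = $LogonActivityTable.NewRow()
    $row.date      = $Date
    $row.type      = $Type
    $row.status    = $Status
    $row.user      = $User
    $row.ipaddress = $IPAddress
    $LogonActivityTable.Rows.Add($row)
}

# Reads the hostname, sets to the local hostname if left blank
# $hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)"
$hostname = $env:computername

# Reads the start date, sets to 1/1/2000 if left blank
# $startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)"
# if ($startTmp.length -eq 0){$startTmp = "1/1/2000"}
# NOTE: with this fixed start date every triggered run re-reads the entire
# Security log and re-mails the full history; narrow it if the log is large.
$startDate = get-date "1/1/2000"

# Reads the end date, sets to the current date and time if left blank
# $endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)"
# if ($endTmp.length -eq 0){$endTmp = get-date}
$endDate = get-date

# Reads a Yes or No response to print only the failed login attempts, defaults to No
# $scope = read-host "Print only failed logins (Y/N, default N)"
$scope = "N"

# Reads a the requested output type
# $output = read-host "Output Type ((T)able, (G)ridview, (H)TML, default List)"
$output = "H"

# Writes a line with all the parameters selected for report
write-host "Hostname: " $hostname "`tStart: " $startDate "`tEnd: " $endDate "`tOnly Failed Logins: " $scope "`n"

# Store each event from the Security Log with the specificed dates and computer in an array
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

# ReplacementStrings indices used below:
#   4624: [5] TargetUserName, [8] LogonType, [18] IpAddress
#   4625: [5] TargetUserName, [10] LogonType, [19] IpAddress
#   4647: [1] TargetUserName
# LogonType 2 = local (interactive), 10 = remote (RemoteInteractive/RDP).

# Loop through each security event, print only failed login attempts
if ($scope -match "Y") {
    foreach ($i in $log) {
        # Logon Failure Events
        # Local
        if (($i.EventID -eq 4625) -and ($i.ReplacementStrings[10] -eq 2)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Local" -Status "Failure" -User $i.ReplacementStrings[5] -IPAddress ""
        }
        # Remote
        if (($i.EventID -eq 4625) -and ($i.ReplacementStrings[10] -eq 10)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Remote" -Status "Failure" -User $i.ReplacementStrings[5] -IPAddress $i.ReplacementStrings[19]
        }
    }
}
# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote
else {
    foreach ($i in $log) {
        # Logon Successful Events
        # Local (Logon Type 2)
        if (($i.EventID -eq 4624) -and ($i.ReplacementStrings[8] -eq 2)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Local" -Status "Success" -User $i.ReplacementStrings[5] -IPAddress ""
        }
        # Remote (Logon Type 10)
        if (($i.EventID -eq 4624) -and ($i.ReplacementStrings[8] -eq 10)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Remote" -Status "Success" -User $i.ReplacementStrings[5] -IPAddress $i.ReplacementStrings[18]
        }
        # Logon Failure Events
        # Local
        if (($i.EventID -eq 4625) -and ($i.ReplacementStrings[10] -eq 2)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Local" -Status "Failure" -User $i.ReplacementStrings[5] -IPAddress ""
        }
        # Remote
        if (($i.EventID -eq 4625) -and ($i.ReplacementStrings[10] -eq 10)) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logon - Remote" -Status "Failure" -User $i.ReplacementStrings[5] -IPAddress $i.ReplacementStrings[19]
        }
        # Logoff Events
        if ($i.EventID -eq 4647) {
            Add-LogonRow -Date $i.TimeGenerated -Type "Logoff" -Status "Success" -User $i.ReplacementStrings[1] -IPAddress ""
        }
    }
}

# Outputs
# Table
if ($output -match "T") {
    $LogonActivityTable | Format-Table | Out-File $txtfile
}
# HTML
elseif ($output -match "H") {
    # HTML Styles (static, author-controlled; event values are HTML-encoded by ConvertTo-Html)
    $style = "<style>"
    $style = $style + "BODY{background-color:#F2F2F2;}"
    $style = $style + "TABLE{border-width: 1px;border-style: solid;border-color: black;}"
    $style = $style + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:#BDBDBD}"
    $style = $style + "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:#D8D8D8}"
    $style = $style + "</style>"
    $LogonActivityTable | Select-Object Date, Type, Status, User, IPAddress | ConvertTo-html -Head $style | Out-File $htmlfile
    # Invoke-Expression $htmlfile
}
# Grid View
elseif ($output -match "G") {
    $LogonActivityTable | Out-GridView -Title "Logon Activity"
}
# Default output, returns the table object in list form by default
else {
    $LogonActivityTable
}

# Sends $htmlfile as an HTML e-mail through $smtpServer.
# NOTE: SmtpClient is used without credentials or EnableSsl, so this only
# suits an internal relay; the report leaves the host in clear text otherwise.
function sendMail {
    Write-Host "Sending Email"
    #SMTP server name (placeholder — must be filled in before use)
    $smtpServer = "必填 "
    #Creating a Mail object
    $msg = new-object Net.Mail.MailMessage
    #Creating SMTP server object
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    #Email structure
    $msg.From = "xxx@xxx.com.tw"
    $msg.ReplyTo = "xxx@xxx.com.tw"
    $msg.To.Add("xxx@gmail.com")
    $msg.IsBodyHtml = $true
    $msg.subject = "[Logon Notification] "
    # Out-String joins the file's lines into one string for the Body property.
    $msg.body = Get-Content $htmlfile | Out-String
    #Sending email
    $smtp.Send($msg)
}

#Calling function
sendMail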

