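# Authors: Ryan DeVries, Drew Bonasera, Scott Smith
# Rochester Institute of Technology - Computer System Forensics
# Modified to do single or all users, console or redirect to a file: David (Micro Thunder)
#
# Interactive logon/logoff report built from the Windows Security event log.
# Prompts for host, date range, user and scope, then writes one line per
# matching event:
#   4624  logon success   (account = ReplacementStrings[5], logon type = [8], IP = [18])
#   4625  logon failure   (account = ReplacementStrings[5], logon type = [10], IP = [19])
#   4647  user-initiated logoff (account = ReplacementStrings[1])
# Only Interactive (logon type 2) and RemoteInteractive (logon type 10) logons
# are reported; network (type 3), service, batch and unlock logons are not.
# Reading the Security log needs an elevated account (or Event Log Readers).
# Get-EventLog is a Windows PowerShell cmdlet and is not available in
# PowerShell 7+; Get-WinEvent -FilterHashtable is the equivalent there.

#######################################
# Returns $true when the event belongs to the requested user, or when the
# user filter is "All". Both TargetUserName ([5]) and SubjectUserName ([1])
# are compared, as in the original report.
#######################################
function Test-UserMatch {
    param($Event, [string]$User)
    if ($User -eq "All") { return $true }
    $rs = $Event.ReplacementStrings
    return (($rs[5] -eq $User) -or ($rs[1] -eq $User))
}

#######################################
# Prints a 4624 (logon success) event for logon types 2 and 10; other
# event IDs and logon types are ignored.
#######################################
function Write-SuccessEvent {
    param($Event)
    if ($Event.EventID -ne 4624) { return }
    $rs = $Event.ReplacementStrings
    # Local (Logon Type 2)
    if ($rs[8] -eq 2) {
        write-output ("Local Logon`t"+$Event.TimeGenerated +"`tSuccess`t "+$rs[5])
    }
    # Remote (Logon Type 10)
    elseif ($rs[8] -eq 10) {
        write-output ("Remote Logon`t "+$Event.TimeGenerated +"`tSuccess`t "+$rs[5] +"`tIP: "+$rs[18])
    }
}

#######################################
# Prints a 4625 (logon failure) event for logon types 2 and 10; other
# event IDs and logon types are ignored. Shared by both report modes so
# the failure lines are formatted identically.
#######################################
function Write-FailureEvent {
    param($Event)
    if ($Event.EventID -ne 4625) { return }
    $rs = $Event.ReplacementStrings
    # Local (Logon Type 2)
    if ($rs[10] -eq 2) {
        write-output ("Local Logon`t "+$Event.TimeGenerated +"`tFAILURE`t "+$rs[5])
    }
    # Remote (Logon Type 10)
    elseif ($rs[10] -eq 10) {
        write-output ("Remote Logon`t "+$Event.TimeGenerated +"`tFAILURE`t "+$rs[5] +"`tIP: "+$rs[19])
    }
}

#######################################
# Prints a 4647 (user-initiated logoff) event; other event IDs are ignored.
#######################################
function Write-LogoffEvent {
    param($Event)
    if ($Event.EventID -ne 4647) { return }
    write-output ("Logoff`t`t "+$Event.TimeGenerated +"`tSuccess`t "+$Event.ReplacementStrings[1])
}

# Variables
# Reads the hostname, sets to the local hostname if left blank
$hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)"
if ($hostname.Trim().Length -eq 0) { $hostname = $env:computername }

# Reads the start date, sets to 1/1/2000 if left blank.
# Get-Date parses the text with the current culture; with -ErrorAction Stop
# an unparseable date aborts the script instead of silently scanning from $null.
$startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)"
if ($startTmp.Trim().Length -eq 0) { $startTmp = "1/1/2000" }
try {
    $startDate = get-date $startTmp -ErrorAction Stop
} catch {
    write-error ("Invalid start date: " + $startTmp)
    exit 1
}

# Reads the end date, sets to the current date and time if left blank
$endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)"
if ($endTmp.Trim().Length -eq 0) {
    $endDate = get-date
} else {
    try {
        $endDate = get-date $endTmp -ErrorAction Stop
    } catch {
        write-error ("Invalid end date: " + $endTmp)
        exit 1
    }
}
if ($endDate -lt $startDate) {
    write-error "End date is earlier than start date"
    exit 1
}

# Reads a user name, defaults to all
$uname = read-host "UserName or ALL (Username, default all)"
if ($uname.Trim().Length -eq 0) { $uname = "All" }

# Reads a Yes or No response to print only the failed login attempts, defaults to No.
# Anchored so only an answer starting with Y/y selects failure-only mode;
# an unanchored -match "Y" would also accept input such as "maybe".
$scope = read-host "Print only failed logins (Y/N, default N)"
if ($scope.Trim().Length -eq 0) { $scope = "N" }
$onlyFailed = ($scope.Trim() -match '^y')   # -match is case-insensitive

# Writes a line with all the parameters selected for report
write-output ("Hostname: "+$hostname +"`tStart: "+$startDate +"`tEnd: "+$endDate +"`tUser: "+$uname +"`tOnly Failed Logins: "+$scope +"`n")

# Store each event from the Security Log with the specified dates and computer in an array.
# When no events match, Get-EventLog reports an error and $log stays empty,
# which simply yields an empty report.
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

# Loop through each security event. The user filter applies in both modes
# (the original applied it only to the full report, so failure-only mode
# ignored the user that was asked for).
foreach ($i in $log) {
    if (-not (Test-UserMatch $i $uname)) { continue }
    if ($onlyFailed) {
        Write-FailureEvent $i
    } else {
        # Full report: logon successes, logon failures and logoffs with type,
        # date/time, status, account name, and IP address if remote
        Write-SuccessEvent $i
        Write-FailureEvent $i
        Write-LogoffEvent $i
    }
}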