97 lines
3.1 KiB
PowerShell
97 lines
3.1 KiB
PowerShell
. (Join-Path $PSScriptRoot String-Helper.ps1)
|
|
. (Join-Path $PSScriptRoot Users.ps1)
|
|
|
|
<# ******************************
|
|
Function: get event logs from login and logouts
|
|
Input: time back to search
|
|
Output: Array of login/out objects
|
|
****************************** #>
|
|
function getLogInAndOffs($timeBack){
|
|
|
|
$loginouts = Get-EventLog system -source Microsoft-Windows-Winlogon -After (Get-Date).AddDays("-"+"$timeBack")
|
|
|
|
$loginoutsTable = @()
|
|
for($i=0; $i -lt $loginouts.Count; $i++){
|
|
|
|
$type = ""
|
|
if($loginouts[$i].InstanceID -eq 7001) {$type="Logon"}
|
|
if($loginouts[$i].InstanceID -eq 7002) {$type="Logoff"}
|
|
|
|
|
|
# Check if user exists first
|
|
$user = (New-Object System.Security.Principal.SecurityIdentifier `
|
|
$loginouts[$i].ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
|
|
|
|
$loginoutsTable += [pscustomobject]@{"Time" = $loginouts[$i].TimeGenerated; `
|
|
"Id" = $loginouts[$i].InstanceId; `
|
|
"Event" = $type; `
|
|
"User" = $user;
|
|
}
|
|
} # End of for
|
|
|
|
return $loginoutsTable
|
|
} # End of function getLogInAndOffs
|
|
|
|
|
|
|
|
|
|
<# ******************************
|
|
Function: get windows event logs for failed logins
|
|
Input: time to search back
|
|
Output: array of failed login objects
|
|
****************************** #>
|
|
function getFailedLogins($timeBack){
|
|
|
|
$failedlogins = Get-EventLog security -After (Get-Date).AddDays("-"+"$timeBack") | Where { $_.InstanceID -eq "4625" }
|
|
|
|
$failedloginsTable = @()
|
|
for($i=0; $i -lt $failedlogins.Count; $i++){
|
|
|
|
$account=""
|
|
$domain=""
|
|
|
|
$usrlines = getMatchingLines $failedlogins[$i].Message "*Account Name*"
|
|
$usr = $usrlines[1].Split(":")[1].trim()
|
|
|
|
$dmnlines = getMatchingLines $failedlogins[$i].Message "*Account Domain*"
|
|
$dmn = $dmnlines[1].Split(":")[1].trim()
|
|
|
|
$user = $dmn+"\"+$usr;
|
|
|
|
$failedloginsTable += [pscustomobject]@{"Time" = $failedlogins[$i].TimeGenerated; `
|
|
"Id" = $failedlogins[$i].InstanceId; `
|
|
"Event" = "Failed"; `
|
|
"User" = $user;
|
|
}
|
|
|
|
}
|
|
|
|
return $failedloginsTable
|
|
} # End of function getFailedLogins
|
|
|
|
|
|
|
|
<# ******************************************************
|
|
Functions: get at risk users, >10 failed logins in time frame
|
|
Input: time to search back
|
|
Output: array of users & numfailedlogin objects
|
|
********************************************************* #>
|
|
function getAtRiskUsers($timeBack){
|
|
$users = getEnabledUsers
|
|
$failedLogins = getFailedLogins $timeBack
|
|
|
|
$atRiskUsers = @()
|
|
|
|
for($i=0; $i -lt $users.Count; $i++){
|
|
$name = $users[$i].Name
|
|
$failCount = ($failedLogins | Where-Object { $_.User -ilike "*$name"} ).Count
|
|
if($failCount -ge 10){
|
|
$atRiskUsers += [pscustomobject]@{"User" = $name; `
|
|
"Failed Logins" = $failCount; }
|
|
}
|
|
|
|
}
|
|
|
|
return $atRiskUsers
|
|
|
|
}
|