Threaded EventLogSearcher for 4624 events
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Threading;
namespace EventLogSearcher
{
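class Program
{
    // First dotted quad anywhere in the event XML. For a 4624 record this is normally the
    // IpAddress data field, but nothing here checks which element it came from, and IPv6
    // source addresses (for example "::1") are not matched at all.
    private static readonly Regex IpAddressRegex =
        new Regex(@"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", RegexOptions.Compiled);

    // The TimeCreated SystemTime='...' attribute, whatever its length. The original pattern
    // ("SystemTime" followed by exactly 31 wildcards) depended on a fixed timestamp width
    // and cut the value off.
    private static readonly Regex SystemTimeRegex =
        new Regex(@"SystemTime='[^']*'", RegexOptions.Compiled);

    /// <summary>
    /// Entry point: queues one <see cref="Query"/> per host in the comma-separated host list
    /// onto the thread pool and blocks until every worker has finished.
    /// </summary>
    /// <param name="args">
    /// args[0] comma-separated host list; args[1] regex matched against each event's
    /// lower-cased XML; args[2] maximum number of matching records to print per host.
    /// </param>
    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.WriteLine("[-] Missing args");
            Console.WriteLine(" > EventLogSearcher <hostname-list> <username-regex> <max records to be returned>");
            Console.WriteLine(" > EventLogSearcher dc1,dc2,dc3 \"admin|admin2|admin3\" 5");
            // Without this return the usage text was followed by an IndexOutOfRangeException on args[0].
            return;
        }
        Console.WriteLine("[+] EventLog app executed successfully: args = " + args[0] + " " + args[1] + " " + args[2] + "\r\n");
        var strHostlist = args[0];
        var strSearchRegex = args[1];
        var strLimit = args[2];

        // Reject a malformed pattern once, up front, instead of once per host thread.
        try
        {
            new Regex(strSearchRegex);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("[-] Invalid search regex: " + e.Message);
            return;
        }

        // Drop blank entries so "dc1,,dc2", stray spaces or a trailing comma do not query host "".
        var hosts = new List<string>();
        foreach (var entry in strHostlist.Split(','))
        {
            var host = entry.Trim();
            if (host.Length > 0)
            {
                hosts.Add(host);
            }
        }
        if (hosts.Count == 0)
        {
            Console.WriteLine("[-] No hostnames given");
            return;
        }

        // WaitHandle.WaitAll accepts at most 64 handles, so the original one-ManualResetEvent-per-host
        // design threw NotSupportedException for longer host lists. CountdownEvent has no such ceiling.
        using (var pending = new CountdownEvent(hosts.Count))
        {
            foreach (var host in hosts)
            {
                var target = host;
                ThreadPool.QueueUserWorkItem(state =>
                {
                    try
                    {
                        Query(target, strLimit, strSearchRegex);
                    }
                    finally
                    {
                        // Signal even if Query throws so Main cannot wait forever.
                        pending.Signal();
                    }
                });
            }
            pending.Wait();
        }
    }

    /// <summary>
    /// Reads Security log EventID 4624 records from <paramref name="strHostname"/> and prints,
    /// for up to <paramref name="strLimit"/> records whose XML matches
    /// <paramref name="strSearchRegex"/>, the matched text, the first IPv4 address and the
    /// SystemTime found in that record. Every failure is reported on the console rather than
    /// thrown, because this runs on a thread-pool thread where an unhandled exception ends the process.
    /// </summary>
    /// <param name="strHostname">Host whose Security log is read; the session is opened with the caller's own credentials.</param>
    /// <param name="strLimit">Maximum number of matching records to print, as a decimal string.</param>
    /// <param name="strSearchRegex">Regex applied to the whole lower-cased event XML (not only the user field); its first match is printed as the user.</param>
    static void Query(string strHostname, string strLimit, string strSearchRegex)
    {
        int limit;
        if (!int.TryParse(strLimit, NumberStyles.Integer, CultureInfo.InvariantCulture, out limit))
        {
            // int.Parse used to run outside the try block, so a bad limit killed the worker
            // thread (and with it the process) instead of being reported.
            Console.WriteLine($"[-] {strHostname}: limit '{strLimit}' is not an integer");
            return;
        }

        Regex reg;
        try
        {
            // Compiled once per host rather than once per event record.
            reg = new Regex(strSearchRegex);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine($"[-] {strHostname}: invalid regex: {e.Message}");
            return;
        }

        int loopcount = 1;
        try
        {
            string query = "*[System/EventID=4624]";
            Console.WriteLine($"\n[+] Querying System/EventID=4624 on {strHostname} for regex: {strSearchRegex}");
            using (EventLogSession session = new EventLogSession(strHostname))
            {
                EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);
                eventsQuery.Session = session;
                try
                {
                    using (EventLogReader logReader = new EventLogReader(eventsQuery))
                    {
                        // ReadEvent() returns null once the log is exhausted. Each EventRecord is
                        // disposable; the original never released them.
                        for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                        {
                            using (eventdetail)
                            {
                                // Serialise once; the original called ToXml() three times per record.
                                string xml = eventdetail.ToXml();
                                Match match = reg.Match(xml.ToLowerInvariant());
                                if (!match.Success)
                                {
                                    continue;
                                }

                                Match matchregIPAddress = IpAddressRegex.Match(xml);
                                Match matchregSystemTime = SystemTimeRegex.Match(xml);
                                // A matching record with no IPv4 address (e.g. IpAddress='-' on a local
                                // logon) used to be dropped silently while still consuming the limit;
                                // print it with placeholders so the count and the output agree.
                                string ip = matchregIPAddress.Success ? matchregIPAddress.Value : "n/a";
                                string timestamp = matchregSystemTime.Success ? matchregSystemTime.Value : "SystemTime=n/a";
                                Console.WriteLine($" > User='{match.Value}' logged onto IpAddress='{ip}' at {timestamp}");

                                // limit counts matching records, not records scanned; limit <= 0 still prints one.
                                if (loopcount >= limit)
                                {
                                    break;
                                }
                                loopcount = loopcount + 1;
                            }
                        }
                    }
                }
                catch (EventLogNotFoundException e)
                {
                    // Host name is included because several hosts write to the console concurrently.
                    Console.WriteLine($"[-] {strHostname}: error while reading the event logs:");
                    Console.WriteLine(e.Message);
                    return;
                }
            }
        }
        catch (UnauthorizedAccessException e)
        {
            // Reading a remote Security log requires read rights on that host (typically
            // membership of its Event Log Readers group or local administrator rights).
            Console.WriteLine($"[-] {strHostname}: access denied: {e.Message}");
        }
        catch (Exception e)
        {
            Console.WriteLine($"[-] {strHostname}: {e.Message}");
        }
    }
}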
}