Threaded EventLogSearcher for 4624 events
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Threading;
namespace EventLogSearcher
{
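class Program
{
    // Set from args[3] in Main; when non-empty, every matching event is dumped as XML.
    // The original listing read and wrote this field without ever declaring it.
    private static string verbose;

    // Upper bound on how long the user-supplied pattern may run against one event's XML.
    // Without a timeout a pathological pattern (catastrophic backtracking) can pin a
    // worker thread for as long as the log is deep.
    private static readonly TimeSpan SearchRegexTimeout = TimeSpan.FromSeconds(5);

    // Field extractors for the rendered 4624 XML. The patterns are fixed, so they are
    // built once instead of once per matching record.
    private static readonly Regex TargetUserNamePattern = new Regex(@"(?<=TargetUserName'>)(.*?)(?=<\/Data>)");
    // First dotted quad anywhere in the XML — a heuristic, not tied to the IpAddress field.
    private static readonly Regex IpAddressPattern = new Regex(@"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b");
    private static readonly Regex SystemTimePattern = new Regex(@"(?<=SystemTime=')(.*?)(?='\/>)");
    private static readonly Regex LogonTypePattern = new Regex(@"(?<=LogonType'>)(.*?)(?=<\/Data>)");

    // Keeps one record's (possibly multi-line) output contiguous when several hosts
    // are printing at the same time.
    private static readonly object ConsoleGate = new object();

    /// <summary>
    /// Entry point: <c>EventLogSearcher &lt;host[,host...]&gt; &lt;regex&gt; &lt;max matches&gt; [verbose]</c>.
    /// Each host is queried on its own thread-pool thread; Main returns once every
    /// query has finished (successfully or not).
    /// </summary>
    /// <param name="args">Command-line arguments as described above.</param>
    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.WriteLine("[-] Missing args");
            Console.WriteLine(" > EventLogSearcher <hostname> <username-regex> <mac records to be returned> <verbose=1>");
            Console.WriteLine(" > EventLogSearcher dc1 \"admin|admin2|admin3\" 5");
            return; // the original fell through and then indexed args[0..2] anyway
        }
        if (args.Length == 4)
        {
            verbose = args[3];
            Console.WriteLine("[+] Verbose Mode Enabled");
        }
        else
        {
            verbose = null;
        }
        Console.WriteLine("[+] EventLog app executed successfully: args = " + args[0] + " " + args[1] + " " + args[2] + "\r\n");
        string strHostlist = args[0];
        string strSearchRegex = args[1];
        string strLimit = args[2];

        var pending = new List<ManualResetEvent>();
        foreach (string rawHost in strHostlist.Split(','))
        {
            string host = rawHost.Trim();
            if (host.Length == 0)
            {
                continue; // tolerate "dc1,,dc2" or a trailing comma instead of querying an empty name
            }
            var finished = new ManualResetEvent(false);
            pending.Add(finished);
            ThreadPool.QueueUserWorkItem(_ =>
            {
                try
                {
                    Query(host, strLimit, strSearchRegex);
                }
                finally
                {
                    finished.Set(); // must fire even if Query throws, or the wait below never ends
                }
            });
        }

        // Waiting on each handle in turn is equivalent to WaitAll but avoids its
        // 64-handle cap and its ArgumentException on an empty list.
        foreach (ManualResetEvent handle in pending)
        {
            handle.WaitOne();
        }
    }

    /// <summary>
    /// Reads Security/EventID 4624 (successful logon) events newest-first from
    /// <paramref name="strHostname"/>, prints every record whose XML matches
    /// <paramref name="strSearchRegex"/> and stops after <paramref name="strLimit"/>
    /// matches. All failures are reported on the console; nothing is thrown to the caller.
    /// Reading a remote Security log typically requires Event Log Readers membership or
    /// administrative rights on the target; a missing right surfaces as a per-host error.
    /// </summary>
    /// <param name="strHostname">Host whose Security log is queried.</param>
    /// <param name="strLimit">Maximum number of matching records to print, as a decimal string.</param>
    /// <param name="strSearchRegex">.NET regex matched against the lower-cased event XML.</param>
    static void Query(string strHostname, string strLimit, string strSearchRegex)
    {
        int limit;
        if (!int.TryParse(strLimit, NumberStyles.Integer, CultureInfo.InvariantCulture, out limit))
        {
            // This runs on a pool thread; an unhandled parse exception here would take
            // the whole process down, so report it and give up on this host only.
            Console.WriteLine($"[-] {strHostname}: record limit '{strLimit}' is not an integer");
            return;
        }

        int matched = 0;
        try
        {
            // Compiled once per host rather than once per event, with a match timeout
            // because the pattern comes from the command line.
            Regex searchRegex = new Regex(strSearchRegex, RegexOptions.None, SearchRegexTimeout);
            string query = "*[System/EventID=4624]";
            Console.WriteLine($"\n[+] Querying System/EventID=4624 on {strHostname} for regex: {strSearchRegex}");
            using (EventLogSession session = new EventLogSession(strHostname))
            {
                EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);
                eventsQuery.ReverseDirection = true; // newest first, so the limit keeps the most recent matches
                eventsQuery.Session = session;
                try
                {
                    using (EventLogReader logReader = new EventLogReader(eventsQuery))
                    {
                        for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                        {
                            using (eventdetail) // each record wraps a native handle
                            {
                                string xml = eventdetail.ToXml();
                                // The user pattern is matched against lower-cased XML (so callers
                                // pass lower-case patterns); field extraction uses the raw XML.
                                Match match = searchRegex.Match(xml.ToLowerInvariant());
                                if (!match.Success)
                                {
                                    continue;
                                }
                                PrintMatch(xml, match);
                                matched++;
                                if (matched >= limit)
                                {
                                    break; // a limit <= 0 therefore still yields one record, as before
                                }
                            }
                        }
                    }
                }
                catch (EventLogNotFoundException e)
                {
                    Console.WriteLine("[-] Error while reading the event logs:");
                    Console.WriteLine(e.Message);
                    return;
                }
            }
        }
        catch (Exception e)
        {
            // Covers an invalid pattern (ArgumentException), a regex timeout, and
            // RPC/access failures against the remote host. Prefixed with the host so the
            // message is attributable when several hosts run concurrently.
            Console.WriteLine($"[-] {strHostname}: {e.Message}");
        }
    }

    /// <summary>
    /// Prints one matching record: the full XML when verbose mode is on, then a one-line
    /// summary if both an address and a timestamp could be extracted from the XML.
    /// </summary>
    /// <param name="xml">Raw event XML as returned by <c>EventRecord.ToXml()</c>.</param>
    /// <param name="match">The user-pattern match that selected this record.</param>
    private static void PrintMatch(string xml, Match match)
    {
        Match logonType = LogonTypePattern.Match(xml);
        Match targetUser = TargetUserNamePattern.Match(xml);
        Match ipAddress = IpAddressPattern.Match(xml);
        Match systemTime = SystemTimePattern.Match(xml);
        lock (ConsoleGate)
        {
            if (!String.IsNullOrEmpty(verbose))
            {
                Console.WriteLine(xml.Replace("<Data ", "\n<Data "));
            }
            if (ipAddress.Success && systemTime.Success)
            {
                Console.WriteLine($" > RegexSearch='{match.Value}' User='{targetUser.Value}' LogonType={logonType.Value} logged onto IpAddress='{ipAddress.Value}' at {systemTime.Value}'");
            }
        }
    }
}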
}