Skip to content

Instantly share code, notes, and snippets.

@forkwhilefork
Last active August 3, 2022 20:25
Show Gist options
  • Save forkwhilefork/6d62f4830d8c4f1385ef6fd3e02b0547 to your computer and use it in GitHub Desktop.
Save forkwhilefork/6d62f4830d8c4f1385ef6fd3e02b0547 to your computer and use it in GitHub Desktop.
This scripts listens for RDP login events and then sends an SMS message with the public IP of the computer that logged in.
# this script only works while the console you run it in is still open,
# so I made a scheduled task that starts on system startup and runs as SYSTEM.
# the only think you have to do that's a little weird is with the action:
# program: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# arguments: -NoExit "C:\path\to\file\login-listener.ps1"
# this object will generate an event any time there's a new entry in the event viewer
# those are two different contextual meanings of the word "event" btw
$EventWatcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
# gotta enable it for some reason - it doesn't work otherwise
$EventWatcher.Enabled = $True
# define the action that is done when we get an event
$action = {
# the event we're looking for is number 131
if ($event.SourceEventArgs.EventRecord.Id -eq 131) {
function Send-SMS
(
[Parameter(Mandatory=$true)][String]$To,
[Parameter(Mandatory=$true)][String]$Message
)
{
# Set in Twilio account info
$sid = "TWILIO_ACCOUNT_SID"
$token = "TWILIO_AUTH_TOKEN"
$from = "NUMBER_TO_SEND_FROM" # should be in E.164 format
# Twilio API endpoint and POST params
$url = "https://api.twilio.com/2010-04-01/Accounts/$sid/Messages.json"
$params = @{ To = $To; From = $from; Body = $Message }
# Create a credential object for HTTP basic auth
$p = $token | ConvertTo-SecureString -asPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($sid, $p)
# Make API request, selecting JSON properties from response
Invoke-WebRequest $url -Method Post -Credential $credential -Body $params -UseBasicParsing |
ConvertFrom-Json | Select *
}
# the value in the event log is the IP and port, so we need to extract the IP so we can do a reverse DNS lookup
# this will not work for IPv6 since we're splitting on ":"
$IP = $myevent.SourceEventArgs.EventRecord.Properties[1].Value.Split("{:}")[0]
# try to get reverse DNS but don't fail if we can't
try
{
# for some reason this step was really slow (2+ seconds) on my computer unless I hardcoded the DNS server
# that could just be an issue for me, I didn't really feel like delving into it
$reverse = Resolve-DnsName $IP -Server 1.1.1.1
}
catch
{
$reverse = $False
}
if ($reverse) {
$output = "New RDP connection to YOUR_SERVER_NAME_HERE from " + $IP + " (" + $reverse.NameHost + ")."
} else {
$output = "New RDP connection to YOUR_SERVER_NAME_HERE from " + $IP + "."
}
# if you want to send messages to more than one number, just duplicate the following line
Send-SMS -To "DESTINATION_NUMBER_HERE" -Message $output # "To" number should be in E.164 format
}
}
# finally, watch the object we defined at the beginning for "EventRecordWritten" events and execute $action when we get one
Register-ObjectEvent $EventWatcher EventRecordWritten -SourceIdentifier CheckEventRecordWritten1 -Action $action
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment