Filter event ID 4760 - Kerberos se
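<#
This gist illustrates collecting event ID 4769 (auditing of Kerberos service tickets),
placing these into a PSObject so they can be further analysed and filtered.
Advanced auditing policies need to be enabled for this event ID to be recorded in the Security log,
specifically: Account Logon -> Audit Kerberos Service Ticket Operations.
Reading the Security log requires an elevated session (or membership of the Event Log Readers group);
without it Get-WinEvent reports an access error rather than returning events.
#>
$maxEventsToFetch = 100
$eventId = 4769

# XPath filter for the Security log. The event id is an integer constant set above,
# not user input, so building the query string here does not create an injection risk.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=$eventId)]]</Select>
  </Query>
</QueryList>
"@

try {
    # -ErrorAction Stop turns the "no events found" and access-denied errors into a
    # catchable exception instead of letting the script continue with $null.
    $4769events = @(Get-WinEvent -FilterXml $filterXml -MaxEvents $maxEventsToFetch -ErrorAction Stop)
}
catch {
    Write-Warning "Could not read event ID $eventId from the Security log: $($_.Exception.Message)"
    $4769events = @()
}

# Collect the objects from the loop output rather than appending with '+=' in the loop
# (array += copies the whole array on every iteration).
$results = @(foreach ($logentry in $4769events) {
    # extract the event data in XML form, this allows easier parsing of the message contents
    $eventData = ([xml]$logentry.ToXml()).event.eventdata.data

    # convert the event data XML to a hashtable (Name -> #text)
    $hashtable = @{}
    foreach ($item in $eventData) { $hashtable[$item.Name] = $item.'#text' }

    # add the time created from the log header
    $hashtable['TimeCreated'] = $logentry.TimeCreated

    # emit as a PS object with a fixed column order.
    # TicketEncryptionType (0x17 = RC4-HMAC) and TicketOptions are the fields usually
    # reviewed first when deciding which service ticket requests warrant a closer look.
    [PSCustomObject]$hashtable |
        Select-Object TimeCreated, TargetUserName, TargetDomainName, ServiceName, TicketOptions,
            TicketEncryptionType, IPAddress, IPPort, Status, TransmittedServices
})

$results | Format-Table -AutoSize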