<#
Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None
#>
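function Invoke-PtHDetection
{
<#
.SYNOPSIS
Returns Security log logon events (4624/4625) whose field values are consistent with a
Pass-the-Hash (PtH) logon. Credit to @HackingDave for the detection technique.
Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Reads event IDs 4624 (successful logon) and 4625 (failed logon) from the Security log and
emits those where LogonType is 3 (network), LogonProcessName is NtLmSsp and KeyLength is 0.

This combination is a heuristic, not proof of PtH: legitimate NTLM network logons (for example
from non-Windows or non-domain hosts, or null-session / ANONYMOUS LOGON activity) can carry the
same three values. Treat the output as leads to triage (check TargetUserName, WorkstationName and
IpAddress on each record), not as confirmed compromise.

Reading the Security log requires Administrator rights or membership in Event Log Readers.
.PARAMETER StartTime
Optional. Only events logged at or after this time are examined. Defaults to the whole log.
.PARAMETER ComputerName
Optional. Remote computer whose Security log is queried instead of the local one.
.EXAMPLE
Invoke-PtHDetection
.EXAMPLE
Invoke-PtHDetection -StartTime (Get-Date).AddDays(-1) | Select-Object TimeCreated, Id, Message
.OUTPUTS
System.Diagnostics.Eventing.Reader.EventLogRecord, one per matching event. Nothing is emitted
when no event matches.
#>
[CmdletBinding()]
param
(
    [Parameter(Mandatory = $false)]
    [datetime]$StartTime,

    [Parameter(Mandatory = $false)]
    [string]$ComputerName
)

    $filter = @{ LogName = 'Security'; Id = 4624, 4625 }
    if ($PSBoundParameters.ContainsKey('StartTime')) {
        $filter['StartTime'] = $StartTime
    }

    $queryArgs = @{ FilterHashtable = $filter; ErrorAction = 'Stop' }
    if ($ComputerName) {
        $queryArgs['ComputerName'] = $ComputerName
    }

    # Get-WinEvent reports "no events found" as an error rather than an empty result. For a
    # detection sweep an empty log is a valid (quiet) outcome, so only that specific error is
    # swallowed; anything else (access denied, RPC failure, bad log name) is still surfaced.
    try {
        $records = Get-WinEvent @queryArgs
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            return
        }
        throw
    }

    # Note: $record is used instead of $event because $event is a PowerShell automatic variable.
    foreach ($record in $records) {
        # Resolve EventData fields by their Name attribute rather than by position. 4624 and 4625
        # lay out their Data elements differently (4625 carries Status/FailureReason/SubStatus
        # ahead of LogonType), so a fixed index reads the wrong field for one of the two IDs.
        $fields = @{}
        foreach ($data in ([xml]$record.ToXml()).Event.EventData.Data) {
            if ($data.Name) {
                $fields[$data.Name] = $data.'#text'
            }
        }

        $logonType = $fields['LogonType']
        # LogonProcessName is frequently padded with trailing whitespace in the event XML
        # ("NtLmSsp "), so trim before comparing; -eq is case-insensitive in PowerShell.
        $logonProcess = if ($null -ne $fields['LogonProcessName']) { ([string]$fields['LogonProcessName']).Trim() } else { $null }
        $keyLength = $fields['KeyLength']

        # Network logon, authenticated by the NTLM SSP, with no session key negotiated.
        if ($logonType -eq 3 -and $logonProcess -eq 'NtLmSsp' -and $keyLength -eq 0) {
            $record
        }
    }
}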