# Script parameters. None is typed, so values are bound as given by the caller.
param(
[Parameter()]
# Path to the exported/archived EVTX file to analyze (required; checked below).
$LogPath,
# Upper bound handed to Get-WinEvent -MaxEvents for both filtered logs.
$MaxEvents=1000000000,
# Minimum number of EventID 411 records an account needs to appear in the per-user report.
$UserAuthsThreshold=5,
# Minimum number of EventID 411 records a source IP needs to appear in the per-IP report.
$IPAuthsThreshold=20,
# When true, also write Logins.csv and IPreport.csv to the current directory.
$CreateCSV=$True
)
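#Project DREW
# Argument validation. `return` ends the script here; the original `break` is
# not loop-bound at script level and can instead terminate a loop in a calling
# script (e.g. one iterating over several archives), silently skipping the rest.
if (-not ($LogPath)) { "Please specify an EVTX archive to analyze"; return }
# -LiteralPath: the path is later passed verbatim to wevtutil, so wildcard
# expansion in the existence check would only give a misleading "found".
if (-not (Test-Path -LiteralPath $LogPath)) { "File $LogPath not found"; return }
#Archive file to read
#Temporary files
# Filtered copies of the archive are written here with fixed names, relative to
# the current directory, and overwritten on every run (wevtutil /overwrite:true).
# The script does not delete them afterwards, so the extracted 411/500 records
# stay on disk in the working directory until removed manually.
$Temp411=".\Temp411.evtx"
$Temp500=".\Temp500.evtx"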
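Function DedupIPs ($IPArray, $ExcludeIPs = $MicrosoftIPs) {
    # Emits the distinct values of $IPArray, sorted, minus anything listed in $ExcludeIPs.
    #   $IPArray    - strings; $null or empty input emits nothing.
    #   $ExcludeIPs - optional exclusion list. Defaults to $MicrosoftIPs from the
    #                 enclosing scope, which is unset while the line below stays
    #                 commented out, so by default nothing is excluded (same as before).
    # Output: one string per surviving value, in Sort-Object order.
    #
    # Excluding "known-good" source addresses from an authentication-failure
    # report also hides anyone who reaches ADFS through those same ranges; leave
    # the list empty unless every entry has been verified for this environment.
    #$MicrosoftIPs="40.97.176.229","52.96.19.45"
    # Values are compared as-is (no trimming): " 1.2.3.4" and "1.2.3.4" would both survive.
    $distinct = @($IPArray | Sort-Object -Unique)
    foreach ($ip in $distinct) {
        if ($ExcludeIPs -notcontains $ip) {
            $ip
        }
    }
}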
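Function ExpandForCSV ($object) {
    # Flattens collection-valued NoteProperties in place so Export-Csv writes
    # their elements ("a, b") instead of the type name "System.Object[]".
    #   $object - one PSObject or a collection of them; mutated in place and returned.
    # Output: $object itself (unchanged reference), or nothing for empty/$null input.
    #
    # Fixes two edge cases of the previous version: an empty input no longer
    # raises Get-Member's "No object has been specified" error, and a property
    # holding exactly one element (or none) is now joined too, since the old
    # ".count -gt 1" test left such arrays to be exported as "System.Object[]".
    $items = @($object)
    if ($items.Count -eq 0) { return }
    # Only NoteProperty members are touched, matching the original scope; for a
    # mixed collection this is the union of member names across all items.
    $propNames = @($items | Get-Member -MemberType NoteProperty |
        Select-Object -ExpandProperty Name | Sort-Object -Unique)
    foreach ($item in $items) {
        foreach ($propName in $propNames) {
            $value = $item.$propName
            # Strings are IEnumerable but not ICollection, so they are left alone;
            # arrays and other collections are joined.
            if ($value -is [System.Collections.ICollection]) {
                $item.$propName = $value -join ", "
            }
        }
    }
    $object
}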
# Main flow: export the two event IDs of interest into the temp files, load them,
# then build a per-user view (411 failures, joined with the latest 500) and a
# per-IP view. Progress goes to the warning stream; results to stdout and CSV.
write-warning "$(get-date) Creating Filtered logs ..."
# /lf:true reads $LogPath as a log file (not a channel); the XPath keeps only the
# named EventID; /overwrite:true replaces any existing temp file of that name.
wevtutil epl /lf:true $LogPath $Temp411 /q:"Event[System[(EventID=411)]]" /overwrite:true
wevtutil epl /lf:true $LogPath $Temp500 /q:"Event[System[(EventID=500)]]" /overwrite:true
write-warning "$(get-date) Loading Event data (may take a while) ..."
# 411 records drive the failure counts; 500 records are only consulted for
# LastSuccessfulLogin further down.
$data=Get-WinEvent -Path $Temp411 -MaxEvents $MaxEvents
$data500=Get-WinEvent -Path $Temp500 -MaxEvents $MaxEvents
write-warning "$(get-date) Analyzing Data...."
# One flat record per 411 event. "+=" rebuilds the array on every append, so this
# loop is quadratic in the number of events (MaxEvents defaults to 1e9).
$EntryInfo=@()
$data | foreach {
# Properties[2] is split on the first "-": left part is taken as the account,
# right part as the error text. NOTE(review): an account name containing "-"
# would be truncated here and its remainder misread as ErrorMsg — confirm against
# the actual Properties[2] layout of these events.
$username=($_.Properties[2].value -split "-")[0]
$EntryInfo += new-object PSObject -property ([ordered]@{
"Username" = $username
# Last property split on ","; elements are not trimmed, so a space after the
# separator would make the same address dedupe as two values — TODO confirm format.
"IPs" = $_.Properties[-1].value -split ","
"ErrorMsg" = ($_.Properties[2].value -split "-")[1]
"Endpoint" = $_.Properties[1].value
"CorrelationID" = $_.Properties[0].value
"Server" = $_.MachineName
"TimeCreated" = $_.TimeCreated
"RecordID" = $_.RecordID
}) #new-object
}
# -1 asks Format-* to print every element of a collection instead of truncating.
# NOTE(review): this is assigned at script scope; if the FL output below still
# truncates, the formatter may only honor $global:FormatEnumerationLimit — verify.
$FormatEnumerationLimit=-1
# By user
# Accounts with at least $UserAuthsThreshold 411 records, most frequent first.
$Report=$EntryInfo | Group-Object -Property Username | Sort-Object Count -Descending | Where Count -ge $UserAuthsThreshold
# Distinct source IPs and the failure timestamps for each grouped account.
$Report | % { $_ | Add-Member -Name IPs -Value (DedupIPs -IPArray ($_.Group).IPs) -MemberType NoteProperty }
$Report | % { $_ | Add-Member -Name TimeCreated -Value ($_.Group).TimeCreated -MemberType NoteProperty }
# Newest 500 record whose Properties[2] account (same split as above) matches the
# group name; $null when the account has no 500 record. $Username/$CheckLogin are
# assigned inside the ForEach-Object block and remain visible afterwards.
$Report | % { $_ | Add-Member -Name LastSuccessfulLogin -Value ($($Username=$_.name;$CheckLogin=($data500 | where { ($_.Properties[2].value -split "-")[0] -eq $Username }); if ($CheckLogin) { ($CheckLogin | Sort-Object TimeCreated -Descending)[0].TimeCreated } )) -MemberType NoteProperty }
$Report | FL Name,Count,IPs,TimeCreated,LastSuccessfulLogin
# Written to the current directory; the file holds account names and source IPs.
if ($CreateCSV) {
ExpandForCSV ($Report) | Select Name,Count,IPs,TimeCreated,LastSuccessfulLogin | export-csv Logins.csv -NoTypeInformation
Write-Warning "Created Logins.csv"
}
# Accounts over the failure threshold that ALSO have a later-looked-up 500
# record: the ones to triage first, since a success followed a run of failures.
Write-Warning "Accounts of Interest: "
$Report |where LastSuccessfulLogin -ne $null| FL Name,Count,IPs,TimeCreated,LastSuccessfulLogin
#By IP
Write-Warning "IPs of Interest: "
# Distinct source IPs across all 411 records, then one summary row per IP.
# Each IP rescans $EntryInfo, so this section is O(IPs x events).
$UniqueIPs= DedupIPs -IPArray $EntryInfo.IPs
$IPInfo=@()
$UniqueIPs | foreach {
$IPMatch=($EntryInfo | where IPs -contains $_)
$IPInfo+= new-object PSObject -property ([ordered]@{
"IP" = $_
"Users" = $IPMatch.UserName | Sort-Object -Unique
"Count" = $IPMatch.count
"Server" = $IPMatch.Server | Sort-Object -Unique
}) #new-object
}
# Ascending by count here, unlike the per-user report.
$IPInfo | where Count -ge $IPAuthsThreshold | Sort-Object Count | Select IP,Count,Users
if ($CreateCSV) {
ExpandForCSV ($IPInfo | where Count -ge $IPAuthsThreshold | Sort-Object Count) | Select IP,Server,Users,Count | export-csv IPreport.csv -NoTypeInformation
# The file is written as "IPreport.csv"; the message below differs only in case,
# which matters on case-sensitive filesystems.
Write-Warning "Created IPReport.csv"
}