# Authors: Ryan DeVries, Drew Bonasera, Scott Smith
# Rochester Institute of Technology - Computer System Forensics
# Variables
# Reads the hostname, sets to the local hostname if left blank
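Clear-Host

# --- Parameters -------------------------------------------------------------
# Target host; an empty answer means the local machine. The value is bound to
# Get-EventLog -ComputerName as a parameter, never spliced into a command
# string, so unusual characters in the answer cannot change what is executed.
$hostname = read-host "Escribe la IP o hostname del equipo a escanear (En blanco para local)"
if ($hostname.length -eq 0){$hostname = $env:computername}

# Start of the search window, default 1/1/2000.
# NOTE(review): Get-Date parses free text with the *current* culture, so the
# DD/MM/YYYY promised by the prompt is only honoured on day-first locales; on a
# month-first (en-US) host "03/04/2021" is read as March 4th, not April 3rd.
# An unambiguous form such as yyyy-MM-dd avoids the problem. Unparseable input
# raises a terminating error here, which is the desired outcome.
$startTmp = read-host "Fecha de inicio de busqueda (DD/MM/YYYY, default 1/1/2000)"
if ($startTmp.length -eq 0){$startTmp = "1/1/2000"}
$startFecha = get-date $startTmp

# End of the search window, default "now". Same culture caveat as above.
$endTmp = read-host "Fecha de fin de busqueda (DD/MM/YYYY, default current time)"
if ($endTmp.length -eq 0){$endTmp = get-date}
$endDate = get-date $endTmp

# Failures-only mode. Only an answer that *starts* with Y/y enables it. The
# previous test was `-match "Y"`, an unanchored, case-insensitive regex, so any
# answer merely containing a "y" ("nay", "hoy no") silently switched modes.
$scope = read-host "¿Imprimir solo ACCESOS FALLIDOS? (Y/N, default N)"
if ($scope.length -eq 0){$scope = "N"}
$failedOnly = ($scope.Trim() -match '^[Yy]')

# Echo the chosen parameters at the top of the report.
write-host "Equipo: "$hostname "`tDesde: "$startFecha "`tHasta: "$endDate "`tSolo inicios fallidos: "$scope "`n"

# --- Event retrieval --------------------------------------------------------
# Get-EventLog reads the classic Security log; against a remote host this needs
# administrative rights there and the Remote Event Log (RPC) service reachable.
# -ErrorAction Stop matters: by default an access-denied or RPC error is
# non-terminating, $log is left empty and the script ends with a blank report
# that is indistinguishable from "no logons in this window".
# NOTE(review): Get-EventLog exists only in Windows PowerShell (5.1 and earlier);
# on PowerShell 7 this needs Get-WinEvent -FilterHashtable, whose events expose
# .Properties[n].Value instead of ReplacementStrings.
try {
    $log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startFecha -before $endDate -ErrorAction Stop
} catch {
    write-host "No se pudo leer el registro de seguridad de ${hostname}: $($_.Exception.Message)" -foregroundcolor "red"
    exit 1
}

# --- Report -----------------------------------------------------------------
# Positional ReplacementStrings fields this script relies on (verify them on the
# target OS build before trusting a different index):
#   4624 (logon OK):     [5] account, [8]  logon type, [18] source IP
#   4625 (logon failed): [5] account, [10] logon type, [19] source IP
#   4647 (user logoff):  [1] account
# Logon types reported: 2 = Interactive (console), 10 = RemoteInteractive (RDP).
# Other types - notably 3, network - are not listed, so a failures-only run is
# not a complete picture of authentication failures against the host.
# ReplacementStrings are strings; PowerShell converts the integer literal on the
# right of -eq to a string, so `-eq 2` matches the text "2".
if ($failedOnly) {
    # Failed logons only, in red.
    foreach ($i in $log){
        if ($i.EventID -ne 4625) { continue }
        $logonType = $i.ReplacementStrings[10]
        # Local
        if ($logonType -eq 2){
            write-host "Tipo:Inicio Local`tFecha:"$i.TimeGenerated "`tEstado:Fallido`tUsuario:"$i.ReplacementStrings[5] -foregroundcolor "red"
        }
        # Remote
        if ($logonType -eq 10){
            write-host "Tipo:Inicio Remoto`tFecha:"$i.TimeGenerated "`tEstado:Fallido`tUsuario:"$i.ReplacementStrings[5] "`tDireccion IP:"$i.ReplacementStrings[19] -foregroundcolor "red"
        }
    }
}
else {
    # All logons, failures and logoffs with type, time, status, account and
    # (for remote logons) source IP.
    foreach ($i in $log){
        # Skip the Desktop Window Manager's DWM-* accounts, whose own session
        # logons would otherwise clutter the listing. For 4647 events index 5
        # is past the end of the array and reads as $null, so logoffs are never
        # dropped by this test (same behaviour as before).
        if ($i.ReplacementStrings[5] -like 'DWM*') { continue }
        $eventId = $i.EventID
        if ($eventId -eq 4624){
            # Logon Successful Events
            $logonType = $i.ReplacementStrings[8]
            # Local (Logon Tipo 2)
            if ($logonType -eq 2){
                write-host "Tipo:Acceso Local`tFecha:"$i.TimeGenerated "`tEstado:Correcto`t`tUsuario:"$i.ReplacementStrings[5]
            }
            # Remote (Logon Tipo 10)
            if ($logonType -eq 10){
                write-host "Tipo:Inicio Remoto`tFecha:"$i.TimeGenerated "`tEstado:Correcto`t`tUsuario:"$i.ReplacementStrings[5] "`tIP Address:"$i.ReplacementStrings[18]
            }
        }
        elseif ($eventId -eq 4625){
            # Logon Failure Events, marked red
            $logonType = $i.ReplacementStrings[10]
            # Local
            if ($logonType -eq 2){
                write-host "Tipo:Acceso Local`tFecha:"$i.TimeGenerated "`tEstado:Fallido`t`tUsuario:"$i.ReplacementStrings[5] -foregroundcolor "red"
            }
            # Remote
            if ($logonType -eq 10){
                write-host "Tipo:Acceso Remoto`tFecha:"$i.TimeGenerated "`tEstado:Fallido`t`tUsuario:"$i.ReplacementStrings[5] "`tIP Address:"$i.ReplacementStrings[19] -foregroundcolor "red"
            }
        }
        elseif ($eventId -eq 4647){
            # Logoff Events
            write-host "Tipo:Desconexion`tFecha:"$i.TimeGenerated "`tEstado:Correcto`t`tUsuario:"$i.ReplacementStrings[1]
        }
    }
}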
Un saludo