Advanced Windows PowerShell Scripting Video Training

Wednesday, January 10, 2018

Getting Hacked in Security+

This week we had a little surprise while working on the auditing component of our Security+ class here in North Carolina. The labs this week are built in Azure, and I gave each VM a public IP address. On Wednesday afternoon, with the VMs online since Monday, we took a look at the failed logon attempts. We got a big surprise: over 11,000 bad logon attempts.

We then started the second set of VMs fresh. It took about 10 minutes until we started to see attempts to access those VMs. If this does not tell you we operate in a hostile environment, nothing will. Here is the PowerShell code we used, and the results from systems that had been online for 10 minutes.

# Event ID 4625 = "An account failed to log on". The indices below pick lines out of the
# rendered English message text, so they depend on that message layout: line 12 is the
# target Account Name, line 13 the Account Domain, line 26 the Source Network Address.
Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}}

TimeGenerated        AccountName   Domain Source       
-------------        -----------   ------ ------       
1/10/2018 6:23:36 PM administrator adatum 12.220.254.194
1/10/2018 6:20:09 PM Administrator Adatum -            
1/10/2018 6:20:09 PM Administrator Adatum -            
1/10/2018 6:13:07 PM ADMINISTRATOR        208.110.81.186
1/10/2018 6:12:52 PM ADMINISTRATOR        86.109.122.130
1/10/2018 6:08:53 PM -             -      -            
1/10/2018 6:08:53 PM -             -      -            
1/10/2018 6:05:54 PM Administrator Adatum -            
1/10/2018 6:05:54 PM Administrator Adatum -            
1/10/2018 2:37:23 PM Administrator Adatum -            
1/10/2018 2:37:23 PM Administrator Adatum -  

Let’s find out how many bad logon attempts there were.

# Same parsing as above; Measure-Object then reports the number of 4625 events in Count
Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}} |
    Measure-Object

Count    : 13486
Average  :
Sum      :
Maximum  :
Minimum  :
Property : 


Here is the code to produce a list of all attempted user names.

# Same parsing as above, then keep one entry per distinct AccountName and sort them
# (note that Select-Object -Unique compares case-sensitively)
Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}} |
    Select-Object -Property AccountName -Unique |
    Sort-Object -Property AccountName


There were 2137 distinct user names as of the writing of this article.
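A sturdier version of the same report, added here as an example and not part of the original post: it reads the same 4625 events with Get-WinEvent and pulls the fields out of the event XML by name (TargetUserName, TargetDomainName, IpAddress) instead of by line number in the rendered message, so it keeps working when the message layout or display language changes, and it summarizes attempts per source address and per user name. It assumes an elevated session on the same Security log; the -MaxEvents cap is an assumption.

```powershell
# Added example (not the original post's code): parse 4625 events from the event XML
# rather than the rendered message text, then summarize. Assumes an elevated session.

function Get-FailedLogon {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 20000   # assumption: cap so a busy log does not take forever
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData/Data elements carry a Name attribute, so fields are looked up by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                AccountName = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                Source      = $data['IpAddress']       # '-' when no network address was recorded
                LogonType   = [int]$data['LogonType']  # 3 = network, 10 = remote interactive (RDP)
                SubStatus   = $data['SubStatus']       # 0xC0000064 = no such user, 0xC000006A = bad password
            }
        }
}

$failed = Get-FailedLogon

# Total count, the same figure the Measure-Object pipeline above reports
"Total failed logons: $($failed.Count)"

# Distinct user names, compared case-insensitively (Group-Object ignores case by default,
# whereas Select-Object -Unique treats administrator and Administrator as different)
$names = $failed | Group-Object { $_.AccountName.ToLowerInvariant() }
"Distinct user names: $($names.Count)"

# Top source addresses and top user names: the view you want when deciding what to block or alert on
$failed | Where-Object Source -ne '-' | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

$names | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Filtering on LogonType and SubStatus separates password guessing against real accounts (0xC000006A) from guesses at user names that do not exist (0xC0000064), which is a useful split when tuning alerts.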
