This one was a bit tricky. The idea is to match a logon event of a user to one of a client via a common piece of data. That data is the IP address.
This code is not thoroughly tested. It utilizes the Security logs from a Domain controller. It looks for event 4768. Both the user login and the client login will contain an IP address inside the message portion. It then looks through the records to match User Name and Client Name using the IP Address. A few things to consider:
1) This will need to be executed against each Domain Controller. Since you do not know which DC the client is bound to, your will need to check all of them.
2) In a large environment with large security logs, this will take some time.
3) The code is not optimized. I’ll leave that fun up to you.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | # Creates the object that will be used to store information from the event logs. Function New-LogObject { $Obj = New-Object -TypeName PSObject -Property @{ "UserName" = $Null "IPAddress" = $Null "Record" = $Null "Client" = $Null "TimeGenerated" = $Null
} Write-Output $Obj }
# Creates an object that will be the final product of this code. Function New-MatchObject { $Obj = New-Object -TypeName PSObject -Property @{ "UserName" = $Null "Client" = $Null "TimeGenerated" = $Null
} Write-Output $Obj }
# Retrieve the first 100 events of event ID 4768 $Events = Get-EventLog -LogName Security -InstanceId 4768 -Newest 100
# Allocates dynamic memory. $Data = @()
# Loop through each event and identify the key parts. ForEach ($E in $Events) {
# User Record. If ((($E.Message).Split("`n"))[3] -notlike "*$*") { $Obj = New-LogObject
# Extract the username. $Obj.UserName = (($E.Message).Split("`n"))[3].Replace("Account Name:",$Null).Trim()
# Extract the IP Address. If ((($E.Message).Split("`n"))[12] -match "\d+.\d+.\d+.\d+") { $Obj."IPAddress" = $Matches.Values }
$Obj.Record = "User" $Obj.TimeGenerated = $E.TimeGenerated } ElseIf ((($E.Message).Split("`n"))[3] -like "*$*") { $Obj = New-LogObject
# Extract the username. $Obj.Client = (($E.Message).Split("`n"))[3].Replace("Account Name:",$Null).Trim()
# Extract the IP Address. If ((($E.Message).Split("`n"))[12] -match "\d+.\d+.\d+.\d+") { $Obj."IPAddress" = $Matches.Values }
$Obj.Record = "Client" }
# Record the object in the Dynamic memory. $Data += $Obj } # END: ForEach ($E in $Events)
# Compare records and match users to clients. $Data2 = @() For ($X=0 ;$X -lt $Data.count; $X++) { For ($Y = $X+1; $Y -lt $Data.count; $Y++) { If (($Data[$X].IPAddress -eq $Data[$Y].IPAddress) -and ($Data[$X].Record -eq "User") -and ($Data[$Y].Record -eq "Client")) { $Obj = New-MatchObject $Obj.UserName = $Data[$X].UserName $Obj.Client = $Data[$Y].Client $Obj.TimeGenerated = $Data[$X].TimeGenerated
$Data2 += $Obj } } }
$Data2 | Sort-Object -Property TimeGenerated -Unique -Descending |
Comments