Security auditing on the server. Search by magazine safety. Power Powershell

Audit log the security helped my colleague to control almost any actions of the employees who have at least some access server or ActiveDirectory.

The topic will be a lot of code, which I hope will be helpful.

The first task must be to define the list of events that must be traced. To reduce the amount of text, I created a procedure that gives the event ID to the description:

the 
Function DefineReason ($Id){
switch ($Id){
4741{ Return "Created a computer account"}
4742{ Return "Changed computer account" }
4743{ Return "Deleted the computer account"}
4727{ Return "global group was Created security enabled"}
4728{ Return "user Added to global group security enabled"}
4729{ Return "Deleted user from the global group security enabled"}
4730{ Return "global group was Deleted security enabled"}
4731{ Return "local group Created security enabled"}
4732{ Return "Added user to local group security enabled"}
4733{ Return "user Removed from local group security enabled"}
4734{ Return "local group was Deleted security enabled"}
4735{ Return "local group Changed security enabled"}
4737{ Return "global group Changed security enabled"}
4743{ Return "Deleted the computer account"}
4754{ Return "Created universal group security-enabled" }
4755{ Return "Changed universal group security-enabled"}
4756{ Return "Added user to a universal group security-enabled"}
4757{ Return "Removed a user from a universal group security-enabled"}
4758{ Return "universal group was Deleted security enabled"}
4764{ Return "a group type was Changed"}
4720{ Return "account Created"}
4722{ Return "account is Enabled"}
4724{ Return "Reset user password"}
4725{ Return "the user Account is disabled"}
4726{ Return "user Account deleted"}
4738{ Return "Modified account"}
4740{ Return "user Account locked"}
4767{ Return "user Account unlocked"}
4780{ Return "ACL was set on accounts which are members of the administrators group"}
4781{ Return "has Been changed the account name"}
4794{ Return "an attempt was made to set directory services restore"}
5376{ Return "credential Manager: credential was stored"}
5377{ Return "credential Manager: credential was restored from backup"}
4825{ Return "denied access to the remote rabochem the table is not included in the RDP group"}
1102{ Return "Deleted the Security log"}
}
}

Then it took to describe the events that are tracked access mask:

the 
# a function to determine the description of events in the access mask

DefineReasonByAccessMask Function ($AccessMask){
switch($AccessMask){
"0xc0000064" { Return "username exists" }
"0xc000006A" { Return "valid name, but not the correct password"}
"0xc0000234" { Return "User blocked" }
"0xc0000072" { Return "Account disabled"}
"0xc0000006F" { Return "Entrance outside of business hours"}
"0xc00000070" { Return "Limit local station"}
"0xc00000193" { Return "the validity of the account has expired"}
"0xc00000071" { Return "password has Expired"}
"0xc00000224" { Return "user Must change password at next logon"}
"0xc000015b" { Return "the User is denied login on this machine"}
"0xc000006d" { Return "Invalid password"}
}
}

Now we know what they want to watch. The next step in the development of the script audit is to retrieve the security log in the XML format, as if a lot of events, it row-by-row processing takes a large amount of time.

To get events from the log, you can use one of the commands, each of which has its advantages and disadvantages:

1. Get-LogEvent security


Advantages:

— quick access to event properties;
— do not need pre-processing to access the event properties.

Disadvantages:

— access only to the system security log, which is stored at the path: Windows/System32/winevt/security.evtx;
— long processing of the tag content . Processing occurs line by separation with the elimination of special characters.

2. Get-WinEvent –path “D:/”


Advantages:

— fast processing of log;
— access to any journal. The main thing is to specify the full path.

Disadvantages:

— for processing of the obtained log is some pre-processing.

the 
Try {
$Events = Get-WinEvent -FilterHashTable $MyFilter
} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events)
{ 
Try{
$EventXML = [xml]$Raw_Event.ToXML()
} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

The next step after we gained access to the journal, this extract from the log the required events and make appropriate decisions. In most cases, is the sending of information messages by e-mail or logging into a separate file.

To set the parameters by which we will pull the information, possibly using interface solutions. Dialog box with input parameters.

image

1. The first parameter assumes that the logs are periodically exported to a specific directory, which should be set. If the journal is one, then the default directory to store logs: "C:\Windows\System32\winevt\Logs".

2. The second parameter specifies the server that will be searched in the logs. If the server one, then put a "*".

3. The third parameter is extremely intuitive: * — looking for events for the whole period, if you specify a date, for example, 30.11.2015, then looking for that date. Search for the company is performed by entering the start and end dates separated by a dash (01.11.2015-30.11.2015).

4. Specify the path to save the result, e.g. "D:\log.log". The following is the code used to build an interface for the script:

the 
$objForm = New-Object System.Windows.Forms.Form 
$objForm.Text = "Input data"
$objForm.Size = New-Object System.Drawing.Size(300,450) 
$objForm.StartPosition = "CenterScreen"

# Events path
$objLabel1 = New-Object System.Windows.Forms.Label
$objLabel1.Location = New-Object System.Drawing.Size(10,20) 
$objLabel1.Size = New-Object System.Drawing.Size(280,40) 
$objLabel1.Text = "Enter the full path to the logs in formate nD:/.../.../ :"
$objForm.Controls.Add($objLabel1) 

$objTextBox1 = New-Object System.Windows.Forms.TextBox 
$objTextBox1.Location = New-Object System.Drawing.Size(10,60) 
$objTextBox1.Size = New-Object System.Drawing.Size(280,20) 
$objForm.Controls.Add($objTextBox1) 

#Find Server mode

$objLabel2 = New-Object System.Windows.Forms.Label
$objLabel2.Location = New-Object System.Drawing.Size(10,90) 
$objLabel2.Size = New-Object System.Drawing.Size(280,30) 
$objLabel2.Text = "1. * - for all servers.`n2. Specify A Server."
$objForm.Controls.Add($objLabel2) 

$objTextBox2 = New-Object System.Windows.Forms.TextBox 
$objTextBox2.Location = New-Object System.Drawing.Size(10,120) 
$objTextBox2.Size = New-Object System.Drawing.Size(280,30) 
$objForm.Controls.Add($objTextBox2)

#Type Events Mode

$objLabel3 = New-Object System.Windows.Forms.Label
$objLabel3.Location = New-Object System.Drawing.Size(10,150) 
$objLabel3.Size = New-Object System.Drawing.Size(280,45) 
$objLabel3.Text = "1. * - all events.`n2. Specify the event.`n3. A comma-separated list of events"
$objForm.Controls.Add($objLabel3) 

$objTextBox3 = New-Object System.Windows.Forms.TextBox 
$objTextBox3.Location = New-Object System.Drawing.Size(10,195) 
$objTextBox3.Size = New-Object System.Drawing.Size(280,30) 
$objForm.Controls.Add($objTextBox3)

#Date Events mode

$objLabel4 = New-Object System.Windows.Forms.Label
$objLabel4.Location = New-Object System.Drawing.Size(10,225) 
$objLabel4.Size = New-Object System.Drawing.Size(280,60) 
$objLabel4.Text = "1. * - for the entire period.`n2. Enter the date in format DD.MM.YYYY.`n3. Specify the interval in the format DD.MM.YYYY-DD.MM.YYYY"
$objForm.Controls.Add($objLabel4) 

$objTextBox4 = New-Object System.Windows.Forms.TextBox 
$objTextBox4.Location = New-Object System.Drawing.Size(10,285) 
$objTextBox4.Size = New-Object System.Drawing.Size(280,30) 
$objForm.Controls.Add($objTextBox4)

#Save Result

$objLabel5 = New-Object System.Windows.Forms.Label
$objLabel5.Location = New-Object System.Drawing.Size(10,315) 
$objLabel5.Size = New-Object System.Drawing.Size(280,30) 
$objLabel5.Text = "save Path of the search result"
$objForm.Controls.Add($objLabel5) 

$objTextBox5 = New-Object System.Windows.Forms.TextBox 
$objTextBox5.Location = New-Object System.Drawing.Size(10,345) 
$objTextBox5.Size = New-Object System.Drawing.Size(280,30) 
$objForm.Controls.Add($objTextBox5)

# Buttons OK and Cancel. Obrabotki added only on the button OK. 

$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,380)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$objForm.Close()})
$objForm.Controls.Add($OKButton)
$OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,380)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click({$objForm.Close()})
$objForm.Controls.Add($CancelButton)

$objForm.Topmost = $True

$objForm.Add_Shown({$objForm.Activate()})
$dialogResult = $objForm.ShowDialog()
# Description of the interface is finished

Get the data entered:

the 
# Define incoming parameters
if ($dialogResult -eq "OK"){
$Log_Path = $objTextBox1.Text
$FindServerMode = $objTextBox2.Text
$TypeEventsMode = $objTextBox3.Text
$DateEventsmode = $objTextBox4.Text
$SaveResult = $objTextBox5.Text
}

If the date field has a " - " character, then entered the interval, if the symbol is incorrect — your problems. Are separated by " - " character, defined by a start and end date range.

the 
if ($DateEventsmode -match "-"){
$x = $DateEventsmode.split("-")
$StartDate = $x[0]
$EndDate = $x[1]
$StartDate = [DateTime]::parse($StartDate)
$StartDate 
$EndDate = [DateTime]::parse($EndDate)
$EndDate
}

If in the input field there is no " - " or "*", it means you entered a specific date.

the 
if ($DateEventsmode -notmatch "-" -and $DateEventsmode -ne "*"){
$StartDate1 = [DateTime]::parse($DateEventsmode)
}

1. Search on all servers, in all events, for the entire period:

the 
if ($FindServerMode -eq "*" -and $DateEventsmode -eq "*" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){
Write-host "entered 1"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -recurse| Where {$_.Extension-eq ".evtx"} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$MyFilter = @{Path=($Log).FullName}
$i=0
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){

Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}

$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}
$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated) 
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
$i++ 
} 
}
}

2. Search all the servers for the event filter, for the entire period:

the 
if ($FindServerMode -eq "*" -and $DateEventsmode -eq "*" -and $TypeEventsMode -ne "*" -and $Log_Path ne ""){
Write-host "entered 2"
$ALL_LOGS = Get-ChildItem -Path $Log_Path | Where {$_.Extension-eq ".evtx"} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

$LogFile+= "EventID:" + $Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n" 
}
}
}

3. Search for all servers on all events for the range:

the 
if ($FindServerMode -eq "*" -and $DateEventsmode -match "-" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){

$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" } | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)
$Event.TimeCreated
if ($Event.TimeCreated -gt $StartDate -and $Event.TimeCreated -lt $EndDate){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
}
}
}

4. Search for all servers on all the events for a specific date:

the 
if ($FindServerMode -eq "*" -and $DateEventsmode -notmatch "-" -and $DateEventsmode -ne "*" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){
Write-host "entered 5"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $StartDate1 -ne "null" } | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated.Day-eq $StartDate1.Day-and $Event.TimeCreated.Month-eq $StartDate1.Month -and $Event.TimeCreated.Year-eq $StartDate1.Year){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
}
}
}

5. Search for all servers to filter events for a certain period:

the 
if ($FindServerMode -eq "*" -and $DateEventsmode -match "-" -and $DateEventsmode -ne "*" -and $TypeEventsMode -ne "*" -and $Log_Path ne ""){
Write-host "entered 4"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $StartDate1 -ne ""} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated.Day-eq $StartDate1.Day-and $Event.TimeCreated.Month-eq $StartDate1.Month -and $Event.TimeCreated.Year-eq $StartDate1.Year){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"

$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
} 
}
} 
}

6. Search on all servers, filter events for a specific date:

the 
if ($FindServerMode -eq "*" -and $TypeEventsMode -ne "*" -and $DateEventsmode -notmatch "-" -and $DateEventsmode -ne "*" -and $Log_Path ne "") {
Write-host "came in 6"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $StartDate1 -ne "" } | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated.Day-eq $StartDate1.Day-and $Event.TimeCreated.Month-eq $StartDate1.Month -and $Event.TimeCreated.Year-eq $StartDate1.Year){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
} 
} 
}

7. Search for a server search for all events for the entire period:

the 
if ($FindServerMode -ne "*" -and $DateEventsmode -eq "*" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){
Write-host "entered the 7"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $_.FullName -match $FindServerMode} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$MyFilter = @{Path=($Log).FullName}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
} 
}

8. Search on a particular server, filter events, for the entire period:

the 
if ($FindServerMode -ne "*" -and $DateEventsmode -eq "*" -and $TypeEventsMode -ne "*" -and $Log_Path ne ""){
Write-host "became 8"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $_.FullName -match $FindServerMode} | Sort LastWriteTime

$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

$LogFile+= "EventID:" + $Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"

$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
} 
}
}

9. Search on a particular server, all events for the period:

the 
if ($FindServerMode -ne "*"-and $DateEventsmode -match "-" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){
Write-host "entered 9"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $_.FullName -match $FindServerMode -and $StartDate -ne "null" -and $EndDate -ne "null"} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated -gt $StartDate -and $Event.TimeCreated -lt $EndDate){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
}
}
}

10. Search on a particular server, filter events, for period:

the 
if ($FindServerMode -ne "*" -and $DateEventsmode -match "-" -and $DateEventsmode -ne "*" -and $TypeEventsMode -ne "*" -and $Log_Path ne ""){
Write-host "top 10"
$ALL_LOGS = Get-ChildItem -Path $Log_Path | Where {$_.Extension-eq ".evtx" -and $_.FullName -match $FindServerMode -and $StartDate -ne "null" -and $EndDate -ne "null"} | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated -gt $StartDate -and $Event.TimeCreated -lt $EndDate){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
}
}
}

11. Search for a specific server, at all events for a specific date:

the 
if ($FindServerMode -ne "*" -and $DateEventsmode -notmatch "-" -and $DateEventsmode -ne "*" -and $TypeEventsMode -eq "*" -and $Log_Path ne ""){
Write-host "entered the 11"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $StartDate1 -ne "null" } | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.EventData.Data) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)

if ($Event.TimeCreated.Day-eq $StartDate1.Day-and $Event.TimeCreated.Month-eq $StartDate1.Month -and $Event.TimeCreated.Year-eq $StartDate1.Year){

$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
} 
}
}

12. Search for a specific server, filter events for a specific date:

the 
if ($FindServerMode -ne "*" -and $TypeEventsMode -ne "*" -and $DateEventsmode -notmatch "-" -and $DateEventsmode -ne "*" -and $Log_Path ne ""){
Write-host "included in 12"
$ALL_LOGS = Get-ChildItem -Path $Log_Path -Recurse| Where {$_.Extension-eq ".evtx" -and $StartDate1 -ne "null" } | Sort LastWriteTime
$ALL_LOGS
foreach ($Log in $ALL_LOGS){
$LogFile = "EventLog Audit Security" +"`n"
($Log).FullName
$Log.LastWriteTime
$StartDate
$EndDate
$MyFilter = @{Path=($Log).FullName;ID=$TypeEventsMode}
Try {$Events = Get-WinEvent -FilterHashTable $MyFilter} Catch {"No events were found in $Log"; Continue}
ForEach ($Raw_Event in $Events){ 
Try{$EventXML = [xml]$Raw_Event.ToXML()} Catch {Write-Host "Unable to convert an event to XML"}
$Event = @{}
ForEach ($object in $EventXML.Event.Message) {
$Event.Add($object.name,$object.'#text')
}

$Event.Add("ID",$Raw_Event.ID)
$Event.Add("TimeCreated",$Raw_Event.TimeCreated)
$Event
if ($Event.TimeCreated.Day-eq $StartDate1.Day-and $Event.TimeCreated.Month-eq $StartDate1.Month -and $Event.TimeCreated.Year-eq $StartDate1.Year){
$LogFile+= "EventID:" + $Raw_Event.ID +"`n"
$LogFile+= "Target User Name:" + $Event.TargetUserName +"`n"
$LogFile+= "Target Domain Name:" + $Event.TargetDomainName +"`n"
$LogFile+= "Status:" + $Event.Status +"`n"
$LogFile+= "TimeGenerated:" + $Event.TimeCreated +"`n"
$LogFile+= "Workstation Name:" + $Event.WorkstationName +"`n"
$LogFile+= "IpAddress:" + $Event.IpAddress +"`n"
$LogFile+= "Computer:" + [xml]$Raw_Event.ToXML().Event.System.Computer +"`n"
$Reason = DefineReason -Id $Raw_Event.ID
$AccessM = DefineReasonByAccessMask -AccessMask $Event.Status 
$LogFile+= "Reason ()" + $Reason + " "+ $AccessM +"`n"
$LogFile+= "Reason(SYS):" + $Event.Message +"`n"
$LogFile+= "----------------------------------------------------------------`n"
}
} 
}
}

At the end of the month (the period is set individually by administrators), the security log is archived on the storage server, specifying the server name and date archived.

After we described all the options to find events. The result, we need to save to a file whose path is prescribed by the user in the last field. If a path is specified, the result is stored in the file. After execution of the script file is automatically run. If the path to save the result is not specified, the log will be saved in the working directory under the name "log.log".

the 
if ($SaveResult -ne ""){
$LogFile | Out-File $SaveResult -Encoding utf8
Invoke-Item $SaveResult
$Event2= @{}
$Event = @{}
$Log_Path=""

}
else{
$LogFile | Out-File ".\log.log" -Encoding utf8
Write-Host $LogFile
$Event2= @{}
$Event = @{}
$Log_Path=""
}

Thank you for your attention.

During the writing of the script very useful was the article "PowerShell and security auditing", thanks to the author.
Article based on information from habrahabr.ru

Популярные сообщения из этого блога

Approval of WSUS updates: import, export, copy

Изображение
the Backstory Until recently, I worked as edikasyon a major Russian company that has many offices throughout the country. In my jurisdiction there were eleven sites, located in different cities of the Far East (this is important). In each of these offices had its own, not connected with other network infrastructure — your domain AD own subnet, etc. Once the leadership gave me the task to organize the automatic updating of the OS and programs from MS and allowed to expand on accountable sites WSUS . Problem After WSUS was deployed, binding policy, computers to WSUS groups are configured, the directory synchronization content server MS held, etc., the question arose: who and how will approve the update? Imagine 11 cities that are so "fast" and "stable", that rare moment when latency of ICMP replies are only 800 MS, are perceived as unheard of luck. And in each you test all updates before deploying. The access to the servers at the sites was only v...
Далее...

Kaspersky Security Center — the fight for automation

oddly enough, I found habré only one article on the subject — the sandbox much unfinished actually contains a piece of the slightly redesigned the product help. Yes, and Google query klakaut silent. I'm not going to tell you how to administer the hierarchy of Kaspersky Security Center (hereinafter KSC) from the command line — I do not yet need never. Just want to share some thoughts about automation tools to those who need it and disassemble one case with which I had to face. If you, %habrauser%, this topic will be interesting — welcome under kat. Historically, the anti-virus protection on the job, I prefer products of Kaspersky Lab (hereafter LK). Causes and other Holy war of personal opinions, I'll leave behind the scenes. Naturally, I would like to centrally deploy, protect, to protect and to enforce the law to draw beautiful graphics to integrate into existing monitoring systems and to do other work shifting the blame to a healthy server. And if you deplo...
Далее...

The Hilbert curve vs. Z-order

Изображение
Repeatedly heard the opinion that of all swept curves . it the Hilbert curve the most promising for spatial indexing. The explanation given is that it does not contain discontinuities and therefore in some sense “well-arranged”. Whether so it actually and what is the spatial indexing, we will understand under the cut. The concluding article of the series: the the Why doesn't the straightforward approach to spatial indexing swept curves the Presentation the 3D and obvious optimization the 8D and perspectives OLAP the 3D field as it looks the 3D field benchmarks the How about indexing non-point objects? The Hilbert curve has the remarkable property — the distance between two successive points is always equal to one (step current of detail, to be precise). Therefore, data is not much different Hilbert curve values are close to each other (the inverse, incidentally, is wrong — adjacent points may be very different in meaning). For this property it is us...
Далее...