Analysing logon attempts is essential both on machines that are under attack and, for forensic purposes, on users' machines.
Below I share a PowerShell script that collects logon-attempt activity on a local machine and presents it in an easy-to-read table.
4625_User_Logon_Failed_Analysis.ps1
# ===========================================================
# NAME:    4625_User_Logon_Failed_Analysis.ps1
# AUTHOR:  Bekir Yalçın
# DATE:    29/12/2012
# COMMENT: Analysis of logon-attempt events - EventID: 4625
# VERSION: 1
# ===========================================================
# Clear

# Report file name: prefix + timestamp + host name
$LogFileName = "4625_User_Logon_Failed_Reports_" + (Get-Date -Format "yyyyMMdd_HHmmss_").ToString() + (hostname).ToString() + ".csv"

# Author banner: the digit string is a sequence of three-digit ASCII codes, decoded one character at a time
write-host ((0..48) | % { if (($_ + 1) % 3 -eq 0) { [char][int]("119119119046115105098101114098111103046111114103064117101107097101046116117098105116097107046103111118046116114"[($_ - 2)..$_] -join "") } }) -Separator "" -ForegroundColor Blue

# Failed logons of the last 1 day; for the last 1 hour use -After (Get-Date).AddHours(-1)
# (the whole EventLogEntry is kept so that EventID, MachineName etc. are available later)
$Events = Get-EventLog security -InstanceId 4625 -After (Get-Date).AddDays(-1) | ForEach-Object {
    New-Object PSObject -Property @{
        EventID = $_.EventID; MachineName = $_.MachineName; Data = $_.Data; Index = $_.Index
        Category = $_.Category; CategoryNumber = $_.CategoryNumber; EntryType = $_.EntryType
        Message = $_.Message; Source = $_.Source; ReplacementStrings = $_.ReplacementStrings
        InstanceId = $_.InstanceId; TimeGenerated = $_.TimeGenerated; TimeWritten = $_.TimeWritten
        UserName = $_.UserName; Site = $_.Site; Container = $_.Container
        # 4625 ReplacementStrings, in the order of the event template
        SubjectUserSid            = $_.ReplacementStrings[0]
        SubjectUserName           = $_.ReplacementStrings[1]
        SubjectDomainName         = $_.ReplacementStrings[2]
        SubjectLogonId            = $_.ReplacementStrings[3]
        TargetUserSid             = $_.ReplacementStrings[4]
        TargetUserName            = $_.ReplacementStrings[5]
        TargetDomainName          = $_.ReplacementStrings[6]
        Status                    = $_.ReplacementStrings[7]
        FailureReason             = $_.ReplacementStrings[8]
        SubStatus                 = $_.ReplacementStrings[9]
        LogonType                 = $_.ReplacementStrings[10]
        LogonProcessName          = $_.ReplacementStrings[11]
        AuthenticationPackageName = $_.ReplacementStrings[12]
        Source_WorkstationName    = $_.ReplacementStrings[13]
        TransmittedServices       = $_.ReplacementStrings[14]
        LmPackageName             = $_.ReplacementStrings[15]
        KeyLength                 = $_.ReplacementStrings[16]
        ProcessID                 = $_.ReplacementStrings[17]
        ProcessName               = $_.ReplacementStrings[18]
        Source_IPAddress          = $_.ReplacementStrings[19]
        Source_IpPort             = $_.ReplacementStrings[20]
    }
}

# Maps a 4625 Status / SubStatus code to a short name (names follow Microsoft's 4625 status table)
Function CodeConvertName {
    param($Status)
    switch ($Status) {
        "0xC0000064" { "KullaniciYok" }               # user name does not exist
        "0xC000006A" { "KullaniciVarParolaYanlis" }   # user name correct, password wrong
        "0xC0000234" { "KullaniciKilitli" }           # account locked out
        "0xC0000072" { "KullaniciPasif" }             # account disabled
        "0xC000006F" { "ZamanKisitlamasi" }           # logon outside permitted hours
        "0xC0000070" { "IstemciKisitlama" }           # workstation restriction
        "0xC0000193" { "HesapExpired" }               # account expired
        "0xC0000071" { "ParolaExpired" }              # password expired
        "0xC0000133" { "DCileZamanFarkiCok" }         # clock skew between DC and client too large
        "0xC0000224" { "ParolaDegis" }                # password must be changed at next logon
        "0xC0000225" { "ParolaDegistirDevamEt" }
        "0xC000015B" { "BuMakinedeOturumAcamaz" }     # requested logon type not granted on this machine
        "0xC000006D" { "KimlikPaketBozuk" }           # bad user name or authentication information
        "0xC0000192" { "NetlogonCalismiyor" }         # Netlogon service not started
        "0xC000006E" { "0xC000006E" }                 # unknown user name or bad password (code returned as-is)
        default      { "Unknown" }
    }
}

# Write the table (computer accounts, whose names end in $, are skipped) and open it in Notepad
$Events |
    Where-Object { $_.TargetUserName -notlike '*$' } |
    Sort-Object -Descending TimeGenerated |
    Format-Table TimeGenerated, Source_WorkstationName, Source_IPAddress, Source_IpPort,
        SubjectDomainName, SubjectUserName, TargetDomainName, TargetUserName,
        @{Label = "LogonTypeName"; Expression = {
            switch ($_.LogonType) {
                2       { "Interactive" }
                3       { "Network" }
                4       { "Batch" }
                5       { "Service" }
                7       { "Unlock" }
                8       { "NetworkCleartext" }
                9       { "RunAs" }
                10      { "RemoteInteractive" }
                11      { "CachedInteractive" }
                default { "Unknown" }
            }
        }},
        LogonType,
        @{Label = "StatusName";    Expression = { CodeConvertName $_.Status }},    Status,
        @{Label = "SubStatusName"; Expression = { CodeConvertName $_.SubStatus }}, SubStatus,
        SubjectUserSid, TargetUserSid, ProcessID, ProcessName, SubjectLogonId, LogonProcessName,
        LmPackageName, KeyLength, FailureReason, MachineName, Data, Index, Category, CategoryNumber,
        EntryType, Source, UserName, Site, Container, TransmittedServices -AutoSize |
    Out-File -Width 1200 -Append -FilePath $LogFileName -Encoding Unicode

Notepad.exe $LogFileName
When the script is run, a report file named in the format
4625_User_Logon_Failed_Reports_20121231_220406_PCAdi.csv is created. The file is in fixed-width format and is opened automatically in Notepad.exe when the script finishes (disable Word Wrap in Notepad.exe for a readable layout). You can open the file with Microsoft Excel or a similar application and have it split into fixed-width columns automatically. You can also add filters to the columns and examine the data as you like.
CSV file download: 4625_User_Logon_Failed_Reports_20121231_234506_TestPC (link below). Mapping of the columns to the Event Viewer view:
LogonTypeName:
Interactive (2): Interactive (logon at keyboard and screen of system)
Network (3): Network (i.e. connection to shared folder on this computer from elsewhere on network)
Batch (4): Batch (i.e. scheduled task)
Service (5): Service (Service startup)
Unlock (7): Unlock (i.e. unattended workstation with password protected screen saver)
NetworkCleartext (8): NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication")
RunAs (9): NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648.
RemoteInteractive (10): RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
CachedInteractive (11): CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
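The script above addresses the 4625 fields by their position in ReplacementStrings, which depends on the event template, and Get-EventLog is deprecated on current Windows. As an added example (not part of the original script), the same fields can be read by name from the event XML with Get-WinEvent and then grouped to show where the failures cluster; the function and variable names (Get-FailedLogon, $statusNames, $logonTypes) are chosen here and the hashtable labels are English renderings of the same Microsoft status table.

```powershell
# Added example: 4625 fields read by XML name, then grouped by source and reason.
# Assumes an elevated session (the Security log needs admin rights) and a 1-day window.
$statusNames = @{   # Status / SubStatus values from Microsoft's 4625 documentation
    '0xC0000064' = 'UserDoesNotExist';      '0xC000006A' = 'WrongPassword'
    '0xC0000234' = 'AccountLockedOut';      '0xC0000072' = 'AccountDisabled'
    '0xC000006F' = 'LogonHoursRestriction'; '0xC0000070' = 'WorkstationRestriction'
    '0xC0000193' = 'AccountExpired';        '0xC0000071' = 'PasswordExpired'
    '0xC0000133' = 'ClockSkewWithDC';       '0xC0000224' = 'MustChangePassword'
    '0xC000015B' = 'LogonTypeNotGranted';   '0xC0000192' = 'NetlogonNotStarted'
}
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-FailedLogon {
    param([datetime]$Since = (Get-Date).AddDays(-1))   # same 1-day window as the script above
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Each EventData/Data element carries a Name attribute, so field order does not matter
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $st = $d.Status;    if ($st  -and $statusNames.ContainsKey($st))  { $st  = $statusNames[$st] }
        $sub = $d.SubStatus; if ($sub -and $statusNames.ContainsKey($sub)) { $sub = $statusNames[$sub] }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $logonTypes[[int]$d.LogonType]
            Status      = $st
            SubStatus   = $sub
            SourceIP    = $d.IpAddress
            Workstation = $d.WorkstationName
            Process     = $d.ProcessName
        }
      } | Where-Object { $_.TargetUser -notlike '*$' }   # drop computer accounts, as the script does
}

$failed = Get-FailedLogon
# One source hitting many accounts (spraying) and one account hit many times (guessing) both surface here
$failed | Group-Object SourceIP, SubStatus | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { @($_.Group.TargetUser | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
$failed | Export-Csv -Path ('4625_by_name_{0:yyyyMMdd_HHmmss}.csv' -f (Get-Date)) -NoTypeInformation
```

The Accounts column is the number of distinct target accounts behind each source/reason pair, which separates a spray from a single user mistyping a password.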
Download script: http://siberblog.org/wp-content/uploads/2012/12/4625_User_Logon_Failed_Analysis.rar
Download CSV file: http://siberblog.org/wp-content/uploads/2012/12/4625_User_Logon_Failed_Reports_20121231_234506_TestPC.csv
Reference: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625