PowerShell script to get logon failures and successes from AD for a specific 3rd party web app that uses our DCs to authenticate

  • Question

  • Hi,

    I've been tasked to try to figure out a way to generate reports of "Who" is attempting to access our Critical Financial Infrastructure, both for successful and unsuccessful logon attempts. We use a 3rd party product called Lawson and the actual servers are not in our control, and are not located here. They do however use our AD infrastructure (our domain controllers) to authenticate.

    I've been doing a lot of research & learning lately about PowerShell parsing of the security logs with Get-Eventlog and Replacement Strings, etc. The problem I'm noticing is that the key fields I think I need are usually null. The most important pieces of info I need are what service is requesting the token, the AD account, and the date, but the Account Name in the "Subject" portion of the event is almost always NULL. This also matches what this post here says.

    I've run auditpol.exe in PowerShell and I'm coming up with the following:

    Do I need to enable more stuff or is this even possible? Is Get-WinEvent any more robust in this respect?

    Advice appreciated

     


    • Edited by mmurphy58 Wednesday, February 19, 2020 11:27 PM
    Wednesday, February 19, 2020 11:24 PM
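The audit policy side of this question, as an added example that is not part of the original post or the replies. It enables the advanced-audit subcategories that produce the event IDs discussed in this thread on a domain controller and then reads the effective policy back. It assumes an elevated PowerShell session on the DC; the subcategory names are the built-in Windows ones.

```powershell
# Added example, not from the original post. Enables the audit subcategories that produce
# the event IDs discussed in this thread and shows the effective policy afterwards.
# Assumption: run from an elevated PowerShell session on each domain controller.
# If Advanced Audit Policy is delivered by GPO (Default Domain Controllers Policy), set the
# same subcategories there instead; otherwise the next policy refresh overwrites these values.

$subcategories = @(
    'Logon',                              # 4624 success / 4625 failure, on the host where the logon happens
    'Credential Validation',              # 4776: the DC validates NTLM credentials for another host
    'Kerberos Authentication Service',    # 4768 TGT request / 4771 pre-authentication failure
    'Kerberos Service Ticket Operations'  # 4769 service ticket request (which account asked for which SPN)
)

foreach ($name in $subcategories) {
    auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$name'" }
}

# Verify: each of the subcategories above should now read "Success and Failure".
# --% stops PowerShell from parsing the comma-separated category list as an array.
auditpol.exe --% /get /category:"Logon/Logoff","Account Logon"
```

One caveat worth keeping in mind for this thread: 4624 and 4625 are written by the machine where the logon actually happens. Because the Lawson servers are not under your control, what your domain controllers will record for those logons is the credential validation the DC performs for them: 4776 for NTLM, and 4768/4769/4771 for Kerberos. A 4624 with logon type 3 shows up on the DC only when the application logs on to the DC itself, for example an LDAP bind.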

All replies

  • Get-Eventlog is for old servers that are no longer supported, so use Get-WinEvent.

    What you are asking is too vague.  You need to learn what events you need.  We cannot guess at that for you.

    If you are doing security auditing I recommend that you purchase a comprehensive tool that will do this correctly.  Someone with no systems or PowerShell experience will not be able to do this safely and will effectively blind you to security issues.  I suggest starting by hiring a security consultant to work with you to assess your needs.  Do not try to do this with your level of engineering, programming and security skills.


    \_(ツ)_/

    Wednesday, February 19, 2020 11:34 PM
  • Okay, Thanks. I'm pretty sure we need events 4624 & 4625, but I'll do some more checking before I take a shot at Get-WinEvent. I know there are several event IDs that could possibly apply.
    Thursday, February 20, 2020 12:03 AM
  • Try something like this:

    # Open an exported copy of the Security log and keep only interactive (LogonType 2) logon/logoff events.
    # Properties[] is positional: for 4624, index 8 is LogonType and index 5 is TargetUserName;
    # for 4634, index 4 is LogonType and index 1 is TargetUserName.
    $evts = Get-WinEvent -Path 'C:\path\to\securitylog.evtx' |
        Where-Object { ($_.Id -eq 4624 -and $_.Properties[8].Value -eq 2) -or
                       ($_.Id -eq 4634 -and $_.Properties[4].Value -eq 2) }
    foreach ($e in $evts)
    {
        # get the attributes
        $ds  = $e.TimeCreated
        $tdn = $e.TaskDisplayName
        $mn  = $e.MachineName

        # userid will vary depending on event type:
        if ($e.Id -eq 4624) { $userid = $e.Properties[5].Value }
        if ($e.Id -eq 4634) { $userid = $e.Properties[1].Value }

        # Write-Output (rather than Write-Host) so the CSV lines can be piped to a file
        Write-Output ("{0},{1},{2},{3}" -f [string]$ds, [string]$tdn, [string]$mn, [string]$userid)
    }

    However, for event ID 4625 (an account failed to log on) you must enable the audit account logon event setting.

    Apart from the native auditing, you can use a third-party Active Directory auditing tool, which alerts instantly by sending customized email notifications for logon/logoff and failed logon attempts in real time.

    The event is generated when a user logs on or when an application needs Kerberos authentication.

    For more information, you could refer to the article below.

    Audit Kerberos Authentication Service: https://docs.microsoft.com/en-us/windows/device-security/auditing/audit-kerberos-authentication-service

    4625: An account failed to log on

    To block authentication attempts from an unknown IP network segment, the best solution is to allow only the specific IP network segment through the firewall, or to block the unknown IP network segment again and again by checking the event log. Get the details here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9a5ea3fc-96f5-492f-9acd-0f865c4ae6e5/event-4625-many-1000s-failed-login-attempts-each-night-can-i-autoblock-how-do-i-protect-my?forum=winserversecurity

    Also get help from this article to audit the successful or failed logon and logoff attempts in the network using the audit policies.

    4776: The domain controller attempted to validate the credentials for an account

    Most Event Id 4776 Error Code 0xc0000064 errors are due to damaged files in a Windows operating system.

    4648: A logon was attempted using explicit credentials

    Check the Services and see if anything is running with the credentials. 
    Also, check the scheduled tasks.

    Thursday, February 20, 2020 10:17 AM
  • That code will return every single record in the event log, which will load the network and can cause resource issues. It is not the correct way to query the event log.  Please take time to search for correct methods before suggesting that others use your incorrect ideas.

    The issue here is not about returning those records.  Please read the question carefully before answering.   

    The query requires an XML filter to return correct records without parsing the whole event log.


    \_(ツ)_/

    Thursday, February 20, 2020 1:25 PM
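The XML-filtered query the reply above calls for, as an added example that is not code from the original post or from either reply. It goes a little beyond the 4624/4625 pair discussed in the thread: because the application servers are not under the poster's control, it pulls the events a domain controller writes when it authenticates for other hosts (4776 for NTLM, 4768/4769/4771 for Kerberos) alongside 4624/4625, filters them in the event log service with XPath rather than in the pipeline, and reads each event's EventData by field name instead of by Properties[] index. The DC name DC01, the source address 10.20.30.40, the 24-hour window and the output path are placeholders.

```powershell
# Added example, not code from the original post. Queries a domain controller's Security
# log with an XPath filter (the filtering happens in the event log service, not in the
# pipeline), then reads each event's EventData by name instead of by Properties[] index.
# Assumptions: DC01, the source address 10.20.30.40 (the third-party application server),
# the 24-hour window and the output path are placeholders; Remote Event Log Management must
# be allowed through the DC firewall, and the caller needs read access to the Security log.
param(
    [string]$DomainController = 'DC01',
    [datetime]$Since = (Get-Date).AddHours(-24),
    [string]$SourceIp = '10.20.30.40',
    [string]$OutCsv = '.\auth-report.csv'
)

# What a DC records for authentication it performs on behalf of other hosts:
#   4776 NTLM credential validation (Status 0x0 = success; 0xC000006A = bad password,
#        0xC0000064 = user name does not exist)
#   4768 Kerberos TGT request, 4771 pre-authentication failure, 4769 service ticket request
#   4624/4625 are written only when the logon is to this DC itself (for example an LDAP
#   bind, LogonType 3); logons to the application server land in that server's own log.
$windowMs = [int64]((Get-Date) - $Since).TotalMilliseconds
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)
        and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as an empty report.
$events = Get-WinEvent -ComputerName $DomainController -FilterXml $filterXml -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No matching events on $DomainController since $Since"; return }

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data>... into a name -> value table.
    # The Subject* fields are empty for network logons; the account being authenticated
    # is always TargetUserName.
    [xml]$x = $e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) {
        $d[$item.GetAttribute('Name')] = $item.InnerText
    }

    if ($e.Id -eq 4624)             { $result = 'Success' }
    elseif ($e.Id -in 4625, 4771)   { $result = 'Failure' }
    elseif ($d['Status'] -eq '0x0') { $result = 'Success' }   # 4768 / 4769 / 4776 carry a status code
    else                            { $result = 'Failure' }

    # 4776 reports the caller as Workstation; the Kerberos and logon events report IpAddress
    $source = if ($d.ContainsKey('IpAddress')) { $d['IpAddress'] } else { $d['Workstation'] }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Result      = $result
        Account     = $d['TargetUserName']
        Domain      = $d['TargetDomainName']
        Source      = $source -replace '^::ffff:', ''   # Kerberos events log IPv4 as ::ffff:a.b.c.d
        LogonType   = $d['LogonType']                   # 4624/4625 only
        AuthPackage = $d['AuthenticationPackageName']   # 4624/4625 only; 4776 uses PackageName
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']                   # 4625: 0xC0000064 no such user, 0xC000006A bad password
    }
}

# Narrow to the application server and write the report
$rows | Where-Object { $_.Source -eq $SourceIp } |
    Sort-Object TimeCreated |
    Export-Csv -NoTypeInformation -Path $OutCsv
```

Saved as a script (the file name is your choice), it runs as `.\Get-AuthReport.ps1 -DomainController DC02 -Since (Get-Date).AddDays(-7)`; drop the final `Where-Object` to see every source the DC authenticated. Reading EventData by name is what answers the original "fields are null" problem: the Subject fields of a 4624 are legitimately empty for network logons, and the account of interest sits in TargetUserName.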