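# Surface recent RDP logons for DFIR triage: pull Security event ID 4624
# (successful logon), promote the EventData fields to properties, and show the
# RemoteInteractive (LogonType 10) ones excluding machine accounts.
# DFIR helper by Ismail Kaleem @ Oxiqa
#
# Requires: read access to the Security log (normally an elevated session).
# Output:   an Out-GridView window of the matching events (interactive only).

# Event ID to collect. The original set this to 4625 (failed logon) and never
# used it, and the Get-WinEvent filter pulled every Security event ID, so the
# 1000-event window was spent on unrelated records and the LogonType filter
# below could also match 4625/4634 entries. Filter by ID at the source instead.
$secevent = 4624
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $secevent } -MaxEvents 1000

# Promote each <Data Name="..."> element of the event XML to a NoteProperty so
# the fields (TargetUserName, LogonType, IpAddress, ...) can be filtered and
# selected by name.
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    ForEach ($datum in $eventXML.Event.EventData.Data) {
        # Add-Member rejects an empty -Name; skip unnamed Data elements.
        if ([string]::IsNullOrEmpty($datum.Name)) { continue }
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $datum.Name -Value $datum.'#text'
    }
}

# LogonType 10 = RemoteInteractive (RDP / Terminal Services). Machine accounts
# (names ending in '$') are excluded. -eq replaces -match so this is an exact
# value comparison rather than a regex substring match.
# NOTE(review): only sessions logged as type 10 are shown; RDP connections that
# authenticate differently (e.g. Restricted Admin mode) can be recorded under
# another logon type — confirm for your environment before treating this as
# a complete RDP inventory.
$Events |
    Where-Object { $_.LogonType -eq '10' -and $_.TargetUserName -notmatch '.+\$$' } |
    Select-Object TimeCreated, LogonProcessName, IpAddress, IpPort, WorkStationName, SubjectUserName, TargetUserName, LogonType, MachineName, ProcessName, KeywordsDisplayNames |
    Out-GridView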