opexxx

Get-ComputerDetails.ps1

Feb 23rd, 2014
316
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. function Get-ComputerDetails
  2. {
  3. <#
  4. .SYNOPSIS
  5.  
  6. This script is used to get useful information from a computer.
  7.  
  8. Function: Get-ComputerDetails
  9. Author: Joe Bialek, Twitter: @JosephBialek
  10. Required Dependencies: None
  11. Optional Dependencies: None
  12. Version: 1.0
  13.  
  14. .DESCRIPTION
  15.  
  16. This script is used to get useful information from a computer. Currently, the script gets the following information:
  17. -Explicit Credential Logons (Event ID 4648)
  18. -Logon events (Event ID 4624)
  19. -AppLocker logs to find what processes are created
  20. -PowerShell logs to find PowerShell scripts which have been executed
  21. -RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
  22.  
  23. .PARAMETER ToString
  24.  
  25. Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
  26.    
  27. .EXAMPLE
  28.  
  29. Get-ComputerDetails
  30. Gets information about the computer and outputs it as PowerShell objects.
  31.  
  32. Get-ComputerDetails -ToString
  33. Gets information about the computer and outputs it as raw text.
  34.  
  35. .NOTES
  36. This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
  37. You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
  38.  
  39. .LINK
  40.  
  41. Blog: http://clymb3r.wordpress.com/
  42. Github repo: https://github.com/clymb3r/PowerShell
  43.  
  44. #>
  45.  
  46.     Param(
  47.         [Parameter(Position=0)]
  48.         [Switch]
  49.         $ToString
  50.     )
  51.  
  52.     Set-StrictMode -Version 2
  53.  
  54.     #Retrieve the 4648 logon event. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
  55.     #the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
  56.     #for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
  57.     function Find-ExplicitLogons
  58.     {
  59.         Param(
  60.             $SecurityLog
  61.         )
  62.  
  63.         $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
  64.         $ReturnInfo = @{}
  65.  
  66.         foreach ($ExplicitLogon in $ExplicitLogons)
  67.         {
  68.             $Subject = $false
  69.             $AccountWhosCredsUsed = $false
  70.             $TargetServer = $false
  71.             $SourceAccountName = ""
  72.             $SourceAccountDomain = ""
  73.             $TargetAccountName = ""
  74.             $TargetAccountDomain = ""
  75.             $TargetServer = ""
  76.             foreach ($line in $ExplicitLogon.Message -split "\r\n")
  77.             {
  78.                 if ($line -cmatch "^Subject:$")
  79.                 {
  80.                     $Subject = $true
  81.                 }
  82.                 elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$")
  83.                 {
  84.                     $Subject = $false
  85.                     $AccountWhosCredsUsed = $true
  86.                 }
  87.                 elseif ($line -cmatch "^Target\sServer:")
  88.                 {
  89.                     $AccountWhosCredsUsed = $false
  90.                     $TargetServer = $true
  91.                 }
  92.                 elseif ($Subject -eq $true)
  93.                 {
  94.                     if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
  95.                     {
  96.                         $SourceAccountName = $Matches[1]
  97.                     }
  98.                     elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
  99.                     {
  100.                         $SourceAccountDomain = $Matches[1]
  101.                     }
  102.                 }
  103.                 elseif ($AccountWhosCredsUsed -eq $true)
  104.                 {
  105.                     if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
  106.                     {
  107.                         $TargetAccountName = $Matches[1]
  108.                     }
  109.                     elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
  110.                     {
  111.                         $TargetAccountDomain = $Matches[1]
  112.                     }
  113.                 }
  114.                 elseif ($TargetServer -eq $true)
  115.                 {
  116.                     if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)")
  117.                     {
  118.                         $TargetServer = $Matches[1]
  119.                     }
  120.                 }
  121.             }
  122.  
  123.             #Filter out logins that don't matter
  124.             if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$"))
  125.             {
  126.                 $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer
  127.                 if (-not $ReturnInfo.ContainsKey($Key))
  128.                 {
  129.                     $Properties = @{
  130.                         LogType = 4648
  131.                         LogSource = "Security"
  132.                         SourceAccountName = $SourceAccountName
  133.                         SourceDomainName = $SourceAccountDomain
  134.                         TargetAccountName = $TargetAccountName
  135.                         TargetDomainName = $TargetAccountDomain
  136.                         TargetServer = $TargetServer
  137.                         Count = 1
  138.                         Times = @($ExplicitLogon.TimeGenerated)
  139.                     }
  140.  
  141.                     $ResultObj = New-Object PSObject -Property $Properties
  142.                     $ReturnInfo.Add($Key, $ResultObj)
  143.                 }
  144.                 else
  145.                 {
  146.                     $ReturnInfo[$Key].Count++
  147.                     $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated
  148.                 }
  149.             }
  150.         }
  151.  
  152.         return $ReturnInfo
  153.     }
  154.  
  155.     #Find all Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
  156.     # network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
  157.     # This is event 4624.
  158.     function Find-AllLogons
  159.     {
  160.         Param (
  161.             $SecurityLog
  162.         )
  163.  
  164.         $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
  165.         $ReturnInfo = @{}
  166.  
  167.         foreach ($Logon in $Logons)
  168.         {
  169.             $SubjectSection = $false
  170.             $NewLogonSection = $false
  171.             $NetworkInformationSection = $false
  172.             $AccountName = ""
  173.             $AccountDomain = ""
  174.             $LogonType = ""
  175.             $NewLogonAccountName = ""
  176.             $NewLogonAccountDomain = ""
  177.             $WorkstationName = ""
  178.             $SourceNetworkAddress = ""
  179.             $SourcePort = ""
  180.  
  181.             foreach ($line in $Logon.Message -Split "\r\n")
  182.             {
  183.                 if ($line -cmatch "^Subject:$")
  184.                 {
  185.                     $SubjectSection = $true
  186.                 }
  187.                 elseif ($line -cmatch "^Logon\sType:\s+(\S.*)")
  188.                 {
  189.                     $LogonType = $Matches[1]
  190.                 }
  191.                 elseif ($line -cmatch "^New\sLogon:$")
  192.                 {
  193.                     $SubjectSection = $false
  194.                     $NewLogonSection = $true
  195.                 }
  196.                 elseif ($line -cmatch "^Network\sInformation:$")
  197.                 {
  198.                     $NewLogonSection = $false
  199.                     $NetworkInformationSection = $true
  200.                 }
  201.                 elseif ($SubjectSection)
  202.                 {
  203.                     if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
  204.                     {
  205.                         $AccountName = $Matches[1]
  206.                     }
  207.                     elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
  208.                     {
  209.                         $AccountDomain = $Matches[1]
  210.                     }
  211.                 }
  212.                 elseif ($NewLogonSection)
  213.                 {
  214.                     if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
  215.                     {
  216.                         $NewLogonAccountName = $Matches[1]
  217.                     }
  218.                     elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
  219.                     {
  220.                         $NewLogonAccountDomain = $Matches[1]
  221.                     }
  222.                 }
  223.                 elseif ($NetworkInformationSection)
  224.                 {
  225.                     if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)")
  226.                     {
  227.                         $WorkstationName = $Matches[1]
  228.                     }
  229.                     elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)")
  230.                     {
  231.                         $SourceNetworkAddress = $Matches[1]
  232.                     }
  233.                     elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)")
  234.                     {
  235.                         $SourcePort = $Matches[1]
  236.                     }
  237.                 }
  238.             }
  239.  
  240.             #Filter out logins that don't matter
  241.             if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager"))
  242.             {
  243.                 $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
  244.                 if (-not $ReturnInfo.ContainsKey($Key))
  245.                 {
  246.                     $Properties = @{
  247.                         LogType = 4624
  248.                         LogSource = "Security"
  249.                         SourceAccountName = $AccountName
  250.                         SourceDomainName = $AccountDomain
  251.                         NewLogonAccountName = $NewLogonAccountName
  252.                         NewLogonAccountDomain = $NewLogonAccountDomain
  253.                         LogonType = $LogonType
  254.                         WorkstationName = $WorkstationName
  255.                         SourceNetworkAddress = $SourceNetworkAddress
  256.                         SourcePort = $SourcePort
  257.                         Count = 1
  258.                         Times = @($Logon.TimeGenerated)
  259.                     }
  260.  
  261.                     $ResultObj = New-Object PSObject -Property $Properties
  262.                     $ReturnInfo.Add($Key, $ResultObj)
  263.                 }
  264.                 else
  265.                 {
  266.                     $ReturnInfo[$Key].Count++
  267.                     $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
  268.                 }
  269.             }
  270.         }
  271.  
  272.         return $ReturnInfo
  273.     }
  274.  
  275.     #Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
  276.     function Find-AppLockerLogs
  277.     {
  278.         $ReturnInfo = @{}
  279.  
  280.         $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
  281.  
  282.         foreach ($Log in $AppLockerLogs)
  283.         {
  284.             $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value)
  285.             $UserName = $SID.Translate( [System.Security.Principal.NTAccount])
  286.  
  287.             $ExeName = $Log.Properties[10].Value
  288.  
  289.             $Key = $UserName.ToString() + "::::" + $ExeName
  290.  
  291.             if (!$ReturnInfo.ContainsKey($Key))
  292.             {
  293.                 $Properties = @{
  294.                     Exe = $ExeName
  295.                     User = $UserName.Value
  296.                     Count = 1
  297.                     Times = @($Log.TimeCreated)
  298.                 }
  299.  
  300.                 $Item = New-Object PSObject -Property $Properties
  301.                 $ReturnInfo.Add($Key, $Item)
  302.             }
  303.             else
  304.             {
  305.                 $ReturnInfo[$Key].Count++
  306.                 $ReturnInfo[$Key].Times += ,$Log.TimeCreated
  307.             }
  308.         }
  309.  
  310.         return $ReturnInfo
  311.     }
  312.  
  313.     #Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
  314.     #You can then backdoor these scripts or do other malicious things.
  315.     Function Find-PSScriptsInPSAppLog
  316.     {
  317.         $ReturnInfo = @{}
  318.         $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
  319.  
  320.         foreach ($Log in $Logs)
  321.         {
  322.             $ContainsScriptName = $false
  323.             $LogDetails = $Log.Message -split "`r`n"
  324.  
  325.             $FoundScriptName = $false
  326.             foreach($Line in $LogDetails)
  327.             {
  328.                 if ($Line -imatch "^\s*Script\sName\s=\s(.+)")
  329.                 {
  330.                     $ScriptName = $Matches[1]
  331.                     $FoundScriptName = $true
  332.                 }
  333.                 elseif ($Line -imatch "^\s*User\s=\s(.*)")
  334.                 {
  335.                     $User = $Matches[1]
  336.                 }
  337.             }
  338.  
  339.             if ($FoundScriptName)
  340.             {
  341.                 $Key = $ScriptName + "::::" + $User
  342.  
  343.                 if (!$ReturnInfo.ContainsKey($Key))
  344.                 {
  345.                     $Properties = @{
  346.                         ScriptName = $ScriptName
  347.                         UserName = $User
  348.                         Count = 1
  349.                         Times = @($Log.TimeCreated)
  350.                     }
  351.  
  352.                     $Item = New-Object PSObject -Property $Properties
  353.                     $ReturnInfo.Add($Key, $Item)
  354.                 }
  355.                 else
  356.                 {
  357.                     $ReturnInfo[$Key].Count++
  358.                     $ReturnInfo[$Key].Times += ,$Log.TimeCreated
  359.                 }
  360.             }
  361.         }
  362.  
  363.         return $ReturnInfo
  364.     }
  365.  
  366.     #Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
  367.     #usually RDP's to.
  368.     Function Find-RDPClientConnections
  369.     {
  370.         $ReturnInfo = @{}
  371.  
  372.         New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
  373.  
  374.         #Attempt to enumerate the servers for all users
  375.         $Users = Get-ChildItem -Path "HKU:\"
  376.         foreach ($User in $Users.PSChildName)
  377.         {
  378.             $Servers = Get-ChildItem "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
  379.  
  380.             foreach ($Server in $Servers)
  381.             {
  382.                 $Server = $Server.PSChildName
  383.                 $UsernameHint = (Get-ItemProperty -Path "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
  384.                
  385.                 $Key = $User + "::::" + $Server + "::::" + $UsernameHint
  386.  
  387.                 if (!$ReturnInfo.ContainsKey($Key))
  388.                 {
  389.                     $Properties = @{
  390.                         CurrentUser = $User
  391.                         Server = $Server
  392.                         UsernameHint = $UsernameHint
  393.                     }
  394.  
  395.                     $Item = New-Object PSObject -Property $Properties
  396.                     $ReturnInfo.Add($Key, $Item)
  397.                 }
  398.             }
  399.         }
  400.  
  401.         return $ReturnInfo
  402.     }
  403.  
  404.  
  405.     $SecurityLog = Get-EventLog -LogName Security
  406.     $Filtered4624 = Find-AllLogons $SecurityLog
  407.     $Filtered4648 = Find-ExplicitLogons $SecurityLog
  408.     $AppLockerLogs = Find-AppLockerLogs
  409.     $PSLogs = Find-PSScriptsInPSAppLog
  410.     $RdpClientData = Find-RDPClientConnections
  411.  
  412.     if ($ToString)
  413.     {
  414.         Write-Output "Event ID 4624 (Logon):"
  415.         Write-Output $Filtered4624.Values | Format-List
  416.         Write-Output "Event ID 4648 (Explicit Credential Logon):"
  417.         Write-Output $Filtered4648.Values | Format-List
  418.         Write-Output "AppLocker Process Starts:"
  419.         Write-Output $AppLockerLogs.Values | Format-List
  420.         Write-Output "PowerShell Script Executions:"
  421.         Write-Output $PSLogs.Values | Format-List
  422.         Write-Output "RDP Client Data:"
  423.         Write-Output $RdpClientData.Values | Format-List
  424.     }
  425.     else
  426.     {
  427.         $Properties = @{
  428.             LogonEvent4624 = $Filtered4624.Values
  429.             LogonEvent4648 = $Filtered4648.Values
  430.             AppLockerProcessStart = $AppLockerLogs.Values
  431.             PowerShellScriptStart = $PSLogs.Values
  432.             RdpClientData = $RdpClientData.Values
  433.         }
  434.  
  435.         $ReturnObj = New-Object PSObject -Property $Properties
  436.         return $ReturnObj
  437.     }
  438. }
Add Comment
Please, Sign In to add comment