Get-ComputerDetails.ps1

1. function Get-ComputerDetails
2. {
3. <#
4. .SYNOPSIS
5.  
6. This script is used to get useful information from a computer.
7.  
8. Function: Get-ComputerDetails
9. Author: Joe Bialek, Twitter: @JosephBialek
10. Required Dependencies: None
11. Optional Dependencies: None
12. Version: 1.0
13.  
14. .DESCRIPTION
15.  
16. This script is used to get useful information from a computer. Currently, the script gets the following information:
17. -Explicit Credential Logons (Event ID 4648)
18. -Logon events (Event ID 4624)
19. -AppLocker logs to find what processes are created
20. -PowerShell logs to find PowerShell scripts which have been executed
21. -RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
22.  
23. .PARAMETER ToString
24.  
25. Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
26.    
27. .EXAMPLE
28.  
29. Get-ComputerDetails
30. Gets information about the computer and outputs it as PowerShell objects.
31.  
32. Get-ComputerDetails -ToString
33. Gets information about the computer and outputs it as raw text.
34.  
35. .NOTES
36. This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
37. You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
38.  
39. .LINK
40.  
41. Blog: http://clymb3r.wordpress.com/
42. Github repo: https://github.com/clymb3r/PowerShell
43.  
44. #>
45.  
46.     Param(
47.         [Parameter(Position=0)]
48.         [Switch]
49.         $ToString
50.     )
51.  
52.     Set-StrictMode -Version 2
53.  
54.     #Retrieve the 4648 logon event. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
55.     #the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
56.     #for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
57.     function Find-ExplicitLogons
58.     {
59.         Param(
60.             $SecurityLog
61.         )
62.  
63.         $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
64.         $ReturnInfo = @{}
65.  
66.         foreach ($ExplicitLogon in $ExplicitLogons)
67.         {
68.             $Subject = $false
69.             $AccountWhosCredsUsed = $false
70.             $TargetServer = $false
71.             $SourceAccountName = ""
72.             $SourceAccountDomain = ""
73.             $TargetAccountName = ""
74.             $TargetAccountDomain = ""
75.             $TargetServer = ""
76.             foreach ($line in $ExplicitLogon.Message -split "\r\n")
77.             {
78.                 if ($line -cmatch "^Subject:$")
79.                 {
80.                     $Subject = $true
81.                 }
82.                 elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$")
83.                 {
84.                     $Subject = $false
85.                     $AccountWhosCredsUsed = $true
86.                 }
87.                 elseif ($line -cmatch "^Target\sServer:")
88.                 {
89.                     $AccountWhosCredsUsed = $false
90.                     $TargetServer = $true
91.                 }
92.                 elseif ($Subject -eq $true)
93.                 {
94.                     if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
95.                     {
96.                         $SourceAccountName = $Matches[1]
97.                     }
98.                     elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
99.                     {
100.                         $SourceAccountDomain = $Matches[1]
101.                     }
102.                 }
103.                 elseif ($AccountWhosCredsUsed -eq $true)
104.                 {
105.                     if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
106.                     {
107.                         $TargetAccountName = $Matches[1]
108.                     }
109.                     elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
110.                     {
111.                         $TargetAccountDomain = $Matches[1]
112.                     }
113.                 }
114.                 elseif ($TargetServer -eq $true)
115.                 {
116.                     if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)")
117.                     {
118.                         $TargetServer = $Matches[1]
119.                     }
120.                 }
121.             }
122.  
123.             #Filter out logins that don't matter
124.             if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$"))
125.             {
126.                 $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer
127.                 if (-not $ReturnInfo.ContainsKey($Key))
128.                 {
129.                     $Properties = @{
130.                         LogType = 4648
131.                         LogSource = "Security"
132.                         SourceAccountName = $SourceAccountName
133.                         SourceDomainName = $SourceAccountDomain
134.                         TargetAccountName = $TargetAccountName
135.                         TargetDomainName = $TargetAccountDomain
136.                         TargetServer = $TargetServer
137.                         Count = 1
138.                         Times = @($ExplicitLogon.TimeGenerated)
139.                     }
140.  
141.                     $ResultObj = New-Object PSObject -Property $Properties
142.                     $ReturnInfo.Add($Key, $ResultObj)
143.                 }
144.                 else
145.                 {
146.                     $ReturnInfo[$Key].Count++
147.                     $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated
148.                 }
149.             }
150.         }
151.  
152.         return $ReturnInfo
153.     }
154.  
155.     #Find all Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
156.     # network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
157.     # This is event 4624.
158.     function Find-AllLogons
159.     {
160.         Param (
161.             $SecurityLog
162.         )
163.  
164.         $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
165.         $ReturnInfo = @{}
166.  
167.         foreach ($Logon in $Logons)
168.         {
169.             $SubjectSection = $false
170.             $NewLogonSection = $false
171.             $NetworkInformationSection = $false
172.             $AccountName = ""
173.             $AccountDomain = ""
174.             $LogonType = ""
175.             $NewLogonAccountName = ""
176.             $NewLogonAccountDomain = ""
177.             $WorkstationName = ""
178.             $SourceNetworkAddress = ""
179.             $SourcePort = ""
180.  
181.             foreach ($line in $Logon.Message -Split "\r\n")
182.             {
183.                 if ($line -cmatch "^Subject:$")
184.                 {
185.                     $SubjectSection = $true
186.                 }
187.                 elseif ($line -cmatch "^Logon\sType:\s+(\S.*)")
188.                 {
189.                     $LogonType = $Matches[1]
190.                 }
191.                 elseif ($line -cmatch "^New\sLogon:$")
192.                 {
193.                     $SubjectSection = $false
194.                     $NewLogonSection = $true
195.                 }
196.                 elseif ($line -cmatch "^Network\sInformation:$")
197.                 {
198.                     $NewLogonSection = $false
199.                     $NetworkInformationSection = $true
200.                 }
201.                 elseif ($SubjectSection)
202.                 {
203.                     if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
204.                     {
205.                         $AccountName = $Matches[1]
206.                     }
207.                     elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
208.                     {
209.                         $AccountDomain = $Matches[1]
210.                     }
211.                 }
212.                 elseif ($NewLogonSection)
213.                 {
214.                     if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
215.                     {
216.                         $NewLogonAccountName = $Matches[1]
217.                     }
218.                     elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
219.                     {
220.                         $NewLogonAccountDomain = $Matches[1]
221.                     }
222.                 }
223.                 elseif ($NetworkInformationSection)
224.                 {
225.                     if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)")
226.                     {
227.                         $WorkstationName = $Matches[1]
228.                     }
229.                     elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)")
230.                     {
231.                         $SourceNetworkAddress = $Matches[1]
232.                     }
233.                     elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)")
234.                     {
235.                         $SourcePort = $Matches[1]
236.                     }
237.                 }
238.             }
239.  
240.             #Filter out logins that don't matter
241.             if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager"))
242.             {
243.                 $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
244.                 if (-not $ReturnInfo.ContainsKey($Key))
245.                 {
246.                     $Properties = @{
247.                         LogType = 4624
248.                         LogSource = "Security"
249.                         SourceAccountName = $AccountName
250.                         SourceDomainName = $AccountDomain
251.                         NewLogonAccountName = $NewLogonAccountName
252.                         NewLogonAccountDomain = $NewLogonAccountDomain
253.                         LogonType = $LogonType
254.                         WorkstationName = $WorkstationName
255.                         SourceNetworkAddress = $SourceNetworkAddress
256.                         SourcePort = $SourcePort
257.                         Count = 1
258.                         Times = @($Logon.TimeGenerated)
259.                     }
260.  
261.                     $ResultObj = New-Object PSObject -Property $Properties
262.                     $ReturnInfo.Add($Key, $ResultObj)
263.                 }
264.                 else
265.                 {
266.                     $ReturnInfo[$Key].Count++
267.                     $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
268.                 }
269.             }
270.         }
271.  
272.         return $ReturnInfo
273.     }
274.  
275.     #Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
276.     function Find-AppLockerLogs
277.     {
278.         $ReturnInfo = @{}
279.  
280.         $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
281.  
282.         foreach ($Log in $AppLockerLogs)
283.         {
284.             $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value)
285.             $UserName = $SID.Translate( [System.Security.Principal.NTAccount])
286.  
287.             $ExeName = $Log.Properties[10].Value
288.  
289.             $Key = $UserName.ToString() + "::::" + $ExeName
290.  
291.             if (!$ReturnInfo.ContainsKey($Key))
292.             {
293.                 $Properties = @{
294.                     Exe = $ExeName
295.                     User = $UserName.Value
296.                     Count = 1
297.                     Times = @($Log.TimeCreated)
298.                 }
299.  
300.                 $Item = New-Object PSObject -Property $Properties
301.                 $ReturnInfo.Add($Key, $Item)
302.             }
303.             else
304.             {
305.                 $ReturnInfo[$Key].Count++
306.                 $ReturnInfo[$Key].Times += ,$Log.TimeCreated
307.             }
308.         }
309.  
310.         return $ReturnInfo
311.     }
312.  
313.     #Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
314.     #You can then backdoor these scripts or do other malicious things.
315.     Function Find-PSScriptsInPSAppLog
316.     {
317.         $ReturnInfo = @{}
318.         $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
319.  
320.         foreach ($Log in $Logs)
321.         {
322.             $ContainsScriptName = $false
323.             $LogDetails = $Log.Message -split "`r`n"
324.  
325.             $FoundScriptName = $false
326.             foreach($Line in $LogDetails)
327.             {
328.                 if ($Line -imatch "^\s*Script\sName\s=\s(.+)")
329.                 {
330.                     $ScriptName = $Matches[1]
331.                     $FoundScriptName = $true
332.                 }
333.                 elseif ($Line -imatch "^\s*User\s=\s(.*)")
334.                 {
335.                     $User = $Matches[1]
336.                 }
337.             }
338.  
339.             if ($FoundScriptName)
340.             {
341.                 $Key = $ScriptName + "::::" + $User
342.  
343.                 if (!$ReturnInfo.ContainsKey($Key))
344.                 {
345.                     $Properties = @{
346.                         ScriptName = $ScriptName
347.                         UserName = $User
348.                         Count = 1
349.                         Times = @($Log.TimeCreated)
350.                     }
351.  
352.                     $Item = New-Object PSObject -Property $Properties
353.                     $ReturnInfo.Add($Key, $Item)
354.                 }
355.                 else
356.                 {
357.                     $ReturnInfo[$Key].Count++
358.                     $ReturnInfo[$Key].Times += ,$Log.TimeCreated
359.                 }
360.             }
361.         }
362.  
363.         return $ReturnInfo
364.     }
365.  
366.     #Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
367.     #usually RDP's to.
368.     Function Find-RDPClientConnections
369.     {
370.         $ReturnInfo = @{}
371.  
372.         New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
373.  
374.         #Attempt to enumerate the servers for all users
375.         $Users = Get-ChildItem -Path "HKU:\"
376.         foreach ($User in $Users.PSChildName)
377.         {
378.             $Servers = Get-ChildItem "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
379.  
380.             foreach ($Server in $Servers)
381.             {
382.                 $Server = $Server.PSChildName
383.                 $UsernameHint = (Get-ItemProperty -Path "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
384.                
385.                 $Key = $User + "::::" + $Server + "::::" + $UsernameHint
386.  
387.                 if (!$ReturnInfo.ContainsKey($Key))
388.                 {
389.                     $Properties = @{
390.                         CurrentUser = $User
391.                         Server = $Server
392.                         UsernameHint = $UsernameHint
393.                     }
394.  
395.                     $Item = New-Object PSObject -Property $Properties
396.                     $ReturnInfo.Add($Key, $Item)
397.                 }
398.             }
399.         }
400.  
401.         return $ReturnInfo
402.     }
403.  
404.  
405.     $SecurityLog = Get-EventLog -LogName Security
406.     $Filtered4624 = Find-AllLogons $SecurityLog
407.     $Filtered4648 = Find-ExplicitLogons $SecurityLog
408.     $AppLockerLogs = Find-AppLockerLogs
409.     $PSLogs = Find-PSScriptsInPSAppLog
410.     $RdpClientData = Find-RDPClientConnections
411.  
412.     if ($ToString)
413.     {
414.         Write-Output "Event ID 4624 (Logon):"
415.         Write-Output $Filtered4624.Values | Format-List
416.         Write-Output "Event ID 4648 (Explicit Credential Logon):"
417.         Write-Output $Filtered4648.Values | Format-List
418.         Write-Output "AppLocker Process Starts:"
419.         Write-Output $AppLockerLogs.Values | Format-List
420.         Write-Output "PowerShell Script Executions:"
421.         Write-Output $PSLogs.Values | Format-List
422.         Write-Output "RDP Client Data:"
423.         Write-Output $RdpClientData.Values | Format-List
424.     }
425.     else
426.     {
427.         $Properties = @{
428.             LogonEvent4624 = $Filtered4624.Values
429.             LogonEvent4648 = $Filtered4648.Values
430.             AppLockerProcessStart = $AppLockerLogs.Values
431.             PowerShellScriptStart = $PSLogs.Values
432.             RdpClientData = $RdpClientData.Values
433.         }
434.  
435.         $ReturnObj = New-Object PSObject -Property $Properties
436.         return $ReturnObj
437.     }
438. }