Separating out functions & bug fix

All info gathering pieces of this script can now be called individually. Fixed a bug where the user SID wasn't being converted to a username in the RDP function.
2014-03-02 21:18:28 -08:00 · 2014-03-02 21:18:28 -08:00 · 77bcb336e0
parent 308042f493
commit 77bcb336e0
1 changed files with 495 additions and 352 deletions
--- a/Recon/Get-ComputerDetails.ps1
+++ b/Recon/Get-ComputerDetails.ps1
@ -9,7 +9,7 @@ Function: Get-ComputerDetails
 Author: Joe Bialek, Twitter: @JosephBialek
 Required Dependencies: None
 Optional Dependencies: None
-Version: 1.0
+Version: 1.1

 .DESCRIPTION

@ -51,11 +51,77 @@ Github repo: https://github.com/clymb3r/PowerShell

    Set-StrictMode -Version 2

-    #Retrieve the 4648 logon event. This will often find cases where a user is using remote desktop to connect to another computer. It will give the 
-    #the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
-    #for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
-    function Find-ExplicitLogons
+
+
+    $SecurityLog = Get-EventLog -LogName Security
+    $Filtered4624 = Find-4624Logons $SecurityLog
+    $Filtered4648 = Find-4648Logons $SecurityLog
+    $AppLockerLogs = Find-AppLockerLogs
+    $PSLogs = Find-PSScriptsInPSAppLog
+    $RdpClientData = Find-RDPClientConnections
+
+    if ($ToString)
    {
+        Write-Output "Event ID 4624 (Logon):"
+        Write-Output $Filtered4624.Values | Format-List
+        Write-Output "Event ID 4648 (Explicit Credential Logon):"
+        Write-Output $Filtered4648.Values | Format-List
+        Write-Output "AppLocker Process Starts:"
+        Write-Output $AppLockerLogs.Values | Format-List
+        Write-Output "PowerShell Script Executions:"
+        Write-Output $PSLogs.Values | Format-List
+        Write-Output "RDP Client Data:"
+        Write-Output $RdpClientData.Values | Format-List
+    }
+    else
+    {
+        $Properties = @{
+            LogonEvent4624 = $Filtered4624.Values
+            LogonEvent4648 = $Filtered4648.Values
+            AppLockerProcessStart = $AppLockerLogs.Values
+            PowerShellScriptStart = $PSLogs.Values
+            RdpClientData = $RdpClientData.Values
+        }
+
+        $ReturnObj = New-Object PSObject -Property $Properties
+        return $ReturnObj
+    }
+}
+
+
+function Find-4648Logons
+{
+<#
+.SYNOPSIS
+
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the 
+the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
+for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
+
+Function: Find-4648Logons
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the 
+the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
+for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
+
+.EXAMPLE
+
+Find-4648Logons
+Gets the unique 4648 logon events.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
    Param(
        $SecurityLog
    )
@ -152,10 +218,37 @@ Github repo: https://github.com/clymb3r/PowerShell
    return $ReturnInfo
 }

-    #Find all Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
-    # network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
-    # This is event 4624.
-    function Find-AllLogons
+
+<#
+.SYNOPSIS
+
+Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
+network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
+
+Function: Find-4624Logons
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
+network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
+
+.EXAMPLE
+
+Find-4624Logons
+Find unique 4624 logon events.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+function Find-4624Logons
 {
    Param (
        $SecurityLog
@ -272,9 +365,36 @@ Github repo: https://github.com/clymb3r/PowerShell
    return $ReturnInfo
 }

-    #Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
+
 function Find-AppLockerLogs
 {
+<#
+.SYNOPSIS
+
+Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
+
+Function: Find-AppLockerLogs
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
+
+.EXAMPLE
+
+Find-AppLockerLogs
+Find process creations from AppLocker logs.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
    $ReturnInfo = @{}

    $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
@ -310,10 +430,38 @@ Github repo: https://github.com/clymb3r/PowerShell
    return $ReturnInfo
 }

-    #Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
-    #You can then backdoor these scripts or do other malicious things.
+
 Function Find-PSScriptsInPSAppLog
 {
+<#
+.SYNOPSIS
+
+Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
+You can then backdoor these scripts or do other malicious things.
+
+Function: Find-AppLockerLogs
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
+You can then backdoor these scripts or do other malicious things.
+
+.EXAMPLE
+
+Find-PSScriptsInPSAppLog
+Find unique PowerShell scripts being executed from the PowerShell operational log.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
    $ReturnInfo = @{}
    $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}

@ -363,29 +511,60 @@ Github repo: https://github.com/clymb3r/PowerShell
    return $ReturnInfo
 }

-    #Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user 
-    #usually RDP's to.
+
 Function Find-RDPClientConnections
 {
+<#
+.SYNOPSIS
+
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user 
+usually RDP's to.
+
+Function: Find-RDPClientConnections
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user 
+usually RDP's to.
+
+.EXAMPLE
+
+Find-RDPClientConnections
+Find unique saved RDP client connections.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
    $ReturnInfo = @{}

    New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null

    #Attempt to enumerate the servers for all users
    $Users = Get-ChildItem -Path "HKU:\"
-        foreach ($User in $Users.PSChildName)
+    foreach ($UserSid in $Users.PSChildName)
    {
-            $Servers = Get-ChildItem "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
+        $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue

        foreach ($Server in $Servers)
        {
            $Server = $Server.PSChildName
-                $UsernameHint = (Get-ItemProperty -Path "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
+            $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
                
-                $Key = $User + "::::" + $Server + "::::" + $UsernameHint
+            $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint

            if (!$ReturnInfo.ContainsKey($Key))
            {
+                $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
+                $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value
+
                $Properties = @{
                    CurrentUser = $User
                    Server = $Server
@ -400,39 +579,3 @@ Github repo: https://github.com/clymb3r/PowerShell

    return $ReturnInfo
 }
-
-
-    $SecurityLog = Get-EventLog -LogName Security
-    $Filtered4624 = Find-AllLogons $SecurityLog
-    $Filtered4648 = Find-ExplicitLogons $SecurityLog
-    $AppLockerLogs = Find-AppLockerLogs
-    $PSLogs = Find-PSScriptsInPSAppLog
-    $RdpClientData = Find-RDPClientConnections
-
-    if ($ToString)
-    {
-        Write-Output "Event ID 4624 (Logon):"
-        Write-Output $Filtered4624.Values | Format-List
-        Write-Output "Event ID 4648 (Explicit Credential Logon):"
-        Write-Output $Filtered4648.Values | Format-List
-        Write-Output "AppLocker Process Starts:"
-        Write-Output $AppLockerLogs.Values | Format-List
-        Write-Output "PowerShell Script Executions:"
-        Write-Output $PSLogs.Values | Format-List
-        Write-Output "RDP Client Data:"
-        Write-Output $RdpClientData.Values | Format-List
-    }
-    else
-    {
-        $Properties = @{
-            LogonEvent4624 = $Filtered4624.Values
-            LogonEvent4648 = $Filtered4648.Values
-            AppLockerProcessStart = $AppLockerLogs.Values
-            PowerShellScriptStart = $PSLogs.Values
-            RdpClientData = $RdpClientData.Values
-        }
-
-        $ReturnObj = New-Object PSObject -Property $Properties
-        return $ReturnObj
-    }
-}