<#
.SYNOPSIS
Find hostnames of devices that are using a specific account for authentication
This script is designed to be run on each Domain Controller in order to snuff out the use of the built-in Administrator account (4624 logon events are recorded on the DC that authenticated the logon, so every DC has to be checked).
.INPUTS
None
.NOTES
Version : 1.0
Author : Michael Mardahl
Twitter : @michael_mardahl
Blogging on : www.msendpointmgr.com
Creation Date : 9th February 2022
Purpose/Change: Initial script
License : MIT (Leave author credits)
.EXAMPLE
Execute script as system or administrator
.\invoke-ScanForAdmin.ps1
.NOTES
Some blanks might appear if there is no IP or DNS resolution.
#>
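#region declarations
$username = "Administrator" #replace with the username you are scanning the security log for
$outputCSV = ".\results.csv" #path and filename to export csv to
#endregion declarations
#region execute
# Only successful logons (event ID 4624) are counted; failed attempts (4625) are out of
# scope for this script.
# Filter on the event ID server-side instead of pulling the entire Security log and
# discarding everything that is not a 4624 in a where-object afterwards.
# -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating "No events were
# found" error when nothing matches; treat that as "no logons" rather than as a failure.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue

#scanning eventlog results for IPadressess and counting results per IP.
# Each event is read through its XML EventData rather than a wildcard match on the
# rendered message text. "*$username*" also matched the Subject (initiating) account
# and any account whose name merely contained the string, and splitting the
# "Source Network Address:" line on ":" truncated IPv6 addresses such as ::1 to "".
$ipadresses = @{}
foreach ($event in $events) {
    $data = ([xml]$event.ToXml()).Event.EventData.Data
    $targetUser = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    # -eq is case-insensitive in PowerShell, which matches how Windows treats account names.
    if ($targetUser -ne $username) { continue }

    $hostip = ([string]($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text').Trim()
    if ($ipadresses.ContainsKey($hostip)) {
        $ipadresses[$hostip]++
    } else {
        Write-Verbose $hostip -Verbose
        $ipadresses[$hostip] = 1
    }
}

#Building list of hostnames via DNS results and putting into an array of custom objects
# NOTE: the reverse-DNS name is advisory only - PTR records are controlled by whoever
# owns the reverse zone for that address. Treat the IP as the authoritative value.
$hosts = @(foreach ($ip in $ipadresses.Keys) {
    $hostname = ''
    # 4624 records "-" when there is no source address (e.g. console logons); don't hand
    # that, or an empty string, to Resolve-DnsName.
    if ($ip -and $ip -ne '-') {
        $hostname = [string](Resolve-DnsName $ip -ErrorAction SilentlyContinue).NameHost
    }
    [PSCustomObject]@{
        ip       = $ip
        hostname = $hostname
        count    = $ipadresses[$ip]
    }
})
# -NoTypeInformation drops the "#TYPE" header line so the CSV loads cleanly in other tools.
$hosts | Export-Csv $outputCSV -Force -NoTypeInformation
$hosts
#endregion execute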