/// <summary>
/// WaitForEvent2 where "2" designates alternate event subscription paradigm of waiting for event
/// </summary>
/// <param name="eventId"></param>
/// <param name="source"></param>
/// <param name="entryType"></param>
/// <param name="timeOutSeconds"></param>
/// <param name="action"></param>
/// <param name="expectedEventCount"></param>
/// <returns></returns>
public static bool WaitForEvent2(int eventId, string eventMessage, string source, EventLogEntryType entryType,
int timeOutSeconds,
Action action, int expectedEventCount)
{
lock (_lock)
{
//really intended for single threaded tests - locking this region just in case
_found = false;
_signal = new AutoResetEvent(false);
_eventCount = expectedEventCount;
EventLogWatcher watcher = null;
//try
//{
int level = -1;
switch (entryType)
{
case EventLogEntryType.Information:
level = 4;
break;
case EventLogEntryType.Warning:
level = 3;
break;
case EventLogEntryType.Error:
level = 2;
break;
}
//The following if check is for use when you check for multiple events in subsequent, separate calls -e.g.
//WaitForEvent2(1000, ....); --> Here the event subscription will kick in looking for 1000...alll the while 2000 events may be logged
//WaitForEvent2(2000, ....); --> 2000 events already logged won't be caught
//cff: there is a theoretical threading issue if you do the above
int eventsExist = CheckEventCount(eventId, eventMessage, entryType);
_eventCount -= eventsExist;
if (_eventCount == 0)
{
_found = true;
}
else
{
//here's where the theoretical threading issue occurs ONLY if you are doing two subsequent WaitForEvent2's
//inbetween if the if statement above and the subscription below
EventLogQuery subscriptionQuery = new EventLogQuery(
"Application", PathType.LogName,
string.Format("*[System[Provider[@Name='{0}'] and (EventID={1}) and (Level={2})]]", source,
eventId,
level));
using (watcher = new EventLogWatcher(subscriptionQuery))
{
// Make the watcher listen to the EventRecordWritten
// events. When this event happens, the callback method
// (EventLogEventRead) is called.
watcher.EventRecordWritten +=
EventLogEventRead;
// Activate the subscription
watcher.Enabled = true;
action();
_signal.WaitOne(timeOutSeconds * 1000);
watcher.Enabled = false;
}
//if (_eventCount > 0)
//{
eventsExist = CheckEventCount(eventId, eventMessage, entryType);
if (eventsExist == expectedEventCount)
{
_found = true;
}
else
{
_found = false;
}
//}
}
}
return(_found);
}
static public void InsertEventLog()
{
if (Triger)
{
Console.WriteLine("Already On");
return;
}
else
{
Console.WriteLine("LogSearchStart");
Triger = true;
}
EvLogPara nevlp = new EvLogPara("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "");
EvLogPara oevlp = new EvLogPara("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "");
TC_2 = TC_1;
StringBuilder sb = new StringBuilder();
const string queryString = @"<QueryList>
<Query Id=""0"" Path=""Security"">
<Select Path=""Security"">*</Select>
</Query>
</QueryList>";
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
eventsQuery.ReverseDirection = true;
EventLogReader logReader = new EventLogReader(eventsQuery);
//string g_ConnectionStr = @"Data Source=192.168.10.230,7100;Initial Catalog=arcon;Integrated Security=False;User ID=arconsa;Password=arconsa@pass0;Connect Timeout=5;Encrypt=False;TrustServerCertificate=False";
string g_ConnectionStr = @"Data Source=127.0.0.1,1433;Initial Catalog=Eventlog;Integrated Security=False;User ID=eventsa;Password=eventsa@pass0;Connect Timeout=5;Encrypt=False;TrustServerCertificate=False";
SqlCommand sqlCmd = new SqlCommand();
SqlConnection sqlCon = new SqlConnection(g_ConnectionStr);
for (EventRecord eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent())
{
foreach (var VARIABLE in eventInstance.Properties)
{
if (!VARIABLE.Value.ToString().Contains(g_FoldertoSearch))
{
continue;
}
if (!TF)
{
if (DateTime.Compare(TC_2, (DateTime)eventInstance.TimeCreated) != -1)
{
continue;
}
}
try
{
if ((eventInstance.TaskDisplayName.ToString() == LanguageFilter[0] || eventInstance.TaskDisplayName.ToString() == LanguageFilter[1] || eventInstance.TaskDisplayName.ToString() == LanguageFilter[2]))
{
if (eventInstance.Id.ToString() == "4656")//본인 PC
{
if (eventInstance.Properties[6].Value.ToString().Replace(g_FoldertoSearch, "").Length != 0)
{
nevlp.LoadTime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.sss");
nevlp.EventID = eventInstance.Id.ToString();
nevlp.UserName = eventInstance.Properties[1].Value.ToString();
nevlp.DomainName = eventInstance.Properties[2].Value.ToString();
nevlp.LogonID = eventInstance.Properties[3].Value.ToString();
nevlp.Information = eventInstance.Properties[4].Value.ToString();
nevlp.Subject = eventInstance.Properties[5].Value.ToString();
nevlp.PC_IPAddress = "";
nevlp.PC_Port = "";
nevlp.ShareName = "";
nevlp.ShareLocalPath = eventInstance.Properties[6].Value.ToString();
nevlp.FileName = Path.GetFileName(eventInstance.Properties[6].Value.ToString());
nevlp.AccessMask = "";
nevlp.AccessList = DataReplace(eventInstance.Properties[9].Value.ToString());
nevlp.AccessReason = DataReplace(eventInstance.Properties[10].Value.ToString());
nevlp.EventTime = eventInstance.TimeCreated.Value.ToString("yyyy-MM-dd HH:mm:ss.sss");
Console.WriteLine("==============================================================");
Console.WriteLine("LoadTime " + nevlp.LoadTime);
Console.WriteLine("EventID : " + nevlp.EventID);
Console.WriteLine("UserName : "******"DomainName : " + nevlp.DomainName);
Console.WriteLine("LogonID : " + nevlp.LogonID);
Console.WriteLine("Information : " + nevlp.Information);
Console.WriteLine("Subject : " + nevlp.Subject);
Console.WriteLine("ShareLocalPath : " + nevlp.ShareLocalPath);
Console.WriteLine("FileName : " + nevlp.FileName);
Console.WriteLine("AccessList : \n" + nevlp.AccessList);
Console.WriteLine("AccessReason : \n" + nevlp.AccessReason);
Console.WriteLine("EventTime: " + nevlp.EventTime);
}
}
if (eventInstance.Id.ToString() == "5145")//공유 폴더
{
if (eventInstance.Properties[9].Value.ToString().Replace("\\", "").Length != 0 && eventInstance.TaskDisplayName.ToString() == LanguageFilter[1])
{
nevlp.LoadTime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.sss");
nevlp.EventID = eventInstance.Id.ToString();
nevlp.UserName = eventInstance.Properties[1].Value.ToString();
nevlp.DomainName = eventInstance.Properties[2].Value.ToString();
nevlp.Subject = eventInstance.Properties[4].Value.ToString();
nevlp.LogonID = eventInstance.Properties[3].Value.ToString();
nevlp.PC_IPAddress = eventInstance.Properties[5].Value.ToString();
nevlp.PC_Port = eventInstance.Properties[6].Value.ToString();
nevlp.ShareName = eventInstance.Properties[7].Value.ToString();
nevlp.ShareLocalPath = eventInstance.Properties[8].Value.ToString();
nevlp.FileName = eventInstance.Properties[9].Value.ToString();
nevlp.AccessMask = eventInstance.Properties[10].Value.ToString();
nevlp.AccessList = DataReplace(eventInstance.Properties[11].Value.ToString());
nevlp.AccessReason = DataReplace(eventInstance.Properties[12].Value.ToString());
nevlp.EventTime = eventInstance.TimeCreated.Value.ToString("yyyy-MM-dd HH:mm:ss.sss");
nevlp.Information = "";
Console.WriteLine("==============================================================");
Console.WriteLine("LoadTime " + nevlp.LoadTime);
Console.WriteLine("EventID : " + nevlp.EventID);
Console.WriteLine("UserName : "******"DomainName : " + nevlp.DomainName);
Console.WriteLine("Subject : " + nevlp.Subject);
Console.WriteLine("LogonID : " + nevlp.LogonID);
Console.WriteLine("PC_IPAddress : " + nevlp.PC_IPAddress);
Console.WriteLine("PC_Port : " + nevlp.PC_Port);
Console.WriteLine("ShareName: " + nevlp.ShareName);
Console.WriteLine("ShareLocalPath : " + nevlp.ShareLocalPath);
Console.WriteLine("FileName: " + nevlp.FileName);
Console.WriteLine("AccessMask : " + nevlp.AccessMask);
Console.WriteLine("AccessList : \n" + nevlp.AccessList);
Console.WriteLine("AccessReason : \n" + nevlp.AccessReason);
Console.WriteLine("CreateTime : " + nevlp.EventTime);
}
}
}
if (nevlp.EventID != "" && hasing(oevlp, nevlp))
{
sqlCon.Open();
sqlCmd.Connection = sqlCon;
sqlCmd.CommandText = $"INSERT INTO Eventlog.dbo.EventLogView(LoadTime, EventID, UserName, DomainName, Subject, PC_IPAddress, PC_Port, ShareName, ShareLocalPath, FileName, AccessMask, AccessList, AccessReason, EventTime, LogonID, Information)" +
$" VALUES ('" + nevlp.LoadTime + "','" + nevlp.EventID + "','" + nevlp.UserName + "','" + nevlp.DomainName + "','" + nevlp.Subject + "','" + nevlp.PC_IPAddress + "','" + nevlp.PC_Port + "','" + nevlp.ShareName + "','" + nevlp.ShareLocalPath + "','" + nevlp.FileName + "','" + nevlp.AccessMask + "','" + nevlp.AccessList + "','" + nevlp.AccessReason + "','" + nevlp.EventTime + "','" + nevlp.LogonID + "','" + nevlp.Information + "')";
oevlp = nevlp;
sqlCmd.ExecuteNonQuery();
sqlCon.Close();
if (DateTime.Compare(TC_1, (DateTime)eventInstance.TimeCreated) == -1)
{
TC_1 = (DateTime)eventInstance.TimeCreated;
}
TF = false;
Console.WriteLine("insert Data");
}
}
catch (Exception e2)
{
sqlCon.Close();
Console.WriteLine(e2.Message);
}
}
}
Triger = false;
}
/// <summary>
/// Stop the agent
/// </summary>
protected override void OnStopAgent()
{
watcher.Enabled = false;
watcher = null;
query = null;
}
public override IEnumerable <CommandDTOBase?> Execute(string[] args)
{
// adapted from @djhohnstein's EventLogParser project
// https://github.com/djhohnstein/EventLogParser/blob/master/EventLogParser/EventLogHelpers.cs
// combined with scraping from https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands
WriteVerbose($"Searching script block logs (EID 4104) for sensitive data.\n");
var context = 3; // number of lines around the match to display
string[] powershellLogs = { "Microsoft-Windows-PowerShell/Operational", "Windows PowerShell" };
// Get our "sensitive" cmdline regexes from a common helper function.
var powershellRegex = MiscUtil.GetProcessCmdLineRegex();
foreach (var logName in powershellLogs)
{
var query = "*[System/EventId=4104]";
var eventLogQuery = new EventLogQuery(logName, PathType.LogName, query)
{
ReverseDirection = true
};
var logReader = new EventLogReader(eventLogQuery);
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
var scriptBlock = eventDetail.Properties[2].Value.ToString();
foreach (var reg in powershellRegex)
{
var m = reg.Match(scriptBlock);
if (!m.Success)
{
continue;
}
var contextLines = new List <string>();
var scriptBlockParts = scriptBlock.Split('\n');
for (var i = 0; i < scriptBlockParts.Length; i++)
{
if (!scriptBlockParts[i].Contains(m.Value))
{
continue;
}
var printed = 0;
for (var j = 1; i - j > 0 && printed < context; j++)
{
if (scriptBlockParts[i - j].Trim() == "")
{
continue;
}
contextLines.Add(scriptBlockParts[i - j].Trim());
printed++;
}
printed = 0;
contextLines.Add(m.Value.Trim());
for (var j = 1; printed < context && i + j < scriptBlockParts.Length; j++)
{
if (scriptBlockParts[i + j].Trim() == "")
{
continue;
}
contextLines.Add(scriptBlockParts[i + j].Trim());
printed++;
}
break;
}
var contextJoined = string.Join("\n", contextLines.ToArray());
yield return(new PowerShellEventsDTO(
eventDetail.TimeCreated,
eventDetail.Id,
$"{eventDetail.UserId}",
m.Value,
contextJoined
));
}
}
}
}
/// <summary>
/// Gets a List of int[N_BOOT_VALS] values representing the boot times.
/// <list type="bullet">
/// <item>0: BootStartTime</item>
/// <item>1: BootTime</item>
/// <item>2: MainPathBootTime</item>
/// <item>3: BootPostBootTime</item>
/// </list>
/// </summary>
/// <returns>The List.</returns>
public static List <String[]> getBootTimes()
{
//String queryString = "*[System/Level=2]"; // XPATH Query
String queryString = "*"; // XPATH Query
String logName = "Microsoft-Windows-Diagnostics-Performance/Operational";
PathType pathType = PathType.LogName;
List <String[]> list = new List <String[]>();
EventLogQuery eventsQuery = new EventLogQuery(logName, pathType, queryString);
int nItems = 0;
try {
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventInstance = logReader.ReadEvent();
eventInstance != null; eventInstance = logReader.ReadEvent())
{
if (eventInstance.Id != 100)
{
continue;
}
String[] vals = new String[N_BOOT_VALS];
list.Add(vals);
String xml = eventInstance.ToXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(xml);
// Assign a prefix to allow accessing the namespace. Select without a namespace
// gives only items not in a namespace. All of ours are in the
// http://schemas.microsoft.com/win/2004/08/events/event namespace. Thus,
// we need to specify the namespace.
XmlNamespaceManager namespaceManager = new XmlNamespaceManager(doc.NameTable);
namespaceManager.AddNamespace("ms",
"http://schemas.microsoft.com/win/2004/08/events/event");
XPathNavigator nav = doc.CreateNavigator();
XPathNodeIterator iter;
int count;
for (int i = 0; i < N_BOOT_VALS; i++)
{
iter =
nav.Select("/ms:Event/ms:EventData/ms:Data[@Name='" + BOOT_DATA_NAMES[i] + "']",
namespaceManager);
count = iter.Count;
if (count == 0)
{
vals[i] = "NA";
}
else
{
iter.MoveNext();
vals[i] = iter.Current.Value;
}
}
nItems++;
}
} catch (EventLogNotFoundException ex) {
Console.WriteLine(excMsgLocal("Could not find the " + logName + "log", ex));
return(null);
} catch (Exception ex) {
Console.WriteLine(excMsgLocal("Error in getBootTimes", ex));
return(null);
}
return(list);
}
public static void Main(string[] args)
{
int exitCode = 0;
String path = "";
String query = "*";
bool reverseDirection = false;
UInt32 count = UInt32.MaxValue;
String format = "xml";
PathType pathType = PathType.LogName;
try
{
//
// Parse the command line.
//
if (args.Length == 0)
{
Console.WriteLine("Error: No parameters provided.");
PrintUsage();
Environment.Exit(1);
}
if (args[0] == "/?" || args[0] == "-?")
{
PrintUsage();
Environment.Exit(1);
}
path = args[0];
char[] delimiters = { ':' };
for (int i = 1; i < args.Length; i++)
{
String option = args[i].Substring(1);
String[] words = option.Split(delimiters, 2);
words[0] = words[0].ToLower(CultureInfo.InvariantCulture);
switch (words[0])
{
case "logfile":
case "lf":
pathType = PathType.FilePath;
break;
case "query":
case "q":
query = words[1];
break;
case "reversedirection":
case "rd":
reverseDirection = true;
break;
case "count":
case "c":
count = Convert.ToUInt32(words[1], CultureInfo.InvariantCulture);
break;
case "format":
case "f":
format = words[1].ToLower(CultureInfo.InvariantCulture);
if (format != "text" && format != "xml")
{
throw (new Exception(String.Format(CultureInfo.InvariantCulture, "Unrecognized format option: {0}.", format)));
}
break;
default:
throw (new Exception(String.Format(CultureInfo.InvariantCulture, "Unrecognized parameter option: {0}.", words[0])));
}
}
//
// Query the event log.
//
EventLogQuery queryObj = new EventLogQuery(path, pathType, query);
queryObj.ReverseDirection = reverseDirection;
queryObj.TolerateQueryErrors = true; // Continue to read events even if an error occurs.
EventLogReader reader = new EventLogReader(queryObj);
TimeSpan timeout = new TimeSpan(0, 0, 5);
EventRecord eventRecord = null;
UInt32 eventsRead = 0;
while (((eventRecord = reader.ReadEvent(timeout)) != null) && (eventsRead++ < count))
{
if (format == "xml")
{
Console.WriteLine("\n" + eventRecord.ToXml());
}
else if (format == "text")
{
Console.WriteLine("Source:\t\t" + eventRecord.ProviderName);
Console.WriteLine("Description:\t" + eventRecord.FormatDescription() + "\n");
}
}
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("You do not have the correct permissions. " +
"Try re-running the sample with administrator privileges.\n" + e.ToString());
exitCode = 1;
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
exitCode = 1;
}
Environment.Exit(exitCode);
}
public void CollectWinRMEvents()
{
//Check if log path is created
if (!(Directory.Exists(RemoteNotifyLogsPath)))
{
Directory.CreateDirectory(RemoteNotifyLogsPath);
}
//Check if log is created
if (!(File.Exists(RemoteNotifyLogsPath + "\\" + LogName)))
{
//create CSV File and add Header column names
using (StreamWriter writer = File.CreateText(RemoteNotifyLogsPath + "\\" + LogName))
{
writer.WriteLine("TimeGenerated,TimeLogged,TimeCollectedByRemoteNotify,InstanceID,MachineName,Message,SourceApplication,UserResponsible,State,OwningPID,OwningProcessName,ConnectionGuid");
}
}
while (true)
{
try
{
//Have it run every second
Thread.Sleep(1000);
//Check if windows log exists
if (File.Exists(WindowsLogDirectory + "\\" + "Microsoft-Windows-WinRM%4Operational.evtx"))
{
String LastRecordedEventTime = LastLogCollectedTime();
EventLogQuery WinRMEventLogQuery;
if (LastRecordedEventTime == "")
{
WinRMEventLogQuery = new EventLogQuery(WindowsLogDirectory + "\\" + "Microsoft-Windows-WinRM%4Operational.evtx", PathType.FilePath);
bool test = File.Exists(WindowsLogDirectory + "\\" + "Microsoft-Windows-WinRM%4Operational.evtx");
}
else
{
// Only return events since last recorded event
String QueryString = "*[System[TimeCreated[@SystemTime >= \'" + LastRecordedEventTime + "\']]]";
WinRMEventLogQuery = new EventLogQuery(WindowsLogDirectory + "\\" + "Microsoft-Windows-WinRM%4Operational.evtx", PathType.FilePath, QueryString);
bool test = File.Exists(WindowsLogDirectory + "\\" + "Microsoft-Windows-WinRM%4Operational.evtx");
}
EventLogReader logReader;
try
{
// Query the log and create a stream of selected events
logReader = new EventLogReader(WinRMEventLogQuery);
}
catch (EventLogNotFoundException)
{
return; //Failed to query the WinRM log!
}
for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
{
String eventXml = eventInstance.ToXml();
Console.WriteLine(eventXml);
using (StreamWriter writer = new StreamWriter(RemoteNotifyLogsPath + "\\" + LogName, true))
{
writer.WriteLine(eventXml);
}
}
//Write to log if originating by Winrm
//using (StreamWriter writer = new StreamWriter(RemoteNotifyLogsPath + "\\" + LogName, true))
//{
// writer.WriteLine(LogEntry.TimeGenerated.ToString() + "," +
// DateTime.Now.ToString() + "," +
// LogEntry.TimeWritten.ToString() + "," +
// LogEntry.InstanceId.ToString() + "," +
// LogEntry.MachineName.ToString() + "," +
// LogEntry.Message.ToString() + "," +
// LogEntry.Source.ToString() + "," +
// LogEntry.UserName.ToString() + "," +
// + "," +
// Process.GetProcessById(checked((int)Connection.Connection.owningPid)).ProcessName + "," +
// Connection.ConnectionGuid.ToString()
// );
//}
}
}
catch (ThreadInterruptedException)
{
return;
}
}
}
static void Main(string[] args)
{
String logName = "Application";
String queryString = "*[System/Level=2]";
UdpClient _udpClient;
String host = "192.168.1.28";
UTF8Encoding _encoding = new UTF8Encoding();
EventLogQuery eventsQuery = new EventLogQuery(logName,
PathType.LogName, queryString);
EventLogReader logReader;
Console.WriteLine("Querying the Application channel event log for all events...");
try
{
// Query the log
logReader = new EventLogReader(eventsQuery);
}
catch (EventLogNotFoundException e)
{
Console.WriteLine("Failed to query the log!");
Console.WriteLine(e);
return;
}
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[4];
xPathRefs[0] = "Event/System/Security/@UserID";
xPathRefs[1] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[2] = "Event/System/EventID";
xPathRefs[3] = "Event/System/EventRecordID";
// Place those strings in an IEnumberable object
IEnumerable <String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
_udpClient = new UdpClient();
_udpClient.Connect(host, 5140);
int numberOfEvents = 0;
// For each event returned from the query
for (EventRecord eventInstance = logReader.ReadEvent();
eventInstance != null;
eventInstance = logReader.ReadEvent())
{
IList <object> logEventProps;
try
{
// Cast the EventRecord into an EventLogRecord to retrieve property values.
// This will fetch the event properties we requested through the
// context created by the EventLogPropertySelector
logEventProps = ((EventLogRecord)eventInstance).GetPropertyValues(logPropertyContext);
Console.WriteLine("Event {0} :", ++numberOfEvents);
Console.WriteLine("User: {0}", logEventProps[0]);
Console.WriteLine("TimeCreated: {0}", logEventProps[1]);
Console.WriteLine("EventID: {0}", logEventProps[2]);
Console.WriteLine("EventRecordID : {0}", logEventProps[3]);
// Event properties can also be retrived through the event instance
Console.WriteLine("Event Description:" + eventInstance.FormatDescription());
Console.WriteLine("MachineName: " + eventInstance.MachineName);
Console.WriteLine("=================== START ====================");
Console.WriteLine(eventInstance.ToXml());
Console.WriteLine("==============================================");
String xmlString = eventInstance.ToXml();
byte[] data = _encoding.GetBytes(xmlString);
_udpClient.Send(data, data.Length);
}
catch (Exception e)
{
Console.WriteLine("Couldn't render event!");
Console.WriteLine("Exception: Event {0} may not have an XML representation \n\n", ++numberOfEvents);
Console.WriteLine(e);
}
}
}
// Token: 0x060000DE RID: 222 RVA: 0x000051E8 File Offset: 0x000033E8
public CrimsonChannelReader(EventLogQuery query, EventLogReaderAdapter adapter = null)
{
this.Query = query;
this.reader = (adapter ?? new EventLogReaderAdapter(this.Query));
}
public static List <RemoteLogonHistory> GetLogonHistory()
{
var logonHistory = new List <RemoteLogonHistory>();
Result = new TaskResult();
const int logonEventId = 4624;
const int logoffEventIdA = 4634;
const int logoffEventIdB = 4647;
const int landeskRemoteControlEventId = 2;
string queryString =
"<QueryList><Query Id='1'>" +
"<Select Path='Security'>" +
"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and " +
"(EventID=" + logonEventId + ")]] and " +
"*[EventData[Data[@Name='LogonType'] and (Data='2' or Data='10')]] and " +
"*[EventData[Data[@Name='LogonGuid'] != '{00000000-0000-0000-0000-000000000000}']] and " +
"*[EventData[Data[@Name='LogonProcessName'] != 'seclogo']]" +
"</Select>" +
"<Select Path='Security'>" +
"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and " +
"(EventID=" + logonEventId + ")]] and " +
"*[EventData[Data[@Name='LogonType'] and (Data='2' or Data='10')]] and " +
"*[EventData[Data[@Name='TargetDomainName'] = '" + RemoteLogonSession.ComputerName.ToUpper().Trim() + "']]" +
"</Select>" +
"<Select Path='Security'>" +
//"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and " +
//"(EventID=" + logoffEventIdA + ")]] and " +
//"*[EventData[Data[@Name='LogonType'] and (Data='2' or Data='10')]] or " +
"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and " +
"(EventID=" + logoffEventIdB + ")]]" +
"</Select>" +
"<Select Path='Application'>" +
"*[System[Provider[@Name='LANDESK Remote Control Service'] and (EventID=" + landeskRemoteControlEventId + ")]]" +
"</Select>" +
"</Query></QueryList>";
try
{
var eventLogSession = new EventLogSession(RemoteLogonSession.ComputerName);
var eventLogQuery = new EventLogQuery("Security", PathType.LogName, queryString);
eventLogQuery.ReverseDirection = true;
eventLogQuery.Session = eventLogSession;
using (
GlobalVar.UseAlternateCredentials
? UserImpersonation.Impersonate(GlobalVar.AlternateUsername, GlobalVar.AlternateDomain, GlobalVar.AlternatePassword)
: null)
using (var eventLogReader = new EventLogReader(eventLogQuery))
{
for (EventRecord eventLogRecord = eventLogReader.ReadEvent(); null != eventLogRecord; eventLogRecord = eventLogReader.ReadEvent())
{
string regexString;
switch (eventLogRecord.Id)
{
case (logonEventId):
regexString = @"An account was successfully logged on.*Logon Type:\s+(?<logonType>.*?)\r" +
@".*\tAccount Name:\s+(?<accountName>.*?)\r" +
@".*\tAccount Domain:\s+(?<accountDomain>.*?)\r" +
@".*Network Information:.*Source Network Address:\s+(?<sourceIpAddress>.*?)\r";
break;
case (landeskRemoteControlEventId):
regexString = @"^Remote control action: (?<controlAction>\w+?) Remote Control Initiated from (?<sourceHostname>.*?) by user " +
@"(?<accountName>.*?), Security Type";
break;
case (logoffEventIdA):
regexString = @"An account was logged off" +
@".*Subject:.*Account Name:\s+(?<accountName>.*?)\r" +
@".*Account Domain:\s+(?<accountDomain>.*?)\r" +
@".*Logon Type:\s+(?<logonType>.*?)\r";
break;
case (logoffEventIdB):
regexString = @"User initiated logoff" +
@".*Subject:.*Account Name:\s+(?<accountName>.*?)\r" +
@".*Account Domain:\s+(?<accountDomain>.*?)\r";
break;
default:
regexString = string.Empty;
break;
}
var match = Regex.Match(eventLogRecord.FormatDescription(), regexString, RegexOptions.Singleline);
if (match.Success)
{
switch (eventLogRecord.Id)
{
case (logonEventId):
logonHistory.Add(new RemoteLogonHistory
{
LogonTime = eventLogRecord.TimeCreated.Value,
LogonDomain = match.Groups["accountDomain"].Value,
LogonName = match.Groups["accountName"].Value,
LogonType = match.Groups["logonType"].Value,
IpAddress = match.Groups["sourceIpAddress"].Value
});
break;
case (landeskRemoteControlEventId):
logonHistory.Add(new RemoteLogonHistory
{
LogonTime = eventLogRecord.TimeCreated.Value,
LogonName = match.Groups["accountName"].Value,
LogonDomain = string.Empty,
LogonType = "LANDesk",
LogonAction = match.Groups["controlAction"].Value,
IpAddress = match.Groups["sourceHostname"].Value
});
break;
case (logoffEventIdA):
logonHistory.Add(new RemoteLogonHistory
{
LogonTime = eventLogRecord.TimeCreated.Value,
LogonDomain = match.Groups["accountDomain"].Value,
LogonName = match.Groups["accountName"].Value,
LogonType = "Logoff"
});
break;
case (logoffEventIdB):
logonHistory.Add(new RemoteLogonHistory
{
LogonTime = eventLogRecord.TimeCreated.Value,
LogonDomain = match.Groups["accountDomain"].Value,
LogonName = match.Groups["accountName"].Value,
LogonType = "Logoff"
});
break;
}
}
}
Result.DidTaskSucceed = true;
}
}
catch (UnauthorizedAccessException)
{
Result.DidTaskSucceed = false;
Result.MessageBody = "This feature is currently only supported on Windows Vista and Server 2008 or higher.";
}
catch
{
Result.DidTaskSucceed = false;
}
return(logonHistory);
}
private void InitWatcher()
{
Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US"); // need to fix MS bug
if (string.IsNullOrWhiteSpace(EventDescription.Keywords))
{
if (_rxFilter != null)
{
_rxFilter = null;
}
}
else
{
_rxFilter = new Regex(EventDescription.Keywords);
}
// create X-Path query
// for example:
// *[System[Provider[@Name='.NET Runtime' or @Name='.NET Runtime Optimization Service'
// or @Name='Microsoft-Windows-Dhcp-Client'] and
// (Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and
// (EventID=1 or EventID=2 or (EventID >= 4 and EventID <= 7) )]]
StringBuilder xq = new StringBuilder();
xq.Append("*");
StringBuilder paths = new StringBuilder();
if (string.IsNullOrWhiteSpace(EventDescription.LogSources) == false && EventDescription.LogSources.StartsWith("Please") == false)
{
// add paths
string[] ps = EventDescription.LogSources.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
ps.ToList().ForEach(x => { if (paths.Length > 0)
{
paths.Append(" or ");
}
paths.Append("@Name='" + x.Trim() + "'"); });
}
StringBuilder ls = new StringBuilder();
if (EventDescription.IsCritical || EventDescription.IsError || EventDescription.IsInformation || EventDescription.IsVerbose || EventDescription.IsWarning)
{
// add levels
if (EventDescription.IsCritical)
{
ls.Append("Level=" + ((int)StandardEventLevel.Critical).ToString());
}
if (EventDescription.IsError)
{
if (ls.Length > 0)
{
ls.Append(" or ");
}
ls.Append("Level=" + ((int)StandardEventLevel.Error).ToString());
}
if (EventDescription.IsInformation)
{
if (ls.Length > 0)
{
ls.Append(" or ");
}
ls.Append("Level=" + ((int)StandardEventLevel.Informational).ToString() + " or Level=" + ((int)StandardEventLevel.LogAlways).ToString());
}
if (EventDescription.IsVerbose)
{
if (ls.Length > 0)
{
ls.Append(" or ");
}
ls.Append("Level=" + ((int)StandardEventLevel.Verbose).ToString());
}
if (EventDescription.IsWarning)
{
if (ls.Length > 0)
{
ls.Append(" or ");
}
ls.Append("Level=" + ((int)StandardEventLevel.Warning).ToString());
}
}
StringBuilder iid = new StringBuilder();
// append Event IDs (without exclude expression)
if (string.IsNullOrWhiteSpace(EventDescription.EventIds) == false)
{
// supressed IDs
supressedIDs = EventDescription.EventIds.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(x => x.Trim()).Where(x => x.StartsWith("-") == true).Select(x => x.Substring(1)).Cast <int>().ToArray();
List <string> iids = EventDescription.EventIds.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(x => x.Trim()).Where(x => x.StartsWith("-") == false).ToList();
if (iids.Where(x => x.Contains("-") == false).Count() > 0)
{
iids.Where(x => x.Contains("-") == false).ToList().ForEach(x => { if (iid.Length > 0)
{
iid.Append(" or ");
}
iid.Append("EventID = " + x); });
}
if (iids.Where(x => x.Contains("-") == true).Count() > 0)
{
iids.Where(x => x.Contains("-") == true).ToList().ForEach(x =>
{
if (iid.Length > 0)
{
iid.Append(" or ");
}
string[] xx = x.Split(new char[] { '-' });
iid.Append("(EventID >= " + xx[0] + " and EventID <= " + xx[1] + ")");
});
}
}
if (paths.Length > 0 || ls.Length > 0 || iid.Length > 0)
{
xq.Append("[System[");
if (paths.Length > 0)
{
xq.Append("Provider[");
xq.Append(paths.ToString());
xq.Append("]");
}
if (ls.Length > 0)
{
if (paths.Length > 0)
{
xq.Append(" and ");
}
xq.Append("(" + ls.ToString() + ")");
}
if (iid.Length > 0)
{
if (paths.Length > 0 || ls.Length > 0)
{
xq.Append(" and ");
}
xq.Append("(");
xq.Append(iid.ToString());
xq.Append(")");
}
xq.Append("]]");
}
EventLogQuery subscriptionQuery = new EventLogQuery(decription.EventLogName, PathType.LogName, xq.ToString());
watcher = new EventLogWatcher(subscriptionQuery);
watcher.EventRecordWritten += new EventHandler <EventRecordWrittenEventArgs>(EventLogEventRead);
}
public void OnSessionChange(SessionChangeDescription sessionChange)
{
var wtsSessionId = sessionChange.SessionId;
var logprefix = "SessionMon #" + wtsSessionId.ToString("D2") + " [" + sessionChange.Reason.ToString() + "]: ";
//EventLog.WriteEntry("OnSessionChange", changeDescription.Reason.ToString() + " Session ID: " + changeDescription.SessionId.ToString());
Log(logprefix + "@");
WTS.SessionInfo wtsInfo;
var utcNow = DateTime.UtcNow;
try
{
switch (sessionChange.Reason)
{
// SessionLogon
case SessionChangeReason.SessionLogon:
Thread.Sleep(3000 * 1); // Wait for session to be logged in event log
var provider = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational";
var fromUtc = utcNow.Subtract(TimeSpan.FromMinutes(1));
//var toUtc = utcNow.Add(TimeSpan.FromMinutes(1));
var query = "*[" +
"(System/EventID=21 and UserData/EventXML/SessionID=" + wtsSessionId + ")" +
" and " +
"System[TimeCreated[@SystemTime>'" + fromUtc.ToString("yyyy-MM-dd") + "T" + fromUtc.ToString("HH:mm:ss") + ".000000000Z" + "']]" +
/*" and " +
* "System[TimeCreated[@SystemTime<'" + toUtc.ToString("yyyy-MM-dd") + "T" + toUtc.ToString("HH:mm:ss") + ".000000000Z" + "']] " +*/
"]";
var eventsQuery = new EventLogQuery(provider, PathType.LogName, query);
{
var logReader = new EventLogReader(eventsQuery);
for (var evt = logReader.ReadEvent(); evt != null; evt = logReader.ReadEvent())
{
var xmldoc = new XmlDocument();
var xml = evt.ToXml();
var ns = new XmlNamespaceManager(xmldoc.NameTable);
//ns.AddNamespace("ns", "http://schemas.microsoft.com/win/2004/08/events/event");
ns.AddNamespace("ns", "Event_NS");
xmldoc.LoadXml(xml);
var nodes = xmldoc.SelectNodes("//ns:*", ns);
if (nodes != null)
{
int _wtsSessionId = -1;
string user = null, addr = null;
for (int i = 0; i < nodes.Count; i++)
{
if (nodes[i].Name == "SessionID")
{
int.TryParse(nodes[i].InnerText, out _wtsSessionId);
}
if (nodes[i].Name == "User")
{
user = nodes[i].InnerText;
}
if (nodes[i].Name == "Address")
{
addr = nodes[i].InnerText;
}
}
Log(logprefix + "session=" + _wtsSessionId + ", user="******", addr=" + addr);
if (_wtsSessionId != -1)
{
wtsInfo = WTS.QuerySessionInfo(_wtsSessionId);
if (wtsInfo != null)
{
using (var db = new LiteDatabase("Filename=" + Utils.MyPath("RdpMon.db") + ";utc=true"))
{
var table = db.GetCollection <Session>("Session");
var session = new Session
{
SessionUid = Session.GetSessionUid(_wtsSessionId, wtsInfo.LogonTime),
WtsSessionId = _wtsSessionId,
Start = wtsInfo.LogonTime,
End = null,
User = wtsInfo.UserName,
Addr = addr,
Flags = 0,
};
table.Insert(session);
DbProps.Set(db, "LastSessionChange", DateTime.UtcNow);
}
}
else
{
Log(logprefix + "* could not find WTS session #" + _wtsSessionId);
}
}
else
{
Log(logprefix + "* could not parse session ID from event log: " + xml);
}
}
else
{
Log(logprefix + "* could not read event log: " + xml);
}
}
}
break;
// SessionLogoff
case SessionChangeReason.SessionLogoff:
wtsInfo = WTS.QuerySessionInfo(wtsSessionId);
if (wtsInfo != null)
{
using (var db = new LiteDatabase("Filename=" + Utils.MyPath("RdpMon.db") + ";utc=true"))
{
var table = db.GetCollection <Session>("Session");
var sessionUID = Session.GetSessionUid(wtsSessionId, wtsInfo.LogonTime);
var session = table.FindById(sessionUID);
if (session != null)
{
session.End = DateTime.UtcNow;
table.Update(session);
}
DbProps.Set(db, "LastSessionChange", DateTime.UtcNow);
}
}
else
{
Log(logprefix + "* could not find WTS session #" + wtsSessionId);
}
break;
// Other events
default:
break;
}
}
catch (Exception ex)
{
Log(logprefix + "* exception: " + ex.ToString());
}
}
} //ETWTraceInBackground_Start_SYSTEM()
private void ETWTraceInBackground_DoWork_SYSTEM(object sender, DoWorkEventArgs e)
{
// This is the background thread
int count = 0;
string etwclass = e.Argument as string;
BackgroundWorker worker = sender as BackgroundWorker;
Thread.CurrentThread.Name = "ETWReaderSYSTEM";
//Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;
try
{
string sQuery = "*[System/Level>0]";
EventLogQuery Q_Operational = new EventLogQuery(etwclass, PathType.LogName, sQuery);
EventBookmark Ev_OperationalBookmark = null;
EventLogReader R_Operational;
R_Operational = new EventLogReader(Q_Operational); // Walk through existing list to create a bookmark
R_Operational.Seek(System.IO.SeekOrigin.End, 0);
for (EventRecord eventInstance = R_Operational.ReadEvent();
null != eventInstance;
eventInstance = R_Operational.ReadEvent())
{
Ev_OperationalBookmark = eventInstance.Bookmark;
}
R_Operational.Dispose();
WaitingForEventStart_SYSTEM = false;
worker.ReportProgress(count++);
while (!worker.CancellationPending && !PleaseStopCollecting)
{
Thread.Sleep(1000);
R_Operational = new EventLogReader(Q_Operational, Ev_OperationalBookmark);
for (EventRecord eventInstance = R_Operational.ReadEvent();
null != eventInstance;
eventInstance = R_Operational.ReadEvent())
{
Ev_OperationalBookmark = eventInstance.Bookmark;
try
{
DateTime et = eventInstance.TimeCreated.GetValueOrDefault();
EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId,
eventInstance.LogName, "System", eventInstance.Id.ToString(), eventInstance.LevelDisplayName, eventInstance.FormatDescription(), "");
//SYSTEM_ITEM item = new SYSTEM_ITEM(eventInstance.LevelDisplayName, eventInstance.FormatDescription(), eventInstance.ProviderName, eventInstance.Id, eventInstance.ProcessId);
worker.ReportProgress(count++, eItem);
}
catch
{
// app provider might be virtual or missing
string leveldisplayname = "";
string stuff = "Formatter not available. Details:";
int ProcessId = -1;
int ThreadId = -1;
switch (eventInstance.Level)
{
case 1:
leveldisplayname = "Critical";
break;
case 2:
leveldisplayname = "Error";
break;
case 3:
leveldisplayname = "Warning";
break;
case 4:
leveldisplayname = "Information";
break;
default:
break;
}
foreach (EventProperty p in eventInstance.Properties)
{
stuff += p.Value.ToString() + " ";
}
if (eventInstance.ProcessId != null)
{
ProcessId = (int)eventInstance.ProcessId;
}
if (eventInstance.ThreadId != null)
{
ThreadId = (int)eventInstance.ThreadId;
}
DateTime et = eventInstance.TimeCreated.GetValueOrDefault();
EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId,
eventInstance.LogName, "System", eventInstance.Id.ToString(), leveldisplayname, stuff, "");
worker.ReportProgress(count++, eItem);
}
}
R_Operational.Dispose();
}
}
catch
{
WaitingForEventStart_SYSTEM = false;
}
} // ETWTraceInBackground_DoWork_SYSTEM()
public EventLogInput(InputElement input, SelectorElement selector, EventQueue equeue)
: base(input, selector, equeue)
{
Log.Info("input[" + InputName + "]/selector[" + SelectorName
+ "] creating EventLogInput");
// Event log query with suppressed events logged by this service
StringBuilder qstr = new StringBuilder();
qstr.Append("<QueryList>");
qstr.Append("<Query>");
qstr.Append(selector.Query.Value);
qstr.Append("<Suppress Path=\"Application\">*[System/Provider/@Name=\"F2B\"]</Suppress>");
qstr.Append("</Query>");
qstr.Append("</QueryList>");
EventLogSession session = null;
if (input.Server != string.Empty)
{
SecureString pw = new SecureString();
Array.ForEach(input.Password.ToCharArray(), pw.AppendChar);
session = new EventLogSession(input.Server, input.Domain,
input.Username, pw,
SessionAuthentication.Default);
pw.Dispose();
}
EventLogQuery query = new EventLogQuery(null, PathType.LogName, qstr.ToString());
if (session != null)
{
query.Session = session;
}
// create event watcher (must be enable later)
watcher = new EventLogWatcher(query);
watcher.EventRecordWritten +=
new EventHandler <EventRecordWrittenEventArgs>(
(s, a) => EventRead(s, a));
// event data parsers (e.g. XPath + regex to extract event data)
// (it is important to preserve order - it is later used as array index)
evtregexs = new List <EventLogParserData>();
List <string> xPathRefs = new List <string>();
foreach (RegexElement item in selector.Regexes)
{
if (string.IsNullOrEmpty(item.XPath))
{
Log.Warn("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event regexp \"" + item.Id + "\" attribute xpath empty");
continue;
}
if (!xPathRefs.Contains(item.XPath))
{
xPathRefs.Add(item.XPath);
}
try
{
int index = xPathRefs.IndexOf(item.XPath);
EventLogParserData eli = new EventLogParserData(item.Id, item.Type, item.XPath, index, item.Value);
evtregexs.Add(eli);
}
catch (ArgumentException ex)
{
Log.Error("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event regexp failed: " + ex.Message);
throw;
}
}
evtsel = null;
if (xPathRefs.Count > 0)
{
evtsel = new EventLogPropertySelector(xPathRefs);
}
// user defined event properties
evtdata_before = new List <EventDataElement>();
evtdata_match = new List <KeyValuePair <string, EventDataElement> >();
evtdata_after = new List <EventDataElement>();
foreach (EventDataElement item in selector.EventData)
{
if (item.Apply == "before")
{
evtdata_before.Add(item);
}
else if (item.Apply == "after")
{
evtdata_after.Add(item);
}
else if (item.Apply.StartsWith("match."))
{
string key = item.Apply.Substring("match.".Length);
evtdata_match.Add(new KeyValuePair <string, EventDataElement>(key, item));
}
else
{
Log.Warn("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event data \"" + item.Name + "\" attribute apply \""
+ item.Apply + "\": ignoring this item");
}
}
}
public void EventLogRecord_CheckProperties_RemainSame()
{
if (PlatformDetection.IsWindows7) // Null events in PowerShell log
{
return;
}
SecurityIdentifier userId;
byte? version, level;
short? opcode;
Guid? providerId, activityId, relatedActivityId;
int? processId, threadId, qualifiers, task;
long? keywords, recordId;
string providerName, machineName, containerLog;
DateTime? timeCreated;
IEnumerable <int> matchedQueryIds;
EventBookmark bookmark, bookmarkArg = Helpers.GetBookmark("Application", PathType.LogName);
var query = new EventLogQuery("Application", PathType.LogName, "*[System]")
{
ReverseDirection = true
};
var eventLog = new EventLogReader(query, bookmarkArg);
using (eventLog)
{
using (var record = (EventLogRecord)eventLog.ReadEvent())
{
userId = record.UserId;
version = record.Version;
opcode = record.Opcode;
providerId = record.ProviderId;
processId = record.ProcessId;
recordId = record.RecordId;
threadId = record.ThreadId;
qualifiers = record.Qualifiers;
level = record.Level;
keywords = record.Keywords;
task = record.Task;
providerName = record.ProviderName;
machineName = record.MachineName;
timeCreated = record.TimeCreated;
containerLog = record.ContainerLog;
matchedQueryIds = record.MatchedQueryIds;
activityId = record.ActivityId;
relatedActivityId = record.RelatedActivityId;
bookmark = record.Bookmark;
}
}
using (eventLog = new EventLogReader(query, bookmarkArg))
{
using (var record = (EventLogRecord)eventLog.ReadEvent())
{
Assert.Equal(userId, record.UserId);
Assert.Equal(version, record.Version);
Assert.Equal(opcode, record.Opcode);
Assert.Equal(providerId, record.ProviderId);
Assert.Equal(processId, record.ProcessId);
Assert.Equal(recordId, record.RecordId);
Assert.Equal(threadId, record.ThreadId);
Assert.Equal(qualifiers, record.Qualifiers);
Assert.Equal(level, record.Level);
Assert.Equal(keywords, record.Keywords);
Assert.Equal(task, record.Task);
Assert.Equal(providerName, record.ProviderName);
Assert.Equal(machineName, record.MachineName);
Assert.Equal(timeCreated, record.TimeCreated);
Assert.Equal(containerLog, record.ContainerLog);
Assert.Equal(matchedQueryIds, record.MatchedQueryIds);
Assert.Equal(activityId, record.ActivityId);
Assert.Equal(relatedActivityId, record.RelatedActivityId);
Assert.NotNull(record.Bookmark);
Assert.NotEqual(bookmark, record.Bookmark);
}
}
}
private static void GetEvents(
string filePath,
string computerFqdn,
string logName,
IReadOnlyList <int> eventIds,
IReadOnlyList <int> eventIdToSuppress,
DateTime startDate,
DateTime endDate)
{
Console.WriteLine("{0} - {1} FilePath: {2} Computer: {3} LogName: {4} EventIds: {5} EventIdsToSuppress: {6} Start Date: {7} End Date: {8}",
DateTime.Now.YMDHMSFriendly(), ObjectExtensions.CurrentMethodName(),
!string.IsNullOrWhiteSpace(filePath) ? filePath : "N/A",
!string.IsNullOrWhiteSpace(computerFqdn) ? computerFqdn : "N/A",
!string.IsNullOrWhiteSpace(logName) ? logName : "N/A",
(eventIds.Count > 0) ? eventIds.ToDelimitedString() : "<All Events>",
(eventIdToSuppress.Count > 0) ? eventIdToSuppress.ToDelimitedString() : "<No Events>",
startDate.YMDFriendly(), endDate.YMDFriendly());
long eventsProcessed = 0;
var stopwatch = Stopwatch.StartNew();
var eventReadTimeout = TimeSpan.FromMinutes(5);
if (!string.IsNullOrWhiteSpace(filePath))
{
if (!filePath.EndsWith(".EVTX", StringComparison.OrdinalIgnoreCase))
{
Console.WriteLine($"{DateTime.Now.YMDHMSFriendly()} - {ObjectExtensions.CurrentMethodName()} File: {filePath} if not .XML, file must be an .EVTX file type. Exiting.");
return;
}
}
try {
#region Construct event query filter
var path = !string.IsNullOrWhiteSpace(logName)
? logName
: filePath;
var eventIdsFilter = new StringBuilder();
if (eventIds.Count > 0)
{
eventIdsFilter.Append("(");
for (int index = 0; index < eventIds.Count; index++)
{
eventIdsFilter.Append($"EventID={eventIds[index]}");
if (index < eventIds.Count - 1)
{
eventIdsFilter.Append(" or ");
}
}
eventIdsFilter.Append(") and ");
}
var query = $"*[System[{eventIdsFilter.ToString()}TimeCreated[@SystemTime>='{startDate.YMDFriendly()}T00:00:00.000Z' and @SystemTime<'{endDate.Add(TimeSpan.FromDays(1)).YMDFriendly()}T00:00:00.000Z']]]";
var suppressionQuery = string.Empty;
if (eventIdToSuppress.Count > 0)
{
var eventIdsToSuppressFilter = new StringBuilder();
eventIdsToSuppressFilter.Append("(");
for (int index = 0; index < eventIdToSuppress.Count; index++)
{
eventIdsToSuppressFilter.Append($"EventID={eventIdToSuppress[index]}");
if (index < eventIdToSuppress.Count - 1)
{
eventIdsToSuppressFilter.Append(" or ");
}
}
eventIdsToSuppressFilter.Append(")");
suppressionQuery = $"<Suppress Path=\"{path}\">*[System[{eventIdsToSuppressFilter.ToString()}]]</Suppress>";
}
var fullQuery = new StringBuilder();
fullQuery.Append("<QueryList>");
fullQuery.Append($"<Query Id=\"0\" Path=\"{path}\">");
fullQuery.Append($"<Select Path=\"{path}\">{query}</Select>");
if (!string.IsNullOrWhiteSpace(suppressionQuery))
{
fullQuery.Append(suppressionQuery);
}
fullQuery.Append("</Query>");
fullQuery.Append("</QueryList>");
Console.WriteLine($"{DateTime.Now.YMDHMSFriendly()} - {ObjectExtensions.CurrentMethodName()} Event query: {fullQuery}");
#endregion
EventLogQuery eventLogQuery = null;
EventLogSession session = null;
try {
if (!string.IsNullOrWhiteSpace(computerFqdn))
{
eventLogQuery = new EventLogQuery(logName, PathType.LogName, fullQuery.ToString());
session = new EventLogSession(computerFqdn);
eventLogQuery.Session = session;
}
else
{
eventLogQuery = new EventLogQuery(filePath, PathType.FilePath, fullQuery.ToString());
}
eventLogQuery.ReverseDirection = EventLogQueryReverseDirection;
using (var eventLogReader = new EventLogReader(eventLogQuery)) {
EventRecord eventRecord = null;
string eventRecordXml = string.Empty;
do
{
eventRecord = null;
eventRecordXml = string.Empty;
#region Read event from event log
try {
eventRecord = eventLogReader.ReadEvent(eventReadTimeout);
if (eventRecord == null)
{
break;
}
eventsProcessed++;
eventRecordXml = eventRecord.ToXml();
if (string.IsNullOrWhiteSpace(eventRecordXml))
{
continue;
}
if (GetEventFromXml(eventRecordXml) != 0)
{
continue;
}
}
catch (XmlException e) {
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"Error parsing event record Xml:{eventRecordXml ?? "NULL"}");
Console.WriteLine(e.VerboseExceptionString());
Console.ResetColor();
continue;
}
catch (EventLogException e) {
if (Regex.IsMatch(e.Message, "The array bounds are invalid", RegexOptions.IgnoreCase))
{
continue;
}
if (Regex.IsMatch(e.Message, "The data area passed to a system call is too small", RegexOptions.IgnoreCase))
{
continue;
}
throw;
}
#endregion
#region Log statistics
if (eventsProcessed % 5000 == 0)
{
Console.WriteLine($"{DateTime.Now.YMDHMSFriendly()} Events processed: {eventsProcessed}");
}
#endregion
} while (eventRecord != null);
}
}
finally {
if (session != null)
{
try {
session.Dispose();
}
catch { }
}
}
}
catch (Exception e) {
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Error parsing events");
Console.WriteLine(e.VerboseExceptionString());
Console.ResetColor();
throw;
}
}
/// <summary>
///
/// </summary>
protected void InitialStatusGet()
{
try
{
/** Leer la lista de eventos */
#if OLD_1
EventLogQuery logquery = new EventLogQuery(LogName, FileInsteadLog ? PathType.FilePath : PathType.LogName);
List <EventRecord> Entries = new List <EventRecord>();
EventLogReader elr = new EventLogReader(logquery);
EventRecord entry;
while ((entry = elr.ReadEvent()) != null)
{
if (entry.Id == DownEventId || entry.Id == UpEventId)
{
Entries.Add(entry);
}
}
#endif
#if OLD
/** Separarlos */
List <EventRecord> last_lan1_ev_down = Entries.Where(e => DownEventId == (e.Id) && e.ToXml().Contains(Lan1Device)).OrderByDescending(e => e.TimeCreated).ToList();
List <EventRecord> last_lan2_ev_down = Entries.Where(e => DownEventId == (e.Id) && e.ToXml().Contains(Lan2Device)).OrderByDescending(e => e.TimeCreated).ToList();
List <EventRecord> last_lan1_ev_up = Entries.Where(e => UpEventId == (e.Id) && e.ToXml().Contains(Lan1Device)).OrderByDescending(e => e.TimeCreated).ToList();
List <EventRecord> last_lan2_ev_up = Entries.Where(e => UpEventId == (e.Id) && e.ToXml().Contains(Lan2Device)).OrderByDescending(e => e.TimeCreated).ToList();
long last_lan1_down = last_lan1_ev_down.Count == 0 ? DateTime.MinValue.Ticks : last_lan1_ev_down[0].TimeCreated.Value.Ticks;
long last_lan2_down = last_lan2_ev_down.Count == 0 ? DateTime.MinValue.Ticks : last_lan2_ev_down[0].TimeCreated.Value.Ticks;
long last_lan1_up = last_lan1_ev_up.Count == 0 ? DateTime.MinValue.Ticks : last_lan1_ev_up[0].TimeCreated.Value.Ticks;
long last_lan2_up = last_lan2_ev_up.Count == 0 ? DateTime.MinValue.Ticks : last_lan2_ev_up[0].TimeCreated.Value.Ticks;
Lan1Status = last_lan1_up > last_lan1_down ? LanStatus.Up : LanStatus.Down;
Lan2Status = last_lan2_up > last_lan2_down ? LanStatus.Up : LanStatus.Down;
#elif OLD_1
for (int lan = 0; lan < NICList.Count; lan++)
{
string LanDevice = NICList[lan].DeviceId;
List <EventRecord> last_lan_ev_down = Entries.Where(e => DownEventId == (e.Id) && e.ToXml().Contains(LanDevice)).OrderByDescending(e => e.TimeCreated).ToList();
List <EventRecord> last_lan_ev_up = Entries.Where(e => UpEventId == (e.Id) && e.ToXml().Contains(LanDevice)).OrderByDescending(e => e.TimeCreated).ToList();
long last_lan_down = last_lan_ev_down.Count == 0 ? DateTime.MinValue.Ticks : last_lan_ev_down[0].TimeCreated.Value.Ticks;
long last_lan_up = last_lan_ev_up.Count == 0 ? DateTime.MinValue.Ticks : last_lan_ev_up[0].TimeCreated.Value.Ticks;
NICList[lan].Status = last_lan_up > last_lan_down ? LanStatus.Up : LanStatus.Down;
}
#else
for (int lan = 0; lan < NICList.Count; lan++)
{
string LanDevice = NICList[lan].DeviceId;
List <EventRecord> last_lan_ev_down = _LogEntries.Where(e => DownEventId == (e.Id) && e.ToXml().Contains(LanDevice)).OrderByDescending(e => e.TimeCreated).ToList();
List <EventRecord> last_lan_ev_up = _LogEntries.Where(e => UpEventId == (e.Id) && e.ToXml().Contains(LanDevice)).OrderByDescending(e => e.TimeCreated).ToList();
long last_lan_down = last_lan_ev_down.Count == 0 ? DateTime.MinValue.Ticks : last_lan_ev_down[0].TimeCreated.Value.Ticks;
long last_lan_up = last_lan_ev_up.Count == 0 ? DateTime.MinValue.Ticks : last_lan_ev_up[0].TimeCreated.Value.Ticks;
NICList[lan].Status = last_lan_up > last_lan_down ? LanStatus.Up : LanStatus.Down;
}
#endif
}
catch (Exception x)
{
_Logger.Error(String.Format("NICEventMonitor InitialStatusGet Exception {0}", x.Message), x);
RaiseMessageError(x.Message);
}
}
internal EventLogReaderAdapter(EventLogQuery query)
{
this.reader = new EventLogReader(query);
}
private static bool GetEntries(ref List <EventEntry> eventList, string logName, EventLogSession session, DateTime startTime, DateTime endTime, int maxLevel, bool bQuiet)
{ // read all event log entries matching in EventEntry list
string eventQuery;
if (maxLevel == 0)
{
// query for all information levels
eventQuery = string.Format("*[System/TimeCreated/@SystemTime > '{0}'] and *[System/TimeCreated/@SystemTime <= '{1}']", startTime.ToUniversalTime().ToString("o"), endTime.ToUniversalTime().ToString("o"));
}
else
{
// level: LogAlways - 0, Critical - 1, Error - 2, Warning - 3, Informational - 4, Verbose - 5
// there are different levels for auditing logs!
eventQuery = string.Format("*[System/TimeCreated/@SystemTime > '{0}'] and *[System/TimeCreated/@SystemTime <= '{1}'] and *[System/Level <= {2}]", startTime.ToUniversalTime().ToString("o"), endTime.ToUniversalTime().ToString("o"), maxLevel.ToString());
}
// define event log query
EventLogQuery eventLogQuery = new EventLogQuery(logName, PathType.LogName, eventQuery);
eventLogQuery.Session = session;
try
{ // start query
EventLogReader eventLogReader = new EventLogReader(eventLogQuery);
int count = 0;
for (EventRecord eventRecord = eventLogReader.ReadEvent(); eventRecord != null; eventRecord = eventLogReader.ReadEvent())
{ // enumerate all found events
count++;
// read Event details
DateTime timeCreated = DateTime.Now;
if (eventRecord.TimeCreated.HasValue)
{
timeCreated = eventRecord.TimeCreated.Value;
}
string eventLevel;
try {
eventLevel = eventRecord.LevelDisplayName;
if (eventRecord.Level == 0)
{
eventLevel = "LogAlways";
}
}
catch {
eventLevel = "Unknown";
}
try
{
if (!String.IsNullOrEmpty(eventRecord.FormatDescription()))
{ // create log entry in list
eventList.Add(new EventEntry(timeCreated, logName, eventRecord.Id, eventRecord.ProviderName, eventLevel, eventRecord.FormatDescription()));
}
else
{ // description not available, try to interpret raw data
string rawDescription = "";
foreach (EventProperty eventProperty in eventRecord.Properties)
{
rawDescription += eventProperty.Value.ToString();
}
// create log entry in list
eventList.Add(new EventEntry(timeCreated, logName, eventRecord.Id, eventRecord.ProviderName, eventLevel, rawDescription));
}
}
catch (Exception e)
{ // create log entry in list with error message
eventList.Add(new EventEntry(timeCreated, logName, eventRecord.Id, eventRecord.ProviderName, eventLevel, "### Error reading the event log entry: " + e.Message));
}
}
if (!bQuiet)
{
Console.WriteLine("Processed event log \"" + logName + "\": " + count + " entries");
}
return(true);
}
catch (Exception e)
{
Console.Error.WriteLine("Error opening the event log \"" + logName + "\": " + e.Message);
return(false);
}
}
public static IReadOnlyList <SecurityEvent> ReadAll()
{
var events = new List <SecurityEvent>();
// To investigate as a separate report:
// 4625 An account failed to log on.
// 4648 A logon was attempted using explicit credentials.
// 4672 Special privileges assigned to new logon.
// 4675 SIDs were filtered.
// 4797 Sometimes "An attempt was made to query the existence of a blank password for an account."
// Logoff events without logon events
var query = new EventLogQuery(
"Security",
PathType.LogName,
@"*[(((System[EventID=4624] and EventData[Data[@Name='LogonType']!=5]) or System[EventID=4634])
and EventData[
Data[@Name='TargetUserSid']!='S-1-0-0'
and Data[@Name='TargetUserSid']!='S-1-5-7'
and Data[@Name='TargetUserSid']!='S-1-5-18'
and Data[@Name='TargetDomainName']!='Font Driver Host'
and Data[@Name='TargetDomainName']!='Window Manager'])
or System[EventID=4647 or EventID=4608]]");
using (var loginEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='TargetLinkedLogonId']",
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetUserName']",
"Event/EventData/Data[@Name='TargetDomainName']",
"Event/EventData/Data[@Name='LogonType']",
"Event/EventData/Data[@Name='ElevatedToken']",
"Event/EventData/Data[@Name='WorkstationName']",
"Event/EventData/Data[@Name='ProcessName']",
"Event/EventData/Data[@Name='IpAddress']",
"Event/EventData/Data[@Name='IpPort']"
}))
using (var logoffEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='TargetUserSid']"
}))
using (var reader = new EventLogReader(query))
{
while (reader.ReadEvent() is { } ev)
{
switch (ev.Id)
{
case 4608:
events.Add(new StartupEvent(ev.TimeCreated.Value));
break;
case 4624:
var loginPropertyValues = ((EventLogRecord)ev).GetPropertyValues(loginEventPropertySelector);
events.Add(new LogonEvent(
ev.TimeCreated.Value,
logonId: (ulong)loginPropertyValues[0],
linkedLogonId: (ulong)loginPropertyValues[1],
user: (SecurityIdentifier)loginPropertyValues[2],
userName: (string)loginPropertyValues[3],
domainName: (string)loginPropertyValues[4],
logonType: (LogonType)(uint)loginPropertyValues[5],
elevatedToken: loginPropertyValues[6] is "%%1842",
workstationName: GetXPathString(loginPropertyValues[7]),
processName: GetXPathString(loginPropertyValues[8]),
ipAddress: GetXPathString(loginPropertyValues[9]),
ipPort: GetXPathString(loginPropertyValues[10])));
break;
case 4634:
case 4647:
var logoffPropertyValues = ((EventLogRecord)ev).GetPropertyValues(logoffEventPropertySelector);
events.Add(new LogoffEvent(
ev.TimeCreated.Value,
logonId: (ulong)logoffPropertyValues[0],
user: (SecurityIdentifier)logoffPropertyValues[1]));
break;
}
}
}
return(events);
}
private void Run()
{
try
{
//Init Worker Thread
LoadConfiguration();
//prepare datastructures
Dictionary <string, List <LogTask> > requiredEventTypesToLogTasks = new Dictionary <string, List <LogTask> >();
foreach (LogTask l in _logTasks)
{
foreach (string s in l.EventPath)
{
if (!requiredEventTypesToLogTasks.ContainsKey(s))
{
requiredEventTypesToLogTasks[s] = new List <LogTask>();
}
requiredEventTypesToLogTasks[s].Add(l);
}
}
var eventTypesToLastEvent = new Dictionary <string, DateTime>();
var eventTypesToMaxAge = new Dictionary <string, int>();
var eventTypesToNewEvents = new Dictionary <string, List <EventRecord> >();
var eventTypesToTimeFramedEvents = new Dictionary <string, List <EventRecord> >();
//load structure so that only required events are read
foreach (string requiredEventType in requiredEventTypesToLogTasks.Keys)
{
eventTypesToLastEvent.Add(requiredEventType, DateTime.Now);
eventTypesToMaxAge.Add(requiredEventType, 0);
foreach (LogTask t in requiredEventTypesToLogTasks[requiredEventType])
{
if (!t.OnlyNew && eventTypesToMaxAge[requiredEventType] < t.EventAge)
{
eventTypesToMaxAge[requiredEventType] = t.EventAge;
}
}
}
//start monitoring the logs
while (true)
{
DateTime scanStart = DateTime.Now;
if (_verbose)
{
Dump("Scanning the logs now.", EventLogEntryType.Information, true);
}
DateTime referenceTimeForTimeFramedEvents = DateTime.Now;
try
{
eventTypesToNewEvents.Clear();
eventTypesToTimeFramedEvents.Clear();
//first read all relevant events (events that are required by any of the tasks)
foreach (string requiredEventType in requiredEventTypesToLogTasks.Keys)
{
eventTypesToNewEvents.Add(requiredEventType, new List <EventRecord>());
eventTypesToTimeFramedEvents.Add(requiredEventType, new List <EventRecord>());
var eventLogQuery = new EventLogQuery(requiredEventType, PathType.LogName)
{
ReverseDirection = true
};
try
{
var eventLogReader = new EventLogReader(eventLogQuery);
EventRecord r;
while ((r = eventLogReader.ReadEvent()) != null)
{
if (!r.TimeCreated.HasValue)
{
continue;
}
bool canbreak = false;
//fill new event list
if (r.TimeCreated > eventTypesToLastEvent[requiredEventType])
{
eventTypesToNewEvents[requiredEventType].Add(r);
eventTypesToLastEvent[requiredEventType] = r.TimeCreated.Value;
}
else
{
canbreak = true;
}
//fill time framed event list
if (r.TimeCreated > referenceTimeForTimeFramedEvents.Subtract(new TimeSpan(0, 0, eventTypesToMaxAge[requiredEventType])))
{
eventTypesToTimeFramedEvents[requiredEventType].Add(r);
}
else if (canbreak)
{
break;
}
}
}
catch (EventLogNotFoundException)
{
Dump($"Event Log {requiredEventType} was not found, tasks that require these events will not work", EventLogEntryType.Warning);
}
}
if (_verbose)
{
Dump($"Scanning finished in {DateTime.Now.Subtract(scanStart).TotalMilliseconds}[ms] ", EventLogEntryType.Information, true);
}
//then supply the events to the requesting tasks
foreach (string key in requiredEventTypesToLogTasks.Keys)
{
foreach (LogTask t in requiredEventTypesToLogTasks[key])
{
if (t.OnlyNew)
{
t.ProvideEvents(eventTypesToNewEvents[key]);
}
else
{
var eventsForThisTask = new List <EventRecord>();
foreach (EventRecord e in eventTypesToTimeFramedEvents[key])
{
if (e.TimeCreated > referenceTimeForTimeFramedEvents.Subtract(new TimeSpan(0, 0, t.EventAge)))
{
eventsForThisTask.Add(e);
}
}
if (_verbose)
{
Dump($"Provided {eventsForThisTask.Count} events for {t.Name}", EventLogEntryType.Information, true);
}
if (eventsForThisTask.Count > 0)
{
DateTime start = DateTime.Now;
t.ProvideEvents(eventsForThisTask);
if (DateTime.Now.Subtract(start).TotalMilliseconds > 500)
{
Dump($"Warning: Task {t.Name} takes a lot of resources. This can make your server vulnerable to DOS attacks. Try better boosters.", EventLogEntryType.Warning);
}
}
}
}
}
List <IPAddress> blackList = new List <IPAddress>();
//let the tasks poll which ips they want to have blocked / or permanently banned
foreach (LogTask t in _logTasks)
{
if (t is IPBlockingLogTask ipTask)
{
foreach (IPAddress perma in ipTask.GetPermaBanVictims())
{
SetPermanentBan(perma);
}
List <IPAddress> blockedIPs = ipTask.GetTempBanVictims();
if (_verbose)
{
Dump($"Polled {t.Name} and got {blockedIPs.Count} temporary and {_permaBannedIPs.Count} permanent ban(s)", EventLogEntryType.Information, true);
}
foreach (IPAddress blockedIP in blockedIPs)
{
if (!blackList.Contains(blockedIP))
{
blackList.Add(blockedIP);
}
}
}
}
_lastPolledTempBans = blackList;
DoBan();
}
catch (Exception executionException)
{
Dump(executionException, EventLogEntryType.Error);
}
//wait for next iteration or kill signal
try
{
Thread.Sleep(Constants.ThreadSleep);
}
catch (ThreadInterruptedException)
{
}
//check if need to terminate
bool terminate;
lock (_syncObject)
{
terminate = _stop;
}
if (terminate)
{
try
{
FirewallAPI.ClearIPBanList();
}
catch (Exception ex)
{
Dump(ex, EventLogEntryType.Warning);
}
return;
}
}
}
catch (Exception e)
{
Dump(e, EventLogEntryType.Error);
Stop();
}
}
public override IEnumerable <CommandDTOBase?> Execute(string[] args)
{
const string eventId = "4648";
string? userFilterRegex = null;
// grab events from the last X days - 7 for default, 30 for "-full" collection
// Always use the user-supplied value, if specified
var lastDays = 7;
if (args.Length >= 1)
{
if (!int.TryParse(args[0], out lastDays))
{
WriteError("Argument is not an integer");
yield break;
}
}
else
{
if (!Runtime.FilterResults)
{
lastDays = 30;
}
}
WriteHost("Listing 4648 Explicit Credential Events - A process logged on using plaintext credentials");
if (args.Length >= 2)
{
userFilterRegex = args[1];
WriteHost($"Username Filter: {userFilterRegex}");
}
WriteHost("Output Format:");
WriteHost(" --- TargetUser,ProcessResults,SubjectUser,IpAddress ---");
WriteHost(" <Dates the credential was used to logon>\n\n");
var startTime = DateTime.Now.AddDays(-lastDays);
var endTime = DateTime.Now;
if (!SecurityUtil.IsHighIntegrity())
{
WriteError("Unable to collect. Must be an administrator.");
yield break;
}
var query = $@"*[System/EventId={eventId}] and *[System[TimeCreated[@SystemTime >= '{startTime.ToUniversalTime():o}']]] and *[System[TimeCreated[@SystemTime <= '{endTime.ToUniversalTime():o}']]]";
var eventsQuery = new EventLogQuery("Security", PathType.LogName, query)
{
ReverseDirection = true
};
var logReader = new EventLogReader(eventsQuery);
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
//string subjectUserSid = eventDetail.Properties[0].Value.ToString();
var subjectUserName = eventDetail.Properties[1].Value.ToString();
var subjectDomainName = eventDetail.Properties[2].Value.ToString();
//var subjectLogonId = eventDetail.Properties[3].Value.ToString();
//var logonGuid = eventDetail.Properties[4].Value.ToString();
var targetUserName = eventDetail.Properties[5].Value.ToString();
var targetDomainName = eventDetail.Properties[6].Value.ToString();
//var targetLogonGuid = eventDetail.Properties[7].Value.ToString();
//var targetServerName = eventDetail.Properties[8].Value.ToString();
//var targetInfo = eventDetail.Properties[9].Value.ToString();
//var processId = eventDetail.Properties[10].Value.ToString();
var processName = eventDetail.Properties[11].Value.ToString();
var ipAddress = eventDetail.Properties[12].Value.ToString();
//var IpPort = eventDetail.Properties[13].Value.ToString();
// Ignore the current machine logging on and
if (Runtime.FilterResults && Regex.IsMatch(targetUserName, Environment.MachineName) ||
Regex.IsMatch(targetDomainName, @"^(Font Driver Host|Window Manager)$"))
{
continue;
}
if (userFilterRegex != null && !Regex.IsMatch(targetUserName, userFilterRegex))
{
continue;
}
yield return(new ExplicitLogonEventsDTO()
{
TimeCreated = eventDetail.TimeCreated,
SubjectUser = subjectUserName,
SubjectDomain = subjectDomainName,
TargetUser = targetUserName,
TargetDomain = targetDomainName,
Process = processName,
IpAddress = ipAddress
});
}
}
private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read, EventLog_File EventLogName)
{
try
{
EventLogQuery eventsQuery = new EventLogQuery(Eventlog_FullName, PathType.LogName);
EventLogReader EventLogtoReader = new EventLogReader(eventsQuery);
EventLog_Entry SWELF_Eventlog;
while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
{
try
{
SWELF_Eventlog = new EventLog_Entry();
if (Windows_EventLog_from_API.RecordId.Value > RecordID_From_Last_Read)
{
SWELF_Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.EventID = Windows_EventLog_from_API.Id; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.LogName = Windows_EventLog_from_API.LogName;
try
{
SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
}
catch (Exception e)
{
SWELF_Eventlog.ComputerName = Settings.ComputerName;
}
try
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
}
catch (Exception e)
{
try
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
}
catch
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
}
}
try
{
SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
}
catch (Exception e)
{
SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;//if this doesnt work we have issues that we cant fix
}
try
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
{
SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.FormatDescription().ToLower();
}
else
{
SWELF_Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
}
}
catch (Exception e)
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
{
SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.ToXml();
}
else
{
SWELF_Eventlog.EventData = Windows_EventLog_from_API.ToXml();//if this doesnt work we have issues that we cant fix
}
}
try
{
SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
{
SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
}
}
catch (Exception e)
{
SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
}
try
{
SWELF_Eventlog.GET_FileHash();
}
catch (Exception e)
{
//unable to get file hashs from log
}
try
{
SWELF_Eventlog.GET_IP_FromLogFile();
}
catch (Exception e)
{
//unable to get IP values from log
}
try
{
EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog);
}
catch (Exception e)
{
EventLogName.EventlogMissing = true;
}
try
{
EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = Windows_EventLog_from_API.RecordId.Value;
}
catch (Exception e)
{
EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = 0;
}
EventLogName.Enqueue_Log(SWELF_Eventlog);
}
}
catch (Exception e)
{
Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
MissingLogInFileDueToException = true;
}
}
try
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
{
Settings.IP_List_EVT_Logs.AddRange(Settings.IP_List_EVT_Logs.Distinct().ToList());
Settings.Hashs_From_EVT_Logs.AddRange(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
}
}
catch (Exception e)
{
Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
}
MissingLogInFileDueToException = false;
}
catch (Exception e)
{
Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString() + " " + Eventlog_FullName + " " + RecordID_From_Last_Read + " " + EventLogName.First_EventLogID_From_Check + " " + EventLogName.Last_EventLogID_From_Check + " " + EventLogName.Contents_of_EventLog.Count, e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
MissingLogInFileDueToException = true;
}
}
private void timer_Tick(object sender, EventArgs e)
{
txb_eventLastDate.Text = string.Empty;
txb_eventData.Text = string.Empty;
eventCount = 0;
eventLog = cb_eventLog.Text;
eventLevel = cb_eventLavel.Text;
eventId = txb_eventId.Text;
eventDataSearch = txb_eventDataSearch.Text;
//eventDataSearch = "Wolf.Playout.exe";
string query = "*[System/EventID=" + eventId + " and " + "System/Level=" + eventLevel + "]";
EventLogQuery eventsQuery = new EventLogQuery(eventLog, PathType.LogName, query);
try
{
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
{
if (eventdetail.FormatDescription().Contains(eventDataSearch))
{
txb_eventLastDate.Text = eventdetail.TimeCreated.ToString();
txb_eventData.Text = eventdetail.FormatDescription();
eventCount++;
//MessageBox.Show(
//eventdetail.TimeCreated.ToString() + "\n" +
//eventdetail.FormatDescription()
//);
//string eventXml = eventdetail.ToXml();
}
}
txb_eventCount.Text = eventCount.ToString();
}
catch (EventLogNotFoundException ex)
{
MessageBox.Show("Error while reading the event logs:\n\n" + ex.Message);
return;
}
timer.Interval = new TimeSpan(Convert.ToInt16(txb_timerH.Text), Convert.ToInt16(txb_timerM.Text), Convert.ToInt16(txb_timerS.Text));
DateTime dt = new DateTime(2010, 1, 1);
if (eventCount > 0)
{
if (txb_eventLastDate.Text.Trim() != "")
{
dt = DateTime.Parse(txb_eventLastDate.Text); //son hata zamanı.
}
}
TimeSpan ts = DateTime.Now - dt; //son hata zamanından sonra geçen süre.
//TimeSpan ts = DateTime.Now.Subtract(dt);
if (ts < timer.Interval) //son timer periyodu içinde yeni bir hata olmuş ise.
{
//MessageBox.Show(
// dt.ToString() + "\n" +
// DateTime.Now.ToString() + "\n\n" +
// ts.ToString() + "\n" +
// timer.Interval.ToString()
//);
eventCountNew++;
txb_eventCountNew.Text = eventCountNew.ToString();
txb_eventCountNew.Foreground = new SolidColorBrush(Colors.Red);
txb_eventLastDate.Foreground = new SolidColorBrush(Colors.Red);
processKill(txb_eventDataSearch.Text.Trim());
Thread.Sleep(500);
System.Windows.Forms.Application.DoEvents();
processStart(txb_eventDataSearch.Text.Trim());
}
}
private void read_single_log_thread(log_info log)
{
string query_string = "*";
if (provider_name != "")
{
query_string = "*[System/Provider/@Name=\"" + provider_name + "\"]";
}
logger.Info("event_log new thread - reading from " + log.log_type);
int max_event_count = int.MaxValue;
// debugging - load much less, faster testing
if (util.is_debug)
{
max_event_count = 250;
}
try {
// we can read the number of entres only for local logs
if (provider_name == "" && log.remote_machine_name == "")
{
var dummy_log = new EventLog(log.log_type);
lock (this)
try {
log.full_log_count_ = dummy_log.Entries.Count;
} catch {
// can't compute on this specific log
log.full_log_count_ = -1;
}
dummy_log.Dispose();
}
// waiting for user to set the password
if (log.remote_machine_name != "")
{
while (remote_password_ == "")
{
Thread.Sleep(100);
}
}
SecureString pwd = new SecureString();
foreach (char c in remote_password_)
{
pwd.AppendChar(c);
}
EventLogSession session = log.remote_machine_name != "" ? new EventLogSession(log.remote_machine_name, remote_domain_name, remote_user_name, pwd, SessionAuthentication.Default) : null;
pwd.Dispose();
EventLogQuery query = new EventLogQuery(log.log_type, PathType.LogName, query_string);
if (are_elements_in_reverse_order)
{
query.ReverseDirection = are_elements_in_reverse_order;
}
if (session != null)
{
query.Session = session;
}
int read_idx = 0;
using (EventLogReader reader = new EventLogReader(query))
for (EventRecord rec = reader.ReadEvent(); rec != null && !log.disposed_ && read_idx++ < max_event_count; rec = reader.ReadEvent())
{
lock (this) {
log.last_events_.Add(rec);
++log.cur_log_count_;
}
}
logger.Info("event_log reading from " + log.log_type + " complete - read " + log.cur_log_count_ + " records");
lock (this)
log.listening_for_new_events_ = true;
// at this point, listen for new events
if (are_elements_in_reverse_order)
{
// if reverse, I need to create another query, or it won't allow watching
query = new EventLogQuery(log.log_type, PathType.LogName, query_string);
if (session != null)
{
query.Session = session;
}
}
using (var watcher = new EventLogWatcher(query)) {
logger.Info("event_log reading from " + log.log_type + " watching for new events ");
watcher.EventRecordWritten += (o, e) => {
lock (this)
log.new_events_.Add(e.EventRecord);
};
watcher.Enabled = true;
while (!log.disposed_)
{
Thread.Sleep(100);
}
watcher.Enabled = false;
}
} catch (Exception e) {
logger.Error("can't create event log " + log.log_type + "/" + remote_machine_name + " : " + e.Message);
errors_.add("Can't create Log " + log.log_type + " on machine " + remote_machine_name + ", Reason=" + e.Message);
}
logger.Info("event_log reading from " + log.log_type + " watching for new events COMPLETE");
}
public static void HarvestTGTs(int intervalMinutes, string registryBasePath)
{
// First extract all TGTs then monitor the event log (indefinitely) for 4624 logon events
// every 'intervalMinutes' and dumps TGTs JUST for the specific logon IDs (LUIDs) based on the event log.
// On each interval, renew any tickets that are about to expire and refresh the cache.
// End result: every "intervalMinutes" a set of currently valid TGT .kirbi files are dumped to console
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");
return;
}
Console.WriteLine("[*] Action: TGT Harvesting (w/ auto-renewal)");
Console.WriteLine("\r\n[*] Monitoring every {0} minutes for 4624 logon events\r\n", intervalMinutes);
// used to keep track of LUIDs we've already dumped
var seenLUIDs = new Dictionary <ulong, bool>();
// get the current set of TGTs
List <KRB_CRED> creds = LSA.ExtractTGTs(new Interop.LUID());
while (true)
{
// check for 4624 logon events in the past "intervalSeconds"
string queryString = String.Format("*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= {0}]]]", intervalMinutes * 60 * 1000);
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
{
// if there's an event, extract out the logon ID (LUID) for the session
string eventMessage = eventInstance.FormatDescription();
DateTime eventTime = (DateTime)eventInstance.TimeCreated;
int startIndex = eventMessage.IndexOf("New Logon:");
string message = eventMessage.Substring(startIndex);
// extract out relevant information from the event log message
var acctNameExpression = new Regex(string.Format(@"\n.*Account Name:\s*(?<name>.+?)\r\n"));
Match acctNameMatch = acctNameExpression.Match(message);
var acctDomainExpression = new Regex(string.Format(@"\n.*Account Domain:\s*(?<domain>.+?)\r\n"));
Match acctDomainMatch = acctDomainExpression.Match(message);
if (acctNameMatch.Success)
{
var srcNetworkExpression = new Regex(string.Format(@"\n.*Source Network Address:\s*(?<address>.+?)\r\n"));
Match srcNetworkMatch = srcNetworkExpression.Match(message);
string logonName = acctNameMatch.Groups["name"].Value;
string accountDomain = "";
string srcNetworkAddress = "";
try
{
accountDomain = acctDomainMatch.Groups["domain"].Value;
}
catch { }
try
{
srcNetworkAddress = srcNetworkMatch.Groups["address"].Value;
}
catch { }
// ignore SYSTEM logons and other defaults
if (!Regex.IsMatch(logonName, @"SYSTEM|LOCAL SERVICE|NETWORK SERVICE|UMFD-[0-9]+|DWM-[0-9]+|ANONYMOUS LOGON", RegexOptions.IgnoreCase))
{
Console.WriteLine("\r\n[+] {0} - 4624 logon event for '{1}\\{2}' from '{3}'", eventTime, accountDomain, logonName, srcNetworkAddress);
var expression2 = new Regex(string.Format(@"\n.*Logon ID:\s*(?<id>.+?)\r\n"));
Match match2 = expression2.Match(message);
if (match2.Success)
{
try
{
// check if we've seen this LUID before
Interop.LUID luid = new Interop.LUID(match2.Groups["id"].Value);
if (!seenLUIDs.ContainsKey((ulong)luid))
{
seenLUIDs[luid] = true;
// if we haven't seen it, extract any TGTs for that particular logon ID and add to the cache
List <KRB_CRED> newCreds = LSA.ExtractTGTs(luid);
creds.AddRange(newCreds);
}
}
catch (Exception e)
{
Console.WriteLine("[X] Exception: {0}", e.Message);
}
}
}
}
}
for (int i = creds.Count - 1; i >= 0; i--)
{
DateTime endTime = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].endtime);
DateTime renewTill = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].renew_till);
// check if the ticket is going to expire before the next interval checkin
if (endTime < DateTime.Now.AddMinutes(intervalMinutes))
{
// check if the ticket's renewal limit will be valid within the next interval
if (renewTill < DateTime.Now.AddMinutes(intervalMinutes))
{
// renewal limit under checkin interval, so remove the ticket from the cache
creds.RemoveAt(i);
}
else
{
// renewal limit after checkin interval, so renew the TGT
string userName = creds[i].enc_part.ticket_info[0].pname.name_string[0];
string domainName = creds[i].enc_part.ticket_info[0].prealm;
Console.WriteLine("[*] Renewing TGT for {0}@{1}", userName, domainName);
byte[] bytes = Renew.TGT(creds[i], false, "", false);
KRB_CRED renewedCred = new KRB_CRED(bytes);
creds[i] = renewedCred;
}
}
}
Console.WriteLine("\r\n[*] {0} - Current usable TGTs:\r\n", DateTime.Now);
LSA.DisplayTGTs(creds);
if (registryBasePath != null)
{
LSA.SaveTicketsToRegistry(creds, registryBasePath);
}
System.Threading.Thread.Sleep(intervalMinutes * 60 * 1000);
}
}
/// <summary>
/// ReadServiceFabricWindowsEventLog().
/// </summary>
public void ReadServiceFabricWindowsEventLog()
{
string sfOperationalLogSource = "Microsoft-ServiceFabric/Operational";
string sfAdminLogSource = "Microsoft-ServiceFabric/Admin";
string systemLogSource = "System";
string sfLeaseAdminLogSource = "Microsoft-ServiceFabric-Lease/Admin";
string sfLeaseOperationalLogSource = "Microsoft-ServiceFabric-Lease/Operational";
var range2Days = DateTime.UtcNow.AddDays(-1);
var format = range2Days.ToString(
"yyyy-MM-ddTHH:mm:ss.fffffff00K",
CultureInfo.InvariantCulture);
var datexQuery = string.Format(
"*[System/TimeCreated/@SystemTime >='{0}']",
format);
// Critical and Errors only.
string xQuery = "*[System/Level <= 2] and " + datexQuery;
// SF Admin Event Store.
var evtLogQuery = new EventLogQuery(sfAdminLogSource, PathType.LogName, xQuery);
using (var evtLogReader = new EventLogReader(evtLogQuery))
{
for (var eventInstance = evtLogReader.ReadEvent();
eventInstance != null;
eventInstance = evtLogReader.ReadEvent())
{
this.Token.ThrowIfCancellationRequested();
this.evtRecordList.Add(eventInstance);
}
}
// SF Operational Event Store.
evtLogQuery = new EventLogQuery(sfOperationalLogSource, PathType.LogName, xQuery);
using (var evtLogReader = new EventLogReader(evtLogQuery))
{
for (var eventInstance = evtLogReader.ReadEvent();
eventInstance != null;
eventInstance = evtLogReader.ReadEvent())
{
this.Token.ThrowIfCancellationRequested();
this.evtRecordList.Add(eventInstance);
}
}
// SF Lease Admin Event Store.
evtLogQuery = new EventLogQuery(sfLeaseAdminLogSource, PathType.LogName, xQuery);
using (var evtLogReader = new EventLogReader(evtLogQuery))
{
for (var eventInstance = evtLogReader.ReadEvent();
eventInstance != null;
eventInstance = evtLogReader.ReadEvent())
{
this.Token.ThrowIfCancellationRequested();
this.evtRecordList.Add(eventInstance);
}
}
// SF Lease Operational Event Store.
evtLogQuery = new EventLogQuery(sfLeaseOperationalLogSource, PathType.LogName, xQuery);
using (var evtLogReader = new EventLogReader(evtLogQuery))
{
for (var eventInstance = evtLogReader.ReadEvent();
eventInstance != null;
eventInstance = evtLogReader.ReadEvent())
{
this.Token.ThrowIfCancellationRequested();
this.evtRecordList.Add(eventInstance);
}
}
// System Event Store.
evtLogQuery = new EventLogQuery(systemLogSource, PathType.LogName, xQuery);
using (var evtLogReader = new EventLogReader(evtLogQuery))
{
for (var eventInstance = evtLogReader.ReadEvent();
eventInstance != null;
eventInstance = evtLogReader.ReadEvent())
{
this.Token.ThrowIfCancellationRequested();
this.evtRecordList.Add(eventInstance);
}
}
}
public static void Monitor4624(int intervalSeconds, string targetUser, string registryBasePath = null)
{
// monitors the event log (indefinitely) for 4624 logon events every 'intervalSeconds' and dumps TGTs JUST for the specific
// logon IDs (LUIDs) based on the event log. Can optionally only extract for a targeted user.
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");
return;
}
// used to keep track of LUIDs we've already dumped
var seenLUIDs = new Dictionary <ulong, bool>();
Console.WriteLine("[*] Action: TGT Monitoring");
Console.WriteLine("[*] Monitoring every {0} seconds for 4624 logon events", intervalSeconds);
if (!String.IsNullOrEmpty(targetUser))
{
Console.WriteLine("[*] Target user : {0}", targetUser);
targetUser = targetUser.Replace("$", "\\$");
}
Console.WriteLine();
while (true)
{
// check for 4624 logon events in the past "intervalSeconds"
string queryString = String.Format("*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= {0}]]]", intervalSeconds * 1000);
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
{
// if there's an event, extract out the logon ID (LUID) for the session
string eventMessage = eventInstance.FormatDescription();
DateTime eventTime = (DateTime)eventInstance.TimeCreated;
int startIndex = eventMessage.IndexOf("New Logon:");
string message = eventMessage.Substring(startIndex);
// extract out relevant information from the event log message
var acctNameExpression = new Regex(string.Format(@"\n.*Account Name:\s*(?<name>.+?)\r\n"));
Match acctNameMatch = acctNameExpression.Match(message);
var acctDomainExpression = new Regex(string.Format(@"\n.*Account Domain:\s*(?<domain>.+?)\r\n"));
Match acctDomainMatch = acctDomainExpression.Match(message);
if (acctNameMatch.Success)
{
var srcNetworkExpression = new Regex(string.Format(@"\n.*Source Network Address:\s*(?<address>.+?)\r\n"));
Match srcNetworkMatch = srcNetworkExpression.Match(message);
string logonName = acctNameMatch.Groups["name"].Value;
string accountDomain = "";
string srcNetworkAddress = "";
try
{
accountDomain = acctDomainMatch.Groups["domain"].Value;
}
catch { }
try
{
srcNetworkAddress = srcNetworkMatch.Groups["address"].Value;
}
catch { }
// ignore SYSTEM logons and other defaults
if (!Regex.IsMatch(logonName, @"SYSTEM|LOCAL SERVICE|NETWORK SERVICE|UMFD-[0-9]+|DWM-[0-9]+|ANONYMOUS LOGON", RegexOptions.IgnoreCase))
{
Console.WriteLine("\r\n[+] {0} - 4624 logon event for '{1}\\{2}' from '{3}'", eventTime, accountDomain, logonName, srcNetworkAddress);
// filter if we're targeting a specific user
if (String.IsNullOrEmpty(targetUser) || (Regex.IsMatch(logonName, targetUser, RegexOptions.IgnoreCase)))
{
var expression2 = new Regex(string.Format(@"\n.*Logon ID:\s*(?<id>.+?)\r\n"));
Match match2 = expression2.Match(message);
if (match2.Success)
{
try
{
// check if we've seen this LUID before
Interop.LUID luid = new Interop.LUID(match2.Groups["id"].Value);
if (!seenLUIDs.ContainsKey((ulong)luid))
{
seenLUIDs[luid] = true;
// if we haven't seen it, extract any TGTs for that particular logon ID
LSA.ListKerberosTicketData(luid, "krbtgt", true, registryBasePath);
}
}
catch (Exception e)
{
Console.WriteLine("[X] Exception: {0}", e.Message);
}
}
}
}
}
}
System.Threading.Thread.Sleep(intervalSeconds * 1000);
}
}
/// <summary>
/// Get the WER entries for VS and VS related EXEs from the Event Log and write them to a file
/// </summary>
internal static void TryWriteWatsonEntriesToFile(string filePath)
{
try
{
// Use a HashSet to make sure the entries we add aren't duplicates (calls the Equals override from FeedbackItemWatsonEntry)
var watsonEntries = new HashSet <FeedbackItemWatsonEntry>();
// We need to search in the Application Event Log, since that's where Watson logs entries
var eventLogQuery = new EventLogQuery(EventLogName, PathType.LogName)
{
// Read events in descending order, so we can get either the last 5 entries or the past day of entries, whichever has a bigger count
ReverseDirection = true
};
var eventLogReader = new EventLogReader(eventLogQuery);
EventRecord eventLogRecord;
var watsonEntriesCount = 0;
while ((eventLogRecord = eventLogReader.ReadEvent()) != null)
{
// We only want the last 5 entries or the past day of entries, whichever has a bigger count
if (IsLastDayOrLastFiveRecentEntry(eventLogRecord, watsonEntriesCount))
{
// Filter the entries by Watson specific ones for VS EXEs
if (IsValidWatsonEntry(eventLogRecord))
{
var entry = new FeedbackItemWatsonEntry(eventLogRecord);
watsonEntries.Add(entry);
// If the entry doesn't have a valid BucketId, we don't want it to count towards the maxCount we send
if (!string.IsNullOrWhiteSpace(GetEventRecordPropertyToString(eventLogRecord, FaultBucketIndex)))
{
watsonEntriesCount++;
}
}
}
else
{
break;
}
}
if (watsonEntries.Any())
{
var watsonEntriesStringBuilder = new StringBuilder();
foreach (var entry in watsonEntries)
{
watsonEntriesStringBuilder.AppendLine($"Event Time (UTC): {entry.EventTime}");
watsonEntriesStringBuilder.AppendLine($"Application Name: {entry.ApplicationName}");
watsonEntriesStringBuilder.AppendLine($"Application Version: {entry.ApplicationVersion}");
watsonEntriesStringBuilder.AppendLine($"Faulting Module: {entry.FaultingModule}");
watsonEntriesStringBuilder.AppendLine($"Faulting Module Version: {entry.FaultingModuleVersion}");
watsonEntriesStringBuilder.AppendLine($"Event Name: {entry.EventName}");
watsonEntriesStringBuilder.AppendLine($"Cab Id: {entry.CabId}");
watsonEntriesStringBuilder.AppendLine($"Fault Bucket: {entry.FaultBucket}");
watsonEntriesStringBuilder.AppendLine($"Hashed Bucket: {entry.HashedBucket}");
watsonEntriesStringBuilder.AppendLine($"Watson Report Id: {entry.WatsonReportId}");
watsonEntriesStringBuilder.AppendLine();
}
File.WriteAllText(filePath, watsonEntriesStringBuilder.ToString());
}
}
catch (Exception ex)
{
File.WriteAllText(filePath, ex.ToString());
}
}
public override IEnumerable <CommandDTOBase?> Execute(string[] args)
{
if (!SecurityUtil.IsHighIntegrity())
{
WriteError("Unable to collect. Must be an administrator/in a high integrity context.");
yield break;
}
var NTLMv1Users = new HashSet <string>();
var NTLMv2Users = new HashSet <string>();
var KerberosUsers = new HashSet <string>();
// grab events from the last X days - 10 for workstations, 30 for "-full" collection
// Always use the user-supplied value, if specified
var lastDays = 10;
if (Shlwapi.IsWindowsServer())
{
lastDays = 1;
}
string?userRegex = null;
if (args.Length >= 1)
{
if (!int.TryParse(args[0], out lastDays))
{
throw new ArgumentException("Argument is not an integer");
}
}
if (args.Length >= 2)
{
userRegex = args[1];
}
WriteVerbose($"Listing 4624 Account Logon Events for the last {lastDays} days.\n");
if (userRegex != null)
{
WriteVerbose($"Username Filter: {userRegex}");
}
var startTime = DateTime.Now.AddDays(-lastDays);
var endTime = DateTime.Now;
var query = $@"*[System/EventID=4624] and *[System[TimeCreated[@SystemTime >= '{startTime.ToUniversalTime():o}']]] and *[System[TimeCreated[@SystemTime <= '{endTime.ToUniversalTime():o}']]]";
var eventsQuery = new EventLogQuery("Security", PathType.LogName, query)
{
ReverseDirection = true
};
var logReader = new EventLogReader(eventsQuery);
WriteHost(" TimeCreated,TargetUser,LogonType,IpAddress,SubjectUsername,AuthenticationPackageName,LmPackageName,TargetOutboundUser");
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
//var subjectUserSid = eventDetail.Properties[0].Value.ToString();
var subjectUserName = eventDetail.Properties[1].Value.ToString();
var subjectDomainName = eventDetail.Properties[2].Value.ToString();
//var subjectLogonId = eventDetail.Properties[3].Value.ToString();
//var targetUserSid = eventDetail.Properties[4].Value.ToString();
var targetUserName = eventDetail.Properties[5].Value.ToString();
var targetDomainName = eventDetail.Properties[6].Value.ToString();
//var targetLogonId = eventDetail.Properties[7].Value.ToString();
//var logonType = eventDetail.Properties[8].Value.ToString();
var logonType = $"{(SECURITY_LOGON_TYPE)(int.Parse(eventDetail.Properties[8].Value.ToString()))}";
//var logonProcessName = eventDetail.Properties[9].Value.ToString();
var authenticationPackageName = eventDetail.Properties[10].Value.ToString();
//var workstationName = eventDetail.Properties[11].Value.ToString();
//var logonGuid = eventDetail.Properties[12].Value.ToString();
//var transmittedServices = eventDetail.Properties[13].Value.ToString();
var lmPackageName = eventDetail.Properties[14].Value.ToString();
lmPackageName = lmPackageName == "-" ? "" : lmPackageName;
//var keyLength = eventDetail.Properties[15].Value.ToString();
//var processId = eventDetail.Properties[16].Value.ToString();
//var processName = eventDetail.Properties[17].Value.ToString();
var ipAddress = eventDetail.Properties[18].Value.ToString();
//var ipPort = eventDetail.Properties[19].Value.ToString();
//var impersonationLevel = eventDetail.Properties[20].Value.ToString();
//var restrictedAdminMode = eventDetail.Properties[21].Value.ToString();
var targetOutboundUserName = "******";
var targetOutboundDomainName = "-";
if (eventDetail.Properties.Count > 22) // Not available on older versions of Windows
{
targetOutboundUserName = eventDetail.Properties[22].Value.ToString();
targetOutboundDomainName = eventDetail.Properties[23].Value.ToString();
}
//var VirtualAccount = eventDetail.Properties[24].Value.ToString();
//var TargetLinkedLogonId = eventDetail.Properties[25].Value.ToString();
//var ElevatedToken = eventDetail.Properties[26].Value.ToString();
// filter out SYSTEM, computer accounts, local service accounts, UMFD-X accounts, and DWM-X accounts (for now)
var userIgnoreRegex = "^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|UMFD-[0-9]+|DWM-[0-9]+|ANONYMOUS LOGON|" + Environment.MachineName + "\\$)$";
if (userRegex == null && Regex.IsMatch(targetUserName, userIgnoreRegex, RegexOptions.IgnoreCase))
{
continue;
}
var domainIgnoreRegex = "^(NT VIRTUAL MACHINE)$";
if (userRegex == null && Regex.IsMatch(targetDomainName, domainIgnoreRegex, RegexOptions.IgnoreCase))
{
continue;
}
// Handle the user filter
if (userRegex != null && !Regex.IsMatch(targetUserName, userRegex, RegexOptions.IgnoreCase))
{
continue;
}
// Analyze the output
if (logonType == "Network")
{
var accountName = $"{targetDomainName}\\{targetUserName}";
if (authenticationPackageName == "NTLM")
{
switch (lmPackageName)
{
case "NTLM V1":
NTLMv1Users.Add(accountName);
break;
case "NTLM V2":
NTLMv2Users.Add(accountName);
break;
}
}
else if (authenticationPackageName == "Kerberos")
{
KerberosUsers.Add(accountName);
}
}
yield return(new LogonEventsDTO(
eventDetail.TimeCreated?.ToUniversalTime(),
targetUserName,
targetDomainName,
logonType,
ipAddress,
subjectUserName,
subjectDomainName,
authenticationPackageName,
lmPackageName,
targetOutboundUserName,
targetOutboundDomainName
));
}
// TODO: Move all of this into a Foramtter class
if (NTLMv1Users.Count > 0 || NTLMv2Users.Count > 0)
{
WriteHost("\n Other accounts authenticate to this machine using NTLM! NTLM-relay may be possible");
}
if (NTLMv1Users.Count > 0)
{
WriteHost("\n Accounts authenticate to this machine using NTLM v1!");
WriteHost(" You can obtain these accounts' **NTLM** hashes by sniffing NTLM challenge/responses and then cracking them!");
WriteHost(" NTLM v1 authentication is 100% broken!\n");
PrintUserSet(NTLMv1Users);
}
if (NTLMv2Users.Count > 0)
{
WriteHost("\n Accounts authenticate to this machine using NTLM v2!");
WriteHost(" You can obtain NetNTLMv2 for these accounts by sniffing NTLM challenge/responses.");
WriteHost(" You can then try and crack their passwords.\n");
PrintUserSet(NTLMv2Users);
}
if (KerberosUsers.Count > 0)
{
WriteHost("\n The following users have authenticated to this machine using Kerberos.\n");
PrintUserSet(KerberosUsers);
}
}
