private static IEnumerable <IWinEvent> _Find_DomainUserEvent(string[] ComputerName, DateTime StartTime, DateTime EndTime, int MaxEvents, string[] TargetUsers, Dictionary <string, string> Filter, System.Net.NetworkCredential Credential)
{
var Events = new List <IWinEvent>();
foreach (var TargetComputer in ComputerName)
{
var Up = TestConnection.Ping(TargetComputer, 1);
if (Up)
{
var DomainUserEventArgs = new Args_Get_DomainUserEvent
{
ComputerName = new[] { TargetComputer },
StartTime = StartTime,
EndTime = EndTime,
MaxEvents = MaxEvents,
Credential = Credential
};
if (Filter != null || TargetUsers != null)
{
if (TargetUsers != null)
{
GetDomainUserEvent.Get_DomainUserEvent(DomainUserEventArgs).Where(x => TargetUsers.Contains((x is LogonEvent) ? (x as LogonEvent).TargetUserName : (x as ExplicitCredentialLogonEvent).TargetUserName));
}
else
{
var Operator = "or";
foreach (var key in Filter.Keys)
{
if ((key == "Op") || (key == "Operator") || (key == "Operation"))
{
if ((Filter[key].IsRegexMatch("&")) || (Filter[key] == "and"))
{
Operator = "and";
}
}
}
var Keys = Filter.Keys.Where(x => (x != "Op") && (x != "Operator") && (x != "Operation"));
var events = GetDomainUserEvent.Get_DomainUserEvent(DomainUserEventArgs);
foreach (var evt in events)
{
if (Operator == "or")
{
foreach (var Key in Keys)
{
if (evt.GetPropValue <string>(Key).IsRegexMatch(Filter[Key]))
{
Events.Add(evt);
}
}
}
else
{
// and all clauses
foreach (var Key in Keys)
{
if (!evt.GetPropValue <string>(Key).IsRegexMatch(Filter[Key]))
{
break;
}
Events.Add(evt);
}
}
}
}
}
else
{
GetDomainUserEvent.Get_DomainUserEvent(DomainUserEventArgs);
}
}
}
return(Events);
}
public static IEnumerable <IWinEvent> Get_DomainUserEvent(Args_Get_DomainUserEvent args = null)
{
if (args == null)
{
args = new Args_Get_DomainUserEvent();
}
// the XML filter we're passing to Get-WinEvent
var XPathFilter = $@"
<QueryList>
<Query Id=""0"" Path=""Security"">
<!--Logon events-->
<Select Path = ""Security"">
*[
System[
Provider[
@Name='Microsoft-Windows-Security-Auditing'
]
and (Level=4 or Level=0) and (EventID=4624)
and TimeCreated[
@SystemTime>='{args.StartTime.ToUniversalTime().ToString("s")}' and @SystemTime<='{args.EndTime.ToUniversalTime().ToString("s")}'
]
]
]
and
*[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
</Select>
<!-- Logon with explicit credential events -->
<Select Path=""Security"">
*[
System[
Provider[
@Name='Microsoft-Windows-Security-Auditing'
]
and (Level=4 or Level=0) and (EventID=4648)
and TimeCreated[
@SystemTime>='{args.StartTime.ToUniversalTime().ToString("s")}' and @SystemTime<='{args.EndTime.ToUniversalTime().ToString("s")}'
]
]
]
</Select>
<Suppress Path=""Security"">
*[
System[
Provider[
@Name='Microsoft-Windows-Security-Auditing'
]
and
(Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)
]
]
and
*[
EventData[
(
(Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0')
or
Data[@Name='TargetUserName']='******'
or
Data[@Name='TargetUserSID']='S-1-5-18'
)
]
]
</Suppress>
</Query>
</QueryList>
";
var Events = new List <IWinEvent>();
foreach (var Computer in args.ComputerName)
{
EventLogQuery query = new EventLogQuery(@"Security", PathType.LogName, XPathFilter);
EventLogReader reader = new EventLogReader(query);
for (EventRecord Event = reader.ReadEvent(); null != Event; Event = reader.ReadEvent())
{
if (args.ComputerName.Any(x => Event.MachineName.Equals(x, StringComparison.OrdinalIgnoreCase) || Event.MachineName.StartsWith(x, StringComparison.OrdinalIgnoreCase)))
{
var Properties = Event.Properties;
switch (Event.Id)
{
case 4624: // logon event
// skip computer logons, for now...
if (!Event.Properties[5].Value.ToString().EndsWith(@"$"))
{
Events.Add(new LogonEvent
{
ComputerName = Computer,
TimeCreated = Event.TimeCreated,
EventId = Event.Id,
SubjectUserSid = Properties[0].Value.ToString(),
SubjectUserName = Properties[1].Value.ToString(),
SubjectDomainName = Properties[2].Value.ToString(),
SubjectLogonId = Properties[3].Value.ToString(),
TargetUserSid = Properties[4].Value.ToString(),
TargetUserName = Properties[5].Value.ToString(),
TargetDomainName = Properties[6].Value.ToString(),
TargetLogonId = Properties[7].Value.ToString(),
LogonType = Properties[8].Value.ToString(),
LogonProcessName = Properties[9].Value.ToString(),
AuthenticationPackageName = Properties[10].Value.ToString(),
WorkstationName = Properties[11].Value.ToString(),
LogonGuid = Properties[12].Value.ToString(),
TransmittedServices = Properties[13].Value.ToString(),
LmPackageName = Properties[14].Value.ToString(),
KeyLength = Properties[15].Value.ToString(),
ProcessId = Properties[16].Value.ToString(),
ProcessName = Properties[17].Value.ToString(),
IpAddress = Properties[18].Value.ToString(),
IpPort = Properties[19].Value.ToString(),
ImpersonationLevel = Properties[20].Value.ToString(),
RestrictedAdminMode = Properties[21].Value.ToString(),
TargetOutboundUserName = Properties[22].Value.ToString(),
TargetOutboundDomainName = Properties[23].Value.ToString(),
VirtualAccount = Properties[24].Value.ToString(),
TargetLinkedLogonId = Properties[25].Value.ToString(),
ElevatedToken = Properties[26].Value.ToString()
});
}
break;
case 4648: // logon with explicit credential
// skip computer logons, for now...
if (!Properties[5].Value.ToString().EndsWith(@"$") && Properties[11].Value.ToString().IsRegexMatch(@"taskhost\.exe"))
{
Events.Add(new ExplicitCredentialLogonEvent
{
ComputerName = Computer,
TimeCreated = Event.TimeCreated,
EventId = Event.Id,
SubjectUserSid = Properties[0].Value.ToString(),
SubjectUserName = Properties[1].Value.ToString(),
SubjectDomainName = Properties[2].Value.ToString(),
SubjectLogonId = Properties[3].Value.ToString(),
LogonGuid = Properties[4].Value.ToString(),
TargetUserName = Properties[5].Value.ToString(),
TargetDomainName = Properties[6].Value.ToString(),
TargetLogonGuid = Properties[7].Value.ToString(),
TargetServerName = Properties[8].Value.ToString(),
TargetInfo = Properties[9].Value.ToString(),
ProcessId = Properties[10].Value.ToString(),
ProcessName = Properties[11].Value.ToString(),
IpAddress = Properties[12].Value.ToString(),
IpPort = Properties[13].Value.ToString()
});
}
break;
default:
Logger.Write_Warning($@"No handler exists for event ID: {Event.Id}");
break;
}
}
if (Events.Count >= args.MaxEvents)
{
break;
}
}
}
return(Events);
}
public static IEnumerable <IWinEvent> Get_UserEvent(Args_Get_DomainUserEvent args = null)
{
return(GetDomainUserEvent.Get_DomainUserEvent(args));
}
