Tree @06a953b (Download .tar.gz)
- ..
- Brute-AD.ps1
- Brute-LocAdmin.ps1
- Bypass-UAC.ps1
- ConvertTo-Shellcode.ps1
- Cred-Popper.ps1
- CVE-2016-9192.ps1
- Daisy.dll
- dcom.exe
- Decrypt-RDCMan.ps1
- Dump-NTDS.ps1
- Exploit-EternalBlue.ps1
- Get-ComputerInfo.ps1
- Get-CreditCardData.ps1
- Get-FirewallRules.ps1
- Get-GPPAutologon.ps1
- Get-GPPPassword.ps1
- Get-Hash.ps1
- Get-IdleTime.ps1
- Get-InjectedThread.ps1
- Get-IPConfig.ps1
- Get-Keystrokes.ps1
- Get-LAPSPasswords.ps1
- Get-LocAdm.ps1
- Get-MSHotFixes.ps1
- Get-Netstat.ps1
- Get-PassNotExp.ps1
- Get-PassPol.ps1
- Get-RecentFiles.ps1
- Get-ScreenshotAllWindows.ps1
- Get-ServicePerms.ps1
- Get-System.ps1
- Get-TokenElevationType.ps1
- Get-UserInfo.ps1
- Get-UserLogons.ps1
- Get-WLANPass.ps1
- HostEnum.ps1
- Inject-Shellcode.ps1
- InternalMonologue.exe
- Inveigh-Relay.ps1
- Inveigh.exe
- Inveigh.ps1
- Invoke-Arpscan.ps1
- Invoke-DaisyChain.ps1
- Invoke-DCSync.ps1
- Invoke-EDRChecker.ps1
- Invoke-EventVwrBypass.ps1
- Invoke-Hostscan.ps1
- Invoke-InveighUnprivileged.ps1
- Invoke-Kerberoast.ps1
- Invoke-Mimikatz.ps1
- Invoke-MS16-032-Proxy.ps1
- Invoke-MS16-032.ps1
- Invoke-Pbind.ps1
- Invoke-Pipekat.ps1
- Invoke-Portscan.ps1
- Invoke-PowerDump.ps1
- Invoke-PsExec.ps1
- Invoke-PSInject.ps1
- Invoke-PsUACme.ps1
- Invoke-ReflectivePEInjection.ps1
- Invoke-ReverseDnsLookup.ps1
- Invoke-RunAs.ps1
- Invoke-Shellcode.ps1
- Invoke-SMBClient.ps1
- Invoke-SMBExec.ps1
- Invoke-Sniffer.ps1
- Invoke-SqlQuery.ps1
- Invoke-Tater.ps1
- Invoke-TheHash.ps1
- Invoke-TokenManipulation.ps1
- Invoke-URLCheck.ps1
- Invoke-WinRMSession.ps1
- Invoke-WMIChecker.ps1
- Invoke-WMICommand.ps1
- Invoke-WMIEvent.ps1
- Invoke-WMIExec.ps1
- Invoke-WScriptBypassUAC.ps1
- KeePassConfig.ps1
- KeeThief.ps1
- linuxprivchecker.py
- LockLess.exe
- Logger.exe
- MiniDump.ps1
- NamedPipe.ps1
- NamedPipeDaisy.ps1
- NamedPipeProxy.ps1
- New-JScriptShell.ps1
- Out-Minidump.ps1
- PBind.exe
- PortScanner.dll
- PortScanner.ps1
- powercat.ps1
- Powermad.ps1
- PowerUp.ps1
- PowerUpSQL.ps1
- PowerUpSQL_Full.ps1
- powerview.ps1
- PowerView_dev.ps1
- PS.exe
- PwrStatusTracker.dll
- Rubeus.exe
- RunAs-NetOnly.ps1
- RunAs.exe
- RunasCs.exe
- SafetyDump.exe
- SafetyKatz.exe
- Screenshot.dll
- Seatbelt.exe
- Seatbelt.ps1
- Service-Perms.ps1
- Set-LHSTokenPrivilege.ps1
- SExec.exe
- SharpApplocker.exe
- SharpChrome.exe
- SharpCOM.exe
- SharpCookieMonster.exe
- SharpDPAPI.exe
- SharpDump.exe
- SharpEdge.exe
- SharpEDRChecker.exe
- SharPersist.exe
- SharpHound.exe
- SharpHound.ps1
- SharpLogger.exe
- SharpPrinter.exe
- SharpRoast.exe
- SharpSC.exe
- SharpSniper.exe
- SharpSocks.exe
- SharpSocks.ps1
- SharpSploit.dll
- SharpSSDP.exe
- SharpTask.exe
- SharpUp.exe
- SharpView.exe
- SharpWeb.exe
- SharpWMI.exe
- Sherlock.ps1
- Shhmon.exe
- SSLInspectionCheck.ps1
- Stage2-Core.exe
- Stage2-Core.ps1
- SweetPotato.exe
- Test-ADCredential.ps1
- TestProxy.ps1
- Watson.exe
- WExec.exe
- Zippy.ps1
Get-UserLogons.ps1 @06a953b — raw · history · blame
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 | <#
.Synopsis
Gets User Logon Events
Author: @m0rv4i
.DESCRIPTION
Lists User Logon Events from an event log and lists them with timestamps and from which hostname.
Events where the hostname is '-' and machine logon events are excluded.
.PARAMETER Newest
Check the newest X events. Defaults to 200.
.PARAMETER ComputerName
Computername to run against using PSRemoting. Defaults to local host.
.PARAMETER ExclusionList
Account names to exclude. Defaults to "SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1".
.PARAMETER ServiceAccounts
Whether to logic service accounts or not. Defaults to false.
Service accounts are accounts starting with SVC_, SVC-, svc_ or svc-.
.EXAMPLE
PS C:\> Get-UserLogons
2020-08-17 10:52:40 : BEEROCLOCK\bob -> BEEROCLOCK
2020-08-17 10:52:40 : BEEROCLOCK\bob -> BEEROCLOCK
2020-08-14 19:00:48 : BEEROCLOCK\bob -> BEEROCLOCK
2020-08-14 19:00:48 : BEEROCLOCK\bob -> BEEROCLOCK
2020-08-12 21:00:05 : BEEROCLOCK\bob -> BEEROCLOCK
2020-08-12 21:00:05 : BEEROCLOCK\bob -> BEEROCLOCK
.EXAMPLE
PS C:\> Get-UserLogons -Newest 20000 -ServiceAccounts -ComputerName DC01.DOMAIN.LOCAL
.EXAMPLE
PS C:\> $exclusions = $("SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1", "ACCOUNT1", "ACCOUNT2")
PS C:\> Get-UserLogons -ServiceAccounts -ComputerName DC01.DOMAIN.LOCAL -ExclusionList $exclusions
#>
function Get-UserLogons()
{
[CmdletBinding()]
Param
(
[string[]]$ExclusionList = $("SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1"),
[int]$Newest = 200,
[switch]$ServiceAccounts = $false,
[string]$ComputerName = ""
)
Write-Output ""
if($ComputerName)
{
$LogonEvents = Get-EventLog -newest $Newest -logname security -instanceid 4624 -ComputerName $ComputerName
}
else
{
$LogonEvents = Get-EventLog -newest $Newest -logname security -instanceid 4624
}
foreach($Events in $LogonEvents)
{
$LogonUsername = $Events.ReplacementStrings[5]
$LogonHostname = $Events.ReplacementStrings[11]
$LogonDomain = $Events.ReplacementStrings[6]
if($ExclusionList -contains $LogonUsername)
{
continue
}
if($LogonHostname -eq "-")
{
continue
}
if($LogonUsername.Trim("`$") -eq $LogonHostname)
{
continue
}
if(!$ServiceAccounts)
{
if($LogonUsername.ToLower().StartsWith("svc_") -or $LogonUsername.ToLower().StartsWith("svc-"))
{
continue
}
}
Write-Output "$($Events.TimeGenerated.ToString("yyyy-MM-dd HH:mm:ss")) : $LogonDomain\$LogonUsername -> $LogonHostname"
}
}
|