Il est crucial d’assurer la sécurité des systèmes informatiques. L’identification d’activités suspectes, telles que de nombreuses tentatives de connexion échouées, est une mesure importante pour atténuer les menaces potentielles. Le script fourni est écrit en PowerShell et est un outil polyvalent qui aide les professionnels de l’informatique et les MSP à obtenir des informations sur les échecs de connexion.
Contexte
Comprendre les échecs des tentatives de connexion sur un système peut fournir des informations cruciales aux administrateurs informatiques. Ils peuvent détecter d’éventuelles failles de sécurité, surveiller les comportements des utilisateurs et maintenir l’intégrité du système. Ce script PowerShell récupère efficacement ces données, offrant ainsi une solution optimale aux professionnels. Cet outil est d’une importance considérable. Face à l’augmentation des menaces de cybersécurité, il est essentiel pour les MSP et les professionnels de l’informatique de disposer d’une méthode efficace pour détecter les anomalies au niveau des connexions des utilisateurs.
Le script
#Requires -Version 3.0 -RunAsAdministrator
<#
.SYNOPSIS
Returns the number of recent failed login attempts.
.DESCRIPTION
Returns the number of recent failed login attempts of all users or of a specific user. If a user is specified then just a number is returned.
.EXAMPLE
No parameters needed.
Returns all users, of the local machine, with a could of failed login attempts.
Output Example:
UserName FailedLoginAttempts
-------- -------------------
Fred 4
Bob 0
.EXAMPLE
-UserName "Fred"
Returns the number of failed login attempts of the user Fred on the local machine.
Output Example:
4
.EXAMPLE
-ComputerName "FredPC" -UserName "Fred"
Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.EXAMPLE
-ComputerName "FredPC" -UserName "Fred" -Detailed
Returns the number of failed login attempts of the user Fred on the computer named FredPC, but will more details of each failed and successful logins.
Output Example:
TimeGenerated : 10/18/2019 7:52:43 AM
EventID : 4624
Category : 12544
ADUsername : Fred
Domain : FredPC
UserSID : S-1-0-0
Workstation : -
SourceIP : -
Port : -
FailureReason : Interactive
FailureStatus : Incorrect password
FailureSubStatus: Other
.EXAMPLE
PS C:> Monitor-Failed-Password-Attempts.ps1 -ComputerName "FredPC" -UserName "Fred"
Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.OUTPUTS
System.Int32 Number of failed login attempts.
.OUTPUTS
PSCustomObject List of user names and a count of failed login attempts.
.NOTES
Minimum OS Architecture Supported: Windows 7, Windows Server 2012
If ComputerName is specified, then be sure that the computer that this script is running on has network and permissions to access the Event Log on the remote computer.
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/fr/conditions-dutilisation
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
ManageUsers
#>
param (
# The name of a remote computer to get event logs for failed logins
[Parameter(Mandatory = $false)]
[String]
$ComputerName = [System.Net.Dns]::GetHostName(),
# A username
[Parameter(Mandatory = $false)]
[String]
$UserName,
# Returns all relevant events, sorted by TimeGenerated
[Switch]
$Detailed
)
# Support functions
# Returns the matching FailureReason like Incorrect password
function Get-FailureReason {
Param($FailureReason)
switch ($FailureReason) {
'0xC0000064' { "Account does not exist"; break; }
'0xC000006A' { "Incorrect password"; break; }
'0xC000006D' { "Incorrect username or password"; break; }
'0xC000006E' { "Account restriction"; break; }
'0xC000006F' { "Invalid logon hours"; break; }
'0xC000015B' { "Logon type not granted"; break; }
'0xc0000070' { "Invalid Workstation"; break; }
'0xC0000071' { "Password expired"; break; }
'0xC0000072' { "Account disabled"; break; }
'0xC0000133' { "Time difference at DC"; break; }
'0xC0000193' { "Account expired"; break; }
'0xC0000224' { "Password must change"; break; }
'0xC0000234' { "Account locked out"; break; }
'0x0' { "0x0"; break; }
default { "Other"; break; }
}
}
function Get-LogonType {
Param($LogonType)
switch ($LogonType) {
'0' { 'Interactive'; break; }
'2' { 'Interactive'; break; }
'3' { 'Network'; break; }
'4' { 'Batch'; break; }
'5' { 'Service'; break; }
'6' { 'Proxy'; break; }
'7' { 'Unlock'; break; }
'8' { 'Networkcleartext'; break; }
'9' { 'NewCredentials'; break; }
'10' { 'RemoteInteractive'; break; }
'11' { 'CachedInteractive'; break; }
'12' { 'CachedRemoteInteractive'; break; }
'13' { 'CachedUnlock'; break; }
Default {}
}
}
#-Newest $Records
$Events = Get-EventLog -ComputerName $ComputerName -LogName 'security' -InstanceId 4625, 4624 | Sort-Object -Property TimeGenerated | ForEach-Object {
if ($_.InstanceId -eq 4625) {
$_ | Select-Object -Property @(
@{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
@{Label = 'EventID'; Expression = { $_.InstanceId } },
@{Label = 'Category'; Expression = { $_.CategoryNumber } },
@{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
@{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
@{Label = 'UserSID'; Expression = { (($_.Message -Split 'rn' | Select-String 'Security ID')[1] -Split 's+')[3] } },
# @{Label = 'UserSID'; Expression = { $_.ReplacementStrings[0] } },
@{Label = 'Workstation'; Expression = { $_.ReplacementStrings[13] } },
@{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[19] } },
@{Label = 'Port'; Expression = { $_.ReplacementStrings[20] } },
@{Label = 'LogonType'; Expression = { $_.ReplacementStrings[8] } },
@{Label = 'FailureStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[7]) } },
@{Label = 'FailureSubStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[9]) } }
)
}
elseif ($_.InstanceId -eq 4624 -and (Get-LogonType($_.ReplacementStrings[8])) -notlike 'Service') {
$_ | Select-Object -Property @(
@{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
@{Label = 'EventID'; Expression = { $_.InstanceId } },
@{Label = 'Category'; Expression = { $_.CategoryNumber } },
@{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
@{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
@{Label = 'UserSID'; Expression = { $_.ReplacementStrings[0] } },
@{Label = 'Workstation'; Expression = { $_.ReplacementStrings[11] } },
@{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[18] } },
@{Label = 'Port'; Expression = { $_.ReplacementStrings[19] } },
@{Label = 'LogonType'; Expression = { Get-LogonType($_.ReplacementStrings[8]) } },
@{Label = 'LogonID'; Expression = { Get-FailureReason($_.ReplacementStrings[7]) } },
@{Label = 'LogonProcess'; Expression = { Get-FailureReason($_.ReplacementStrings[9]) } }
)
}
}
if ($Detailed) {
if ($UserName) {
$Events | Where-Object {
$_.Username -like $UserName
}
}
else {
$Events | Where-Object {
$_.Username -notlike "DWM*" -and
$_.Username -notlike "UMFD*" -and
$_.Username -notlike "SYSTEM"
}
}
}
else {
$UserNames = if ($UserName) {
($Events | Select-Object -Property Username -Unique).Username | Where-Object {
$_ -like "$UserName"
}
}
else {
($Events | Select-Object -Property Username -Unique).Username | Where-Object {
$_ -notlike "DWM*" -and
$_ -notlike "UMFD*" -and
$_ -notlike "SYSTEM"
}
}
$UserNames | ForEach-Object {
$CurrentUserName = $_
$FailedLoginCount = 0
for ($i = 0; $i -lt $Events.Count; $i++) {
if ($Events[$i].EventID -eq 4625 -and $Events[$i].Username -like $CurrentUserName) {
# User failed to login X times
# Count the number of failed logins
$FailedLoginCount++
}
elseif ($Events[$i].EventID -eq 4624 -and $Events[$i].Username -like $CurrentUserName) {
# User logged in successfully
# Reset the number of failed logins to 0
$FailedLoginCount = 0
}
}
if ($UserName) {
# If a UserName was specified, then return only the failed login count
$FailedLoginCount
}
else {
# If no UserName was specified, then return the user name and failed login count
[PSCustomObject]@{
UserName = $CurrentUserName
FailedLoginAttempts = $FailedLoginCount
}
}
}
}
|
#Requires -Version 3.0 -RunAsAdministrator
<#
.SYNOPSIS
Returns the number of recent failed login attempts.
.DESCRIPTION
Returns the number of recent failed login attempts of all users or of a specific user. If a user is specified then just a number is returned.
.EXAMPLE
No parameters needed.
Returns all users, of the local machine, with a could of failed login attempts.
Output Example:
UserName FailedLoginAttempts
-------- -------------------
Fred 4
Bob 0
.EXAMPLE
-UserName "Fred"
Returns the number of failed login attempts of the user Fred on the local machine.
Output Example:
4
.EXAMPLE
-ComputerName "FredPC" -UserName "Fred"
Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.EXAMPLE
-ComputerName "FredPC" -UserName "Fred" -Detailed
Returns the number of failed login attempts of the user Fred on the computer named FredPC, but will more details of each failed and successful logins.
Output Example:
TimeGenerated : 10/18/2019 7:52:43 AM
EventID : 4624
Category : 12544
ADUsername : Fred
Domain : FredPC
UserSID : S-1-0-0
Workstation : -
SourceIP : -
Port : -
FailureReason : Interactive
FailureStatus : Incorrect password
FailureSubStatus: Other
.EXAMPLE
PS C:> Monitor-Failed-Password-Attempts.ps1 -ComputerName "FredPC" -UserName "Fred"
Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.OUTPUTS
System.Int32 Number of failed login attempts.
.OUTPUTS
PSCustomObject List of user names and a count of failed login attempts.
.NOTES
Minimum OS Architecture Supported: Windows 7, Windows Server 2012
If ComputerName is specified, then be sure that the computer that this script is running on has network and permissions to access the Event Log on the remote computer.
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
ManageUsers
#>
param (
# The name of a remote computer to get event logs for failed logins
[Parameter(Mandatory = $false)]
[String]
$ComputerName = [System.Net.Dns]::GetHostName(),
# A username
[Parameter(Mandatory = $false)]
[String]
$UserName,
# Returns all relevant events, sorted by TimeGenerated
[Switch]
$Detailed
)
# Support functions
# Returns the matching FailureReason like Incorrect password
function Get-FailureReason {
Param($FailureReason)
switch ($FailureReason) {
'0xC0000064' { "Account does not exist"; break; }
'0xC000006A' { "Incorrect password"; break; }
'0xC000006D' { "Incorrect username or password"; break; }
'0xC000006E' { "Account restriction"; break; }
'0xC000006F' { "Invalid logon hours"; break; }
'0xC000015B' { "Logon type not granted"; break; }
'0xc0000070' { "Invalid Workstation"; break; }
'0xC0000071' { "Password expired"; break; }
'0xC0000072' { "Account disabled"; break; }
'0xC0000133' { "Time difference at DC"; break; }
'0xC0000193' { "Account expired"; break; }
'0xC0000224' { "Password must change"; break; }
'0xC0000234' { "Account locked out"; break; }
'0x0' { "0x0"; break; }
default { "Other"; break; }
}
}
function Get-LogonType {
Param($LogonType)
switch ($LogonType) {
'0' { 'Interactive'; break; }
'2' { 'Interactive'; break; }
'3' { 'Network'; break; }
'4' { 'Batch'; break; }
'5' { 'Service'; break; }
'6' { 'Proxy'; break; }
'7' { 'Unlock'; break; }
'8' { 'Networkcleartext'; break; }
'9' { 'NewCredentials'; break; }
'10' { 'RemoteInteractive'; break; }
'11' { 'CachedInteractive'; break; }
'12' { 'CachedRemoteInteractive'; break; }
'13' { 'CachedUnlock'; break; }
Default {}
}
}
#-Newest $Records
$Events = Get-EventLog -ComputerName $ComputerName -LogName 'security' -InstanceId 4625, 4624 | Sort-Object -Property TimeGenerated | ForEach-Object {
if ($_.InstanceId -eq 4625) {
$_ | Select-Object -Property @(
@{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
@{Label = 'EventID'; Expression = { $_.InstanceId } },
@{Label = 'Category'; Expression = { $_.CategoryNumber } },
@{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
@{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
@{Label = 'UserSID'; Expression = { (($_.Message -Split 'rn' | Select-String 'Security ID')[1] -Split 's+')[3] } },
# @{Label = 'UserSID'; Expression = { $_.ReplacementStrings[0] } },
@{Label = 'Workstation'; Expression = { $_.ReplacementStrings[13] } },
@{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[19] } },
@{Label = 'Port'; Expression = { $_.ReplacementStrings[20] } },
@{Label = 'LogonType'; Expression = { $_.ReplacementStrings[8] } },
@{Label = 'FailureStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[7]) } },
@{Label = 'FailureSubStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[9]) } }
)
}
elseif ($_.InstanceId -eq 4624 -and (Get-LogonType($_.ReplacementStrings[8])) -notlike 'Service') {
$_ | Select-Object -Property @(
@{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
@{Label = 'EventID'; Expression = { $_.InstanceId } },
@{Label = 'Category'; Expression = { $_.CategoryNumber } },
@{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
@{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
@{Label = 'UserSID'; Expression = { $_.ReplacementStrings[0] } },
@{Label = 'Workstation'; Expression = { $_.ReplacementStrings[11] } },
@{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[18] } },
@{Label = 'Port'; Expression = { $_.ReplacementStrings[19] } },
@{Label = 'LogonType'; Expression = { Get-LogonType($_.ReplacementStrings[8]) } },
@{Label = 'LogonID'; Expression = { Get-FailureReason($_.ReplacementStrings[7]) } },
@{Label = 'LogonProcess'; Expression = { Get-FailureReason($_.ReplacementStrings[9]) } }
)
}
}
if ($Detailed) {
if ($UserName) {
$Events | Where-Object {
$_.Username -like $UserName
}
}
else {
$Events | Where-Object {
$_.Username -notlike "DWM*" -and
$_.Username -notlike "UMFD*" -and
$_.Username -notlike "SYSTEM"
}
}
}
else {
$UserNames = if ($UserName) {
($Events | Select-Object -Property Username -Unique).Username | Where-Object {
$_ -like "$UserName"
}
}
else {
($Events | Select-Object -Property Username -Unique).Username | Where-Object {
$_ -notlike "DWM*" -and
$_ -notlike "UMFD*" -and
$_ -notlike "SYSTEM"
}
}
$UserNames | ForEach-Object {
$CurrentUserName = $_
$FailedLoginCount = 0
for ($i = 0; $i -lt $Events.Count; $i++) {
if ($Events[$i].EventID -eq 4625 -and $Events[$i].Username -like $CurrentUserName) {
# User failed to login X times
# Count the number of failed logins
$FailedLoginCount++
}
elseif ($Events[$i].EventID -eq 4624 -and $Events[$i].Username -like $CurrentUserName) {
# User logged in successfully
# Reset the number of failed logins to 0
$FailedLoginCount = 0
}
}
if ($UserName) {
# If a UserName was specified, then return only the failed login count
$FailedLoginCount
}
else {
# If no UserName was specified, then return the user name and failed login count
[PSCustomObject]@{
UserName = $CurrentUserName
FailedLoginAttempts = $FailedLoginCount
}
}
}
}
Accédez à plus de 700 scripts dans le Dojo NinjaOne
Description détaillée du script
Le script récupère les données des journaux d’événements d’un ordinateur donné, en ciblant des ID d’événements spécifiques qui représentent des tentatives de connexion échouées ou réussies.
- Paramètres: Le script commence par définir des paramètres tels que ComputerName, UserName et Detailed. Cela permet à l’utilisateur de spécifier la machine, l’utilisateur et le niveau de détail des tentatives de connexion.
- Fonctions: Deux fonctions, Get-FailureReason et Get-LogonType, traduisent les informations codées des journaux d’événements en données lisibles concernant le type de connexion et la raison de l’échec de la connexion.
- Recherche d’événements: Le script récupère ensuite les journaux d’événements et les filtre pour ne conserver que les informations nécessaires. Il faut sélectionner les instances avec les ID d’événement pertinents.
- Traitement: Selon que des données détaillées sont demandées ou non, le script fournit une analyse détaillée de chaque tentative de connexion ou un résumé des échecs pour chaque utilisateur.
Cas d’utilisation potentiels
Imaginez un administrateur informatique dans une entreprise de taille moyenne. Récemment, le service informatique a constaté une augmentation du nombre de tentatives de connexion échouées, en particulier en dehors des heures de travail. Grâce à ce script, l’administrateur peut rapidement vérifier quels sont les utilisateurs dont les tentatives de connexion ont échoué et à quelle fréquence. En constatant qu’un seul compte d’utilisateur avait fait l’objet de plusieurs tentatives infructueuses dans un court laps de temps, ils ont pu conclure que ce compte pouvait avoir été ciblé. Ainsi, le script permet une détection précoce et une remédiation rapide.
Approche alternative
Il existe plusieurs méthodes pour suivre les échecs des tentatives de connexion. L’audit de sécurité intégré à Windows, par exemple, vous permet de consulter les journaux de sécurité via l’Observateur d’événements. Bien que cette approche soit simple, elle peut prendre du temps. Notre script PowerShell simplifie le processus, offrant une solution plus efficace et personnalisable.
FAQ
- Comment le script identifie-t-il un échec de connexion ?
Le script recherche des ID d’événements spécifiques dans le journal des événements, tels que 4625 pour les échecs de connexion. - Puis-je récupérer des données à partir d’une machine distante ?
Oui, en fournissant le paramètre ComputerName, vous pouvez obtenir des données d’un ordinateur distant.
Implications
En connaissant le nombre de tentatives de connexion échouées, les administrateurs informatiques peuvent anticiper les failles de sécurité. Les anomalies dans les habitudes de connexion sont souvent un signe précoce d’activité malveillante. Par conséquent, en agissant sur ces données, les professionnels peuvent renforcer leurs systèmes contre les menaces potentielles.
Recommandations
- Assurez-vous que vous disposez des autorisations nécessaires pour récupérer les journaux d’événements.
- Exécutez régulièrement le script, en particulier pour les systèmes contenant des informations sensibles.
- Examinez tous les cas d’échec de connexion et informez les utilisateurs concernés.
Conclusions
Les outils tels que notre script PowerShell sont essentiels face à l’augmentation des cyber-menaces. Pour une solution de sécurité complète, des plateformes telles que NinjaOne peuvent être intégrées, assurant une surveillance et une gestion en temps réel. NinjaOne, associé à des scripts proactifs tels que celui-ci, constitue une défense supplémentaire contre les cybermenaces.
