8. Windows Log分析(PowerShell登入)

16th鐵人賽

Eugene

2024-09-22 22:25:11

115 瀏覽

分享至

說明

這章觀察另一種PowerShell連入的事件的日誌

作法

嘗試連線失敗，EventLog Security 4703 Token Right Adjusted Events

──(root㉿kali)-[/home/kali]
└─# pwsh
PS /home/kali> Enter-PSSession 192.168.190.129 -Credential pc01 -Authentication Negotiate  

PowerShell credential request
Enter your credentials.
Password for user pc01: ************

Enter-PSSession: Connecting to remote server 192.168.190.129 failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic.

參考微軟說明
https://learn.microsoft.com/zh-tw/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-7.4

啟用WINRM，允許遠端連線

Start-Service WinRm
Enable-PSRemoting –force

防火牆要改成public以外
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or
Private and try again.

PS C:\Users\pc01> Get-NetConnectionProfile
Name             : Unidentified network
InterfaceAlias   : Ethernet1
InterfaceIndex   : 2
NetworkCategory  : Public
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork
...
PS C:\Users\pc01> Set-NetConnectionProfile -Name "Unidentified network" -NetworkCategory Private

加到允選網路連線清單
specpol.msc > Local Security Policy > Local Policies > User　Rights Assignment > Access this computer from the network

Windows EventLog

Get-WinEvent -FilterXml '
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776 or EventID=4672 or EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=261 or EventID=1149) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>
' |
Select-Object Id, TimeCreated, 
@{Name="LogonType"; Expression={$_.Properties[8].Value}}, 
@{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}

從EventLog看起來，處在連線狀態就會一直有4624 LogonType 3 的事件產生

  Id TimeCreated          LogonType AdditionalInfo
  -- -----------          --------- --------------     
4624 9/22/2024 6:51:25 AM         3 NTLM          
4776 9/22/2024 6:51:25 AM                         
4624 9/22/2024 6:51:25 AM         3 NTLM          
4776 9/22/2024 6:51:25 AM                         
4624 9/22/2024 6:51:24 AM         3 NTLM          
4776 9/22/2024 6:51:24 AM                         
4624 9/22/2024 6:51:24 AM         3 NTLM          
4776 9/22/2024 6:51:24 AM                         
4624 9/22/2024 6:51:24 AM         3 NTLM          
4776 9/22/2024 6:51:24 AM                         
4624 9/22/2024 6:51:23 AM         3 NTLM          
4776 9/22/2024 6:51:23 AM                         
4624 9/22/2024 6:51:23 AM         3 NTLM          
4776 9/22/2024 6:51:23 AM                         
4624 9/22/2024 6:51:23 AM         3 NTLM          
4776 9/22/2024 6:51:23 AM                         
4624 9/22/2024 6:51:22 AM         3 NTLM          
4776 9/22/2024 6:51:22 AM                         
4624 9/22/2024 6:51:22 AM         3 NTLM          
4776 9/22/2024 6:51:22 AM                         
4624 9/22/2024 6:51:22 AM         3 NTLM          
4776 9/22/2024 6:51:22 AM                         
4624 9/22/2024 6:51:21 AM         3 NTLM          
4776 9/22/2024 6:51:21 AM                         
4624 9/22/2024 6:51:21 AM         3 NTLM          
4776 9/22/2024 6:51:21 AM                         
4624 9/22/2024 6:51:20 AM         3 NTLM          
4776 9/22/2024 6:51:20 AM