Module/WindowsEvent-FailedLogon/Main.ps1

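function Use-WEFL () {
    <#
    .SYNOPSIS
        Scans the Security log for failed logons (event 4625) and maintains the blacklist.
    .DESCRIPTION
        Reads 4625 events newer than Wefl_MaxAttemptTime seconds, extracts the source
        address, account name and logon type from each event message, blacklists every
        source address with at least Wefl_MaxAttemptCount failures in that window, and
        removes blacklist entries whose ban (Wefl_BanTime seconds) has expired.
    .PARAMETER ConfigModule
        Module configuration. Properties read here: Wefl_MaxAttemptTime (seconds),
        Wefl_MaxAttemptCount (failures) and Wefl_BanTime (seconds).
    .PARAMETER ConfigSystem
        System configuration. Not read by this function at present.
    .OUTPUTS
        None. Blocking and unblocking actions are reported through Write-F2BConsole.
    #>
    Param(
        $ConfigModule,
        $ConfigSystem
    )

    # ++++++++++++++++++++++++
    # Internal Function
    # Extracts the value part of a "Label:   value" field from an event message.
    # Event 4625 carries "Account Name:" twice (the subject and the account that
    # failed to log on); when exactly two matches are found the second one is used.
    # A pattern that does not match yields an empty result rather than $null.
    function Get-F2BMatch(){
        Param(
            [Parameter(Mandatory=$true)]
            [String]$Pattern,
            [Parameter(Mandatory=$true)]
            [String]$Data
        )

        $Content = $Data | Select-String -Pattern $Pattern -AllMatches |
            Select-Object -ExpandProperty Matches |
            Select-Object -ExpandProperty Value
        if ($Content.Count -eq 2) {
            $Value = $Content[1]
        } else {
            $Value = $Content
        }
        # Keep only what follows the label and strip every whitespace character.
        $Value = (($Value -split ":")[1]) -replace "\s+",""

        return $Value
    }

    # ++++++++++++++++++++++++
    # Get Windows Event
    # Only look back over the attempt window; older failures cannot count towards a ban.
    $AfterDate = (Get-Date).AddSeconds(-[double]$ConfigModule.Wefl_MaxAttemptTime)
    # NOTE(review): Get-WinEvent writes an error and returns nothing when no event
    # matches the filter, and reading the Security log typically needs elevated
    # rights; in both cases $events is empty and the loops below simply do nothing,
    # so a permission problem shows up only as "nothing gets blocked".
    $events = Get-WinEvent -FilterHashtable @{ProviderName= "Microsoft-Windows-Security-Auditing"; LogName = "security"; Id = "4625"; StartTime = [datetime]$AfterDate}

    # ++++++++++++++++++++++++
    # Format Events
    # Collect one object per event straight from the loop output instead of
    # growing an array with += (which copies the array on every append).
    $ReturnObj = foreach ($i in $events) {
        # LogonType: assigned on every event, so an unknown type never inherits
        # the label decoded for the previous event. Unknown types keep the raw id.
        $LogonID = Get-F2BMatch -Pattern "Logon Type:\s+\w+" -Data $i.Message
        $logontype = switch ($LogonID) {
            2       { "Interactive" }
            3       { "Network" }
            7       { "Computer Unlocked" }
            10      { "RemoteInteractive" }
            default { $LogonID }
        }

        # NOTE(review): "\w+" stops at the first non-word character, so account
        # names containing "." or "-" are truncated in Username. Blocking keys on
        # IP, so this only affects reporting.
        [PSCustomObject] @{
            Id        = $i.RecordId
            Username  = Get-F2BMatch -Pattern "account name:\s+\w+" -Data $i.Message
            Date      = $i.TimeCreated
            IP        = Get-F2BMatch -Pattern "Source Network Address:\s+\d{1,3}(\.\d{1,3}){3}" -Data $i.Message
            LogonType = $logontype
        }
    }

    # ++++++++++++++++++++++++
    # Blocking address
    $IpGroup = $ReturnObj | Group-Object -Property IP
    foreach ($Group in $IpGroup) {
        # Events without an IPv4 source address (the pattern above matched nothing)
        # all share an empty IP; never turn that group into a blacklist entry.
        if ([string]::IsNullOrEmpty($Group.Name)) { continue }
        if ($Group.Count -ge $ConfigModule.Wefl_MaxAttemptCount) {
            if ((Test-F2BRegistryIP -IP $Group.Name -Type Black) -eq $false) {
                Add-F2BAddress -IP $Group.Name -Type Black | Out-Null
                Write-F2BConsole -Type Information -Message "+ Blocking address $($Group.Name)"
            }
        }
    }

    # ++++++++++++++++++++++++
    # Unblocking address
    # Entries are used as Key = address, Value = ban timestamp or 'Unlimited'
    # (permanent ban) — presumably a hashtable; verify against Get-F2BRegistryIP.
    $BlockedAddress = Get-F2BRegistryIP -Type Black
    if ($null -ne $BlockedAddress) {
        $Now = Get-Date
        foreach ($item in $BlockedAddress.GetEnumerator()) {
            if ($item.Value -eq 'Unlimited') { continue }
            # A ban expires Wefl_BanTime seconds after the recorded timestamp.
            # assumes the stored value round-trips through [DateTime] — TODO confirm format
            if (([DateTime]$item.Value).AddSeconds($ConfigModule.Wefl_BanTime) -le $Now) {
                Remove-F2BAddress -IP $item.Key -Type Black | Out-Null
                Write-F2BConsole -Type Information -Message "+ Unblocking address $($item.Key)"
            }
        }
    }

    # ++++++++++++++++++++++++
    # Stats
    #if($ConfigModule.Wefl_Stats -eq "1"){
    #
    #}
}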