• Account Name
• DateTime 
• Type  ( Interactive,Network,Unlock)

The script is composed of 2 functions:

• Find-Matches
• Query-SecurityLog

Query-SecurityLog is the main function and is responsible for creating and outputing the custom object.  Find-Matches is a helper function used to parse the event log message property for the following pattern: “Account Name:      SomeUserName”.    Prior to incorporating the Find-Matches function I had used the -Match operator but then realized that pattern was referenced twice  in the message and that the -Match operator returns only the first matching expression.  So, if you need to find more than one occurrence of a pattern in raw text, you have to switch over to the RegEx object underlying the -Match operator and use it directly.

This left me with 2 possible option that could be used to discover one or more matching values:

• Select-String (as used in Find-Matches)
• [regex]

The Find-Matches function was something I already had in my repository of scripts so I went that route, however after reading Chapter 13: Text and Regular Expression in the Powershell.com ebook I realized this could of been done with less code by using [regex].

$Pattern = [regex]"(?i)\baccount name:\s+\w+\b"
$Content = $Pattern.matches($i.message) | select -prop value | %{$_.value}

The example below demonstrates how Select-String is used in the Find-Matches function to output all matching patterns:

I then used an if\else statemtment block to determine  how many matches were returned and then set the $account parameter accordingly.

if($content.Count -eq 2) {
$account = $content[1]} else {$account =  $content }

 I was also suprised to see just how many non-user account logon events were recorded and decided to remove any events that referenced the accounts below:

• System
• IUSER
• LOCAL
• NETWORK
• $ENV:Computername

As well as filter the events based on the following Logon Types and assign the $logontype variable accordingly:

• Interactive (2)
• Network (3)
• Computer Unlocked (7)

This was done using the following code:

$notmatch = "System|IUSR|LOCAL|NETWORK"
if($account -notmatch $notmatch)  {                        

    if($i.Message | Select-String -Pattern "Logon Type:\s+[2]") {
    $logontype = "Interactive" }
    if($i.Message | Select-String -Pattern "Logon Type:\s+[3]") {
    $logontype = "Network" }
    if($i.Message | Select-String -Pattern "Logon Type:\s+[7]") {
    $logontype = "Computer Unlocked" }
    }

It was then just a matter of creating and populating the custom object.  There are 2 ways to populate an object once created.  One way is to create the object and then use the Add-Member cmdlet to populate it and the other is to use the -Property property along with splatting ( @{} ).

• $Obj | Add-Member -Noteproperty NameOfProperty  ValueOfProperty
• -Property @{ NameOfProperty = “Value” }

I choose to go with the Splatting option as it requires less code.

$obj = New-Object PSObject -Property @{
       User = $user
       Date = $Date
       LogonType = $LogonType
       }

 The end result was the following code. 

Function Find-Matches {                        

 Param($Pattern)
 Process {
  $_ | Select-String -pattern $Pattern -AllMatches |
   select -ExpandProperty matches |
   select -ExpandProperty value
  }
 }                        

Function Query-SecurityLog {               

    Param(
        [int]$MaxEvents,
        [array]$global:Users = @(),
        [string]$Comp = $env:computername,
        $notmatch = "System|IUSR|LOCAL|NETWORK"            

        )                 

    if($MaxEvents)
    { $events = Get-WinEvent -LogName security -MaxEvents $MaxEvents |
    Where-Object{$_.id -eq "4624"}
    } Else {  $events = Get-WinEvent -LogName security  |
    Where-Object{$_.id -eq "4624"}}            

    Foreach($i in $events) {                        

    $content = $i.message| Find-Matches -Pattern "account name:\s+\w+"
    if($content.Count -eq 2) {
    $account = $content[1]} else {$account =  $content }
    $account = (($account -split ":")[1]) -replace "\s+",""                        

    if($account -notmatch $notmatch) {                        

        if($i.Message | Select-String -Pattern "Logon Type:\s+[2]") {
        $logontype = "Interactive" }
        if($i.Message | Select-String -Pattern "Logon Type:\s+[3]") {
        $logontype = "Network" }
        if($i.Message | Select-String -Pattern "Logon Type:\s+[7]") {
        $logontype = "Computer Unlocked" }                        

   $user = $account
   $Date = $i.TimeCreated
   $obj = New-Object PSObject -Property @{
       User = $user
       Date = $Date
       LogonType = $LogonType
       }            

  $Global:Users += $Obj                        

       }
    }                        

 write-output $Global:Users | Select User,Date,LogonType |
             Sort Date -Descending | Format-Table -Auto
}                        

Query-SecurityLog -MaxEvents 1000

The output of Query-SecurityLog  is:

(Get-Eventlog -List | Select -First 1).Gettype() | FT -auto
(Get-WinEvent -Listlog Application).Gettype() | FT -auto

Both produce different objects, Eventlog and EventLogConfiguration.  The output of these objects is associated with a powershell formating file (.ps1xml) which defines the properties they will display.

The example below shows the output as it pertains to Get-Eventlog and Get-Winevent.

(Get-Eventlog -List | Select -First 1)
(Get-WinEvent -Listlog Application)

Although they both reference the same event log (Application) they are configured to display different properties, even though some of them reference the same values, like Log and LogName or Entries and RecordCount.

I then was curious which formatting files were associate with each object type, so I decided to view which .ps1xml files existed and ran the following command to browse the $pshome directory and filter for only *.ps1xml files.

dir $pshome\* -include *.ps1xml

My next step was to parse these files using Select-String  for references to the object types (Eventlog and EventLogConfiguration) but decided that the process should be automated and created a function that would create a custom object with the properties of my choosing.   This would also be useful to demo for the workshop I’m putting together called “Using Powershell to View Events and Event Logs” (not sure I did the title so it may change shortly).

Anyway, the result of all this was the creation of the Get-EventLogBaseObjects function.

Function Get-EventLogBaseObjects {
 $Array = "Get-EventLog","Get-WinEvent"
 $global:newarray =@()                                                

     Switch ($Array) {                                                

 "Get-Eventlog" {
    $GetEventLog = (get-eventlog -list | Select -first 1).gettype()
    $XMLFile = Select-String -Path $PSHOME\*.ps1xml -Pattern $GetEventlog |
        Select -First 1
    $Obj = New-Object PSObject -Property @{
            Cmdlet = "Get-Eventlog"
            SystemType = $GetEventLog.UnderlyingSystemType
            XMLFile = $XMLFile.filename
            }
    $global:newarray += $obj
    }                                    

 "Get-WinEvent" {
    $GetWinEvent = (Get-WinEvent -Listlog Application).gettype()
    $XMLFile = Select-String -Path $PSHOME\*.ps1xml -Pattern $GetWinEvent |
        Select -First 1
    $Obj = New-Object PSObject -Property @{
            Cmdlet = "Get-WinEvent"
            SystemType = $GetWinEvent.UnderlyingSystemType
            XMLFile = $XMLFile.filename
            }
    $global:newarray += $obj
     }
 }
 write-output $global:NewArray | Select Cmdlet,SytemType,XMLFile |
        Format-Table -AutoSize
}                        

Get-EventLogBaseObjects

So upon doing a google search I came across the following article PowerShell Deep Dive: Using $MyInvocation by Kirk Munro which went into great detail on how to use the $MyInvocation variable to make a similiar distinction.  From that article I came up with  the following script to demo $MyInvocation.  It includes 4 functions.  The one that anaylzes the pipeline input is Out-Name.   Here is the script…

Function Get-Svc {
      Get-Service | select -First 2
    }
Function Get-Proc {
      Get-Process | Select -First 2
    }
Function Get-File {
      GCI c:\ | Select -First 2
    }            

Function Out-Name {
    param($name)            

    Begin {
       $global:Invocation = $MyInvocation.line
    }            

    Process{
       if( $global:Invocation -match "Get-Svc" ) {
       $_.name
       }
       Elseif ( $global:Invocation -match "Get-Proc" ) {
       $_.vm
       }
       Else { Write-Host "Get-Svc was not used" }
    }
  }            

Get-Svc | out-Name
#Get-Proc | out-name
#Get-File | Out-Name

The script was created soley to demo $MyInvocation but could be altered (as with any script) to make it fit your needs.

There are 5 available scopes that can be configured using the policies above and they can viewed by running Get-Executionpolicy -List.

Powershell evaluates the current execution policy based on scope  precedence, with MachinePolicy being the highest and LocalMachine the lowest.   Both MachinePolicy and UserPolicy can only be configured via Group Policy and are located in Computer or Users Configuration\Policies\Administrative Templates\Windows Components\Windows Powershell.   Both GPO scopes can only be configured to use Unrestricted, RemoteSigned and AllSigned which makes them more restricted.  The remaining scopes can take advantage of all policies with Bypass being the most lenient.   By default all scopes are Undefined which set’s the execution policy to Restricted thereby no scripts are allowed to run.   The execution policy can be configured for the current scope by using Set-Executionpolicy which defines the LocalMachine scope.

As you can ssee I’ve changed the default scope to RemoteSigned, which permits local scripts to run but requires scripts downloaded from the Internet to be digitally signed.  It’s possible to change the CurrentUser scope by using the -Scope parameter.  Below I’ve changed the scope for the CurrentUser to Bypass.

This now permits the current user the ability to run all scripts but all other users will need to have remote scripts digitaly signed.   I recently needed to execute a powershell script in the All Programs\Startup folder on a machine that is running the default execution policy of Restricted.   This was possible by creating a .bat file that included the following line of code:

Powershell -executionpolicy bypass -file “C:\test\install.ps1″

This runs the in the Process scope and affects only the current Powershell session.  The execution policy is stored in the $PSExecutionPolicyPreference Environmental variable.  This value is deleted when the session in which the policy is set is closed.

I  tried to use functions to perform these tasks which I then had the students dot source (. ./name.ps1) to import then into the current Powershell console.   The functions included Help and Examples which could be copied\pasted for ease of use.   Most of the code was “on point” but there were a few syntax errors I missed along the way, which have now been resolved.

Below is the “Server Migration” script.

Function Migrate-ServerSettings {

<#

.SYNOPSIS

The Migrate-ServerSettings function was created to export\import the DHCP service\configurations using the

“Microsoft Windows Server Migration Tools”.  It queries the existence of several required components and

installs then if needed.  It performs the following

            1.  Queries Get-Command for “Get-Windowsfeature” and if not found runs “Import-Module ServerManager”

            2.  Queries Get-Windowsfeature for “Migration” and if not found runs “Add-WindowsFeature Migration”

            3.  Queries Get-Pssnapin for “Microsoft.Windows.Servermanager.Migration” and if not found runs “Add-PSSnapinMicrosoft.Windows.Servermanager.Migration”

            4.  Queries the DHCPServer service and stops the service if running

            5.  Evaluates $Migrate variable and if value is export runs “Export-SmigServerSetting”.  If value is import runs “Import-SmigServerSetting”

I’ve included some Write-Debug lines to troubleshoot any issue with the $service variable as the paramater value you will use is

DHCP, but the service name is DHCPServer.  The script would have to be adjusted to accomodate other services.

.EXAMPLE

Migrate-ServerSettings -Service DHCP -Path “\\NYC-DC1.contoso.com\export” -Migrate Export

.EXAMPLE

Migrate-ServerSettings -Service DHCP -Path “\\NYC-DC1.contoso.com\export” -Migrate Import

#>

Param(

    [string]$Service,

    [string]$Path,

    [string]$migrate

    )

if(!(get-command * | where{$_.name -eq “get-windowsfeature”})) {

    write-host “`nServerManager Module being installed`n” -Fore Yellow

    import-module servermanager} else {

        write-host “`nServerManager Module already installed`n” -fore Green

        }

if(!(get-windowsfeature -name Migration).installed -eq “False”) {

    write-host “Installing Feature ‘Windows Server Migration Tools`n” -Fore Yellow

    add-windowsfeature Migration} else {

        write-host “Windows Server Migration Tools Already Installed`n” -fore Green

        }

if(!(get-pssnapin | where{$_.name -like “*Migration*”})) {

    write-host “Importing Microsoft.WIndows.ServerManager.Migration Snapin`n” -fore Yellow

    Add-PSSnapin Microsoft.Windows.ServerManager.Migration} else {

        write-host “Microsoft.WIndows.ServerManager.Migration Snapin Already Imported`n” -fore Green

        }

$svc = $service + “server”

if(get-service | where{$_.name -like “$svc”}) {

    if ((get-service $svc).status -eq “Running”) {stop-service $svc -force}

    }

write-debug “‘$service is $service”

if($migrate -eq “export”) { Export-SmigServerSetting -featureID $Service -path $path -Verbose

    } else { Import-SmigServerSetting -featureID $Service -path $path -Verbose }

     } #end function

Let’s take a look at the available modules for import on this machine.

Get-Module -ListAvailable

 
The box I’m running is Server 2008R2 and on a default install includes only 7 modules (or there about). I’ve installed the additional tools such as PSCX and the MSDN  PowershellPack , both of which have added extended the default list of modules.

When Powerhsell starts, it looks for the existence of 4 specific profiles and runs them in the following order with the end result being a sum total of all existing profile settings, unless there is a conflict and then the more specific profile setting takes precednece.

1. All Users, All Hosts
2. All Users – Powershell or ISE (depending which one is being used)
3. Current User, All Hosts
4. Current User – Powershell or ISE (depending which one is being used)

Profiles don’t exist by default and must be created and thier location is defined in the $Profile variable.  I’ve created the below code to select only the Name and Path for the profiles.

$Profile | Get-Member |?{$_.membertype -eq “note*”} | Select  name,@{label=”Path”;e={$_.definition -replace  “^.+=”,”"| Format-Table -autosize

The potential that lies in loading preconfigured profiles is endless and as a small example I’ve decided to create a Active Directory Logon Script that will determine if the CurrentUserCurrentHost profile exists and if not, will create it, and then continue to populate it with a simple function called Get-WMIClass.

If (!( Test-Path $Profile )) {
New-Item $Profile  -Type  File  -Force
} Else  {
$A  =  Get-Content  $Profile }

If (!( $A -Like  "*Get-WMIClass*"  ))  {
 $Content = @(
 "Function GET-WMIClass {"
 '$NS="Root\CIMV2"'
 '$Class=$args[0]'
 'Get-WMIObject -Namespace $NS -Class $Class'
 "}"
 )
 $Content | Add-Content $Profile -Encoding  UTF8
}

• Base Configuration
• Demonstrate DirectAccess

The DirectAccess lab required that the Base Configuration be setup first and considering that both labs were time consuming and, at times remedial, I decided to make the process more streamlined and automated by using Powershell to create a script ( for complete automation ) which I could  then convert into a module ( for a more step by step approach ).  I’m still in the begining phase of automating the Base Configuration but I’ve already created a few functions, one of which will turn a standalone server into the first Domain Controller for the Corp.Contoso.Com domain. 

I’ve tested it out serveral times using Hyerp-V and snapshots (another time saver) and it works perfectly.   I was going to include the unattend.txt file separately along with script but decided to have the function create it so that the function could be used independently and would be less prone to error.

One of the neat things about Powershell is that it creates a set of PSDrives that allow the browsing of different data types using the same set of commands as though they were directories.  The PSDrives  on my machine are the following:

Get-PSDrive | Format-Table  -Auto

The psdrives displayed will have a corresponding Provider that exposes it’s data store and can be viewed using Get-PSProvider. 

Get-PSProvider | Format-Table  -Auto

Since Powershell includes a set of cmdlets that are designed to manage items in a data store we can enter a PSDrive using Set-Location, and display it’s contents using Get-ChildItem.   The HKLM registry hive is what needs to be edited, specifically HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters so let’s move into that key.   What you will notice is that  the “directories” (in this case Keys) are condensed, something specific to the Registry provider.

In order to see the actual data types in the Parameters key, “Get-ItemProperty . “must be used.  The dot represents the current directory.  I’ve also highlighted the DWORD value that needs to be created if it doesn’t exist and if so, then it’s value must be set to zero (0). 

Get-ItemProperty .

Below is the final script.   It’s simple and a rough cut, something I will fine tune in the next post.

Get-WmiObject Win32_Share | Format-Table -AutoSize

I’ve used the Format-Table cmdlet with the –Autosize parameter to automatically adjust the column size based on the width of the data.  Otherwise it would look something like this.

The machine I’m working with has several partitions, all of which are being shared, and although they are hidden ($) which means they will not be enumerated over the network by remote machines via My Network Places (XP) or Network (Vista\7), they are just as accessible as any other share I would have manually made available.  This doesn’t mean just anyone has permissions to access them as they are being protected by NTFS\Share permissions as well as the Windows Firewall.   This does mean that if one machine’s adminstrator account is compromised then it’s possible that all machines are vulnerable.  Best security practices state that all unneeded services, shares, etc be disabled\turned off to prevent such attacks.    That being the case I’ve decided to write a script that will  remove only the administrative disk shares and then keep them turned off. 

In order to do this I needed first to determine what property value is used to distinguish an administrative disk share from one manually created. I decided to select the first available share ($Admin) and then view all available membertypes, which will include Methods, Properties, PropertySets and ScriptMethods. 

Get-WmiObject Win32_Share | Select-Object -First 1 | Get-Member

Another way to view the membertypes of a specific object (in this case the Admin$ share)  is to use a Where-Object match expression and then to pipe the results to Get-Member to filter for properties only.

$Obj = Get-WmiObject Win32_Share | Where-Object { $_.Name -eq "Admin$" }
$Obj | Get-Member -MemberType Property

All shares are classified based on a “Type” property.    The below chart is used to categorize all possible shares and shared devices. 

• 1    Print Share
• 2    Device Share
• 3    IPC Share
• 2147483648    Administrative Disk Share
• 2147483649    Administrative Print Share
• 2147483650     Administrative Device Share
• 2147483651    Administrative IPC Share

In order to verify the value assigned to the Admin$ share we could use either of the following.

Get-WmiObject Win32_Share | ? {$_.Name -eq "Admin$"} | Select Name,Type |
Format-Table -AutoSize            

(Get-WmiObject Win32_Share | Where-Object {$_.Name -eq "Admin$"}).Type

Just to keep things simple I’ve decided to use the second example which is more specific

Now that I’ve confirmed the value of the Admin$ disk share I can create a filter to look for all administrative disk shares (those ending with 48), assign the results to a variable ($Share), use the Foreach construct to loop through all elements in the associative array and then invoke the Delete method to remove them.  

$Share = Get-WmiObject Win32_Share | Where-Object { $_.Type -like "*48*" }
Foreach ( $i in $Share ) {
    $I.Delete()
    }

Although this accomplishes the task at hand it’s only temporary.  When the machine is rebooted the Server service will reshare all of them once again.  In order to prevent this the registry needs to edited to include a new DWORD, something I will demo in the next artictle

The Offensive Security Certified Professional (OSCP) is a unique and industry leading IT Security Certification that tests real world skills in the penetration testing field. No multiple choice questions, no theoretical fluff – The student will be expected to dive into an unknown network, craft custom tailored exploits, find security flaws, and exploit weaknesses within the architecture in order to pass the certification process. Students who successfully complete the Offensive Security PWB Penetration Testing Training certification challenge receive the OSCP certification. Penetration Testing with BackTrack simulates a full penetration test from start to finish by injecting the student into a rich, diverse and vulnerable network environment. Pre-Requisites

The online class consists of a series of downloaded videos, lab book, lab guide(PDF), sample Pentest Report and an online lab environment that includes clients and servers divided into 4 networks.   I also opted to download a customized version of Backtrack for VMWare to use during the labs.  I have 30 days to work through the material, document my findings and then 24hrs to complete the certification challenge.   I will post my progress and challenges as I progess through the course.