
セキュリティログから PowerShell でログオン履歴を抽出する


Windows のセキュリティログには、コンピューターへのログオン情報が記録されているので、ログオン履歴を抽出し、ログオンの監査をすることができます。

ログオン時刻/ログオン成功失敗/ユーザーID/接続元 IP/ログオンタイプを抽出する関数を作ってみました。
(セキュリティログを全件走査するので結構時間がかかります)

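### ハッシュテーブル
# ログオンタイプ (4624/4625 の LogonType フィールドの値 → 名称)
# キーは [int] なので、引く側で LogonType を [int] にキャストしてから引くこと。
# 0 (System) / 12 / 13 は Windows の監査ドキュメントに記載のあるタイプで、
# 元の表には無かったため "unknown" 扱いになっていたものを追加。
$LogonTypeHash = @{
    0   = "System"
    2   = "Interactive"
    3   = "ネットワーク"
    4   = "Batch"
    5   = "サービス"
    7   = "ロック解除"
    8   = "Network Cleartext"
    9   = "New Credentials"
    10  = "RDP"
    11  = "Cached Interactive"
    12  = "Cached Remote Interactive"
    13  = "Cached Unlock"
}

# ステータスコード (4625 の Status / SubStatus フィールドの値 → 説明)
# キーは文字列。PowerShell のハッシュテーブルは文字列キーの大文字小文字を区別しないので、
# イベント XML 側の表記 (0xC000006D / 0xc000006d) の違いは吸収される。
# 4624 (成功) には Status が無いので、引く側で "0x0" を補って "Status OK." に落とす。
# Status が 0xc000006d (ユーザー名またはパスワード不正) のときは、より具体的な理由が
# SubStatus 側 (0xc0000064: ユーザー名不正 / 0xc000006a: パスワード不正 など) に入る。
$StatusCodeHash = @{
    "0xc000005e" = "There are currently no logon servers available to service the logon request."
    "0xc0000064" = "User logon with misspelled or bad user account"
    "0xc000006a" = "User logon with misspelled or bad password"
    "0xc000006d" = "This is either due to a bad username or authentication information"
    "0xc000006e" = "Unknown user name or bad password."
    "0xc000006f" = "User logon outside authorized hours"
    "0xc0000070" = "User logon from unauthorized workstation"
    "0xc0000071" = "User logon with expired password"
    "0xc0000072" = "User logon to account disabled by administrator"
    "0xc00000dc" = "Indicates the Sam Server was in the wrong state to perform the desired operation."
    "0xc0000133" = "Clocks between DC and other computer too far out of sync"
    "0xc000015b" = "The user has not been granted the requested logon type (aka logon right) at this machine"
    "0xc000018c" = "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
    "0xc0000192" = "An attempt was made to logon, but the Netlogon service was not started."
    "0xc0000193" = "User logon with expired account"
    "0xc0000224" = "User is required to change password at next logon"
    "0xc0000225" = "Evidently a bug in Windows and not a risk"
    "0xc0000234" = "User logon with account locked"
    "0xc00002ee" = "Failure Reason: An Error occurred during Logon"
    "0xc0000413" = "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
    "0x0" = "Status OK."
}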


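################################################
# ログオン履歴取得
################################################
# イベント XML の EventData から、Name 属性が $Name の <Data> 要素の値を返す
#   $EventXml : [XML]$LogonEvent.ToXml() の結果
#   $Name     : Data 要素の Name 属性 (TargetUserName など)
#   戻り値    : 要素の '#text'。該当要素がなければ $null
function GetEventDataValue($EventXml, $Name){
    $Data = $EventXml.Event.EventData.Data | ? {$_.Name -eq $Name}
    if($null -eq $Data){
        return $null
    }
    return $Data.'#text'
}

# ステータスコード (Status / SubStatus) を $StatusCodeHash で説明文に変換する
#   $Code  : "0xc000006d" のような文字列
#   戻り値 : 説明文。表に無いコードは "unknown"
function GetStatusName($Code){
    if($StatusCodeHash.ContainsKey($Code)){
        return $StatusCodeHash[$Code]
    }
    return "unknown"
}

# Security ログから 4624 (ログオン成功) / 4625 (ログオン失敗) を抽出し、
# 1 イベント = 1 オブジェクトのログオン履歴を返す
#   引数   : なし
#   戻り値 : EventTime, Success, LogonUser, Domain, LogonTypeCode, LogonTypeName,
#            IpAddress, StatusCode, StatusName, SubStatusCode, SubStatusName を持つ
#            PSObject の配列 (該当イベントが無ければ空)
#   前提   : Security ログの読み取り権限 (管理者または Event Log Readers)。
#            権限不足時の Get-WinEvent のエラーは意図的に抑止していない。
#   注意   : 4625 の LogonUser / Domain / IpAddress は接続元が送ってきた文字列が
#            そのまま入る (存在しないユーザー名なども含む) ので、検証済みの値として
#            扱わず、表示・集計用途にとどめること。
function GetLogonHistry(){

    # ログオン成功
    $LogonSuccess = 4624

    # ログオン失敗
    $LogonFail = 4625

    # ログオンイベントの抽出
    # -FilterHashtable でイベントログ側で ID を絞り込む
    # (全件取得してから ? で絞るより大幅に速い。該当 0 件なら空配列になる)
    $LogonEvents = @(Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = $LogonSuccess, $LogonFail})

    # ログオン履歴
    # (@() への += は毎回配列をコピーするのでイベント数の 2 乗で遅くなる。ArrayList に追加する)
    $LogonHistry = New-Object System.Collections.ArrayList

    foreach( $LogonEvent in $LogonEvents ){
        $LogonStatus = New-Object PSObject | Select-Object `
                                                            EventTime,      # ログオン時刻
                                                            Success,        # ログオン成功?
                                                            LogonUser,      # ユーザー
                                                            Domain,         # ドメイン
                                                            LogonTypeCode,  # ログオンタイプ コード
                                                            LogonTypeName,  # ログオンタイプ名
                                                            IpAddress,      # IP アドレス
                                                            StatusCode,     # ステータス
                                                            StatusName,     # ステータス内容
                                                            SubStatusCode,  # サブステータス
                                                            SubStatusName   # サブステータス内容

        # ログオン時刻
        $LogonStatus.EventTime = $LogonEvent.TimeCreated

        # ログオン成功? (4624 なら $true、4625 なら $false)
        $LogonStatus.Success = ($LogonEvent.Id -eq $LogonSuccess)

        # EventData は XML に変換してから Name 属性で引く
        $LogonEventXml = [XML]$LogonEvent.ToXml()

        # ログオンユーザー / ドメイン / 接続元 IP
        # (ローカルログオンなど接続元が無い場合、IpAddress は "-" になることがある)
        $LogonStatus.LogonUser = GetEventDataValue $LogonEventXml "TargetUserName"
        $LogonStatus.Domain    = GetEventDataValue $LogonEventXml "TargetDomainName"
        $LogonStatus.IpAddress = GetEventDataValue $LogonEventXml "IpAddress"

        # ログオンタイプ ($LogonTypeHash のキーが [int] なのでキャストしてから引く)
        [int]$LogonType = GetEventDataValue $LogonEventXml "LogonType"
        $LogonStatus.LogonTypeCode = $LogonType
        if($LogonTypeHash.ContainsKey($LogonType)){
            $LogonStatus.LogonTypeName = $LogonTypeHash[$LogonType]
        }
        else{
            $LogonStatus.LogonTypeName = "unknown"
        }

        # ステータス
        # 4624 には Status / SubStatus が無いので "0x0" (Status OK.) を補う
        $MainStatusCode = GetEventDataValue $LogonEventXml "Status"
        if($null -eq $MainStatusCode){
            $MainStatusCode = "0x0"
        }
        $LogonStatus.StatusCode = $MainStatusCode
        $LogonStatus.StatusName = GetStatusName $MainStatusCode

        # サブステータス
        # (元のコードは未知のサブステータスで StatusName 側を上書きしていたので SubStatusName に修正)
        $SubStatusCode = GetEventDataValue $LogonEventXml "SubStatus"
        if($null -eq $SubStatusCode){
            $SubStatusCode = "0x0"
        }
        $LogonStatus.SubStatusCode = $SubStatusCode
        $LogonStatus.SubStatusName = GetStatusName $SubStatusCode

        [void]$LogonHistry.Add($LogonStatus)
    }

    return $LogonHistry.ToArray()
}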

 

参考情報

関数を PowerShell プロンプトで実行する
http://www.vwnet.jp/Windows/PowerShell/2016100401/UseFunctionInPsPrompt.htm

Audit Logon | Microsoft Docs
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn319080(v=ws.11)

4625(F) An account failed to log on. (Windows 10) | Microsoft Docs
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

ログオンの監査(ログオンイベント ID 説明) : 旧ドキュメント
https://technet.microsoft.com/ja-jp/library/dn319080(v=ws.11).aspx

ログオン イベントの監査(ログオンタイプ説明) : 旧ドキュメント
https://technet.microsoft.com/ja-jp/library/mt634186(v=vs.85).aspx

 


Copyright © MURA All rights reserved.