Use powershell script against password hacking over OWA

At my previous company, Exchange OWA was not published to the internet, so this post describes my first encounter with an attacker trying to guess Active Directory passwords at my new company. Based on that, I wrote a PowerShell script that runs on each CAS server, uses 4625 events to identify the attacker's source IP, and blocks it.

The environment is Windows 2012 and Exchange 2013.

First of all, some points need to be noted:

Normally there is more than one CAS server in a production Exchange environment, so the script must be set up on each of them.

The event ID is 4625; its message contains the source IP address and the account name.

You probably need to enable auditing first; otherwise no 4625 events will be logged.

Here is the procedure:

Once the script is triggered, it collects Security log events from the past 10 minutes and keeps only the 4625 events. For each event it parses the event's XML data to get the source IP and the target AD account, and stores them in a hash table with the IP as the key and the AD accounts as the value. Finally, it loops over every IP address in the hash table, blocks any that exceed the defined thresholds, and sends a warning email to the admins.

#Enter the script's parent directory
Set-Location (Get-Item ($MyInvocation.MyCommand.Definition)).DirectoryName

#How many minutes back the script should look in the logs
$MinutesToBack = 10

$Date = Get-Date
$strDate = $Date.ToString('yyyy-MM-dd')

$End_time = $Date
$Start_time = $Date.AddMinutes(-$MinutesToBack)

#Two log files; the script only mails the log content for the past 10 minutes
$strLogFile = "${strDate}.txt"
$strLogFile_e = "${strDate}_e.txt"

Set-Content -Path $strLogFile_e -Value $null

#FW_WhiteList.txt is the IP whitelist; there are always some exceptions
$WhiteList = @(Get-Content -Path 'FW_WhiteList.txt' -ErrorAction:SilentlyContinue)
#Thresholds for adding an IP to the firewall: 50 means total failed authentications, 10 means distinct AD accounts; if one IP address exceeds both values it goes into the firewall (except those in the whitelist)
$t_4625_fw = @(50, 10)
#email sending part
$Mail_From = "$($env:COMPUTERNAME)@xxxx.yyyy"
$Mail_To = '[email protected]', '[email protected]'
$Mail_Subject = 'warning email subject'

$Mail_SMTPServer = 'SMTP server address'

The script is based on 4625 events, so I just hardcoded 4625 in the script.

PS: Why use Get-WinEvent here? Because it has a method to get the XML data of an event, so I don't need to care about locale/language, etc.

#logging some information (Add-Log is the script's own logging helper, not shown in this post)
Add-Log -Path $strLogFile_e -Value "Catch logs after : $($Start_time.ToString('HH:mm:ss'))" -Type Info
Add-Log -Path $strLogFile_e -Value "Catch logs before: $($End_time.ToString('HH:mm:ss'))" -Type Info

#get logs from the past defined minutes
$4625 = @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625; StartTime = $Start_time; EndTime = $End_time;} -ErrorAction:SilentlyContinue)
#output the number of 4625 events
Add-Log -Path $strLogFile_e -Value "Total 4625 logs count : [$($4625.Count)]" -Type Info

Loop over each event, convert it to XML, get the IP and AD account name, and store them in the hash table:

# http://schemas.microsoft.com/win/2004/08/events/event
# index 5 = TargetUserName
# index 19 = IpAddress
$s_4625 = @{}
foreach($e in $4625)
{
    $xmlData = $IP = $Account = $null
    $xmlData = [xml]$e.ToXml()
    $IP = $(
        if($xmlData.Event.EventData.Data[19].'#text' -imatch '^\s*$')
        {
            'NULL'
        }
        else
        {
            $xmlData.Event.EventData.Data[19].'#text'.Trim()
        }
    )
    $Account = $(
        if($xmlData.Event.EventData.Data[5].'#text' -imatch '^\s*$')
        {
            'NULL'
        }
        else
        {
            $xmlData.Event.EventData.Data[5].'#text'.Trim()
        }
    )
    $s_4625.$($IP) += @($Account)
}

Loop over each IP in the hash table, compare it with the predefined thresholds, and add it to the firewall or take some other action:

foreach($IP in $s_4625.Keys)
{
    $tmp = @($s_4625.$IP | Group-Object | Sort-Object Count -Descending)
    Add-Log -Path $strLogFile_e -Value "In past [${MinutesToBack}] minutes [IP][Total][AD Accounts][Top 5]:[$IP][$($s_4625.$IP.Count)][$($tmp.Count)][$($tmp[0..4] | %{$_.Name, $_.Count -join ':'})]" -Type Info
    if($s_4625.$IP.Count -ge $t_4625_fw[0] -and $tmp.Count -ge $t_4625_fw[1])
    {
        $tmp.Name | Add-Content -Path "$IP.log" -Encoding Default
        if($WhiteList -notcontains $IP)
        {
            $Mail = $true
            New-NetFirewallRule -DisplayName "ScriptAuto_$IP" -Profile Any -Action Block -RemoteAddress $IP -Direction Inbound -ErrorAction:SilentlyContinue
            if(!$?)
            {
                Add-Log -Path $strLogFile_e -Value 'Adding to firewall failed, cause:' -Type Error
                Add-Log -Path $strLogFile_e -Value $Error[0] -Type Error
            }
            else
            {
                Add-Log -Path $strLogFile_e -Value "[$IP] added to firewall" -Type Warning
            }
        }
        else
        {
            Add-Log -Path $strLogFile_e -Value "[$IP] is in whitelist" -Type Info
        }
    }
    else
    {
        Add-Log -Path $strLogFile_e -Value "[$IP] did not exceed threshold" -Type Info
    }
}
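As an added example (not the original script), the same two steps with the 4625 Data fields looked up by their Name attribute instead of by position, and the two thresholds plus the whitelist applied to constructed sample events so it can be run offline. The function names and the 198.51.100.x / 192.0.2.x / 203.0.113.x addresses are constructed for illustration.

```powershell
function Get-4625Fields {
    param([xml]$EventXml)
    # Map <Data Name="...">value</Data> to a name -> value table; no positional indexing
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.'#text' }
    $ip   = $fields['IpAddress'];      if ([string]::IsNullOrWhiteSpace($ip))   { $ip   = 'NULL' }
    $acct = $fields['TargetUserName']; if ([string]::IsNullOrWhiteSpace($acct)) { $acct = 'NULL' }
    [pscustomobject]@{ IpAddress = $ip.Trim(); TargetUserName = $acct.Trim() }
}

function Get-IPsToBlock {
    # Same rule as the post: block only when BOTH total failures and distinct accounts exceed
    # their thresholds, and the IP is not whitelisted
    param([string[]]$EventXmlList, [int]$MinFailures = 50, [int]$MinAccounts = 10, [string[]]$WhiteList = @())
    $byIp = @{}
    foreach ($x in $EventXmlList) {
        $f = Get-4625Fields -EventXml ([xml]$x)
        $byIp[$f.IpAddress] += @($f.TargetUserName)
    }
    foreach ($ip in $byIp.Keys) {
        $distinct = @($byIp[$ip] | Sort-Object -Unique)
        $exceeds  = ($byIp[$ip].Count -ge $MinFailures) -and ($distinct.Count -ge $MinAccounts)
        [pscustomobject]@{
            IpAddress = $ip
            Failures  = $byIp[$ip].Count
            Accounts  = $distinct.Count
            Block     = $exceeds -and ($WhiteList -notcontains $ip)
        }
    }
}

function New-Sample4625Xml([string]$Ip, [string]$User) {
    # Constructed minimal 4625 shape (as returned by ToXml()); only the two fields read above
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}

# Constructed sample: a spray across 12 accounts (blocked), one account failing repeatedly
# (a locked-out user or misconfigured device, not blocked), and a whitelisted sprayer (not blocked)
$events  = @()
$events += 1..60 | ForEach-Object { New-Sample4625Xml '198.51.100.7' "user$($_ % 12)" }
$events += 1..60 | ForEach-Object { New-Sample4625Xml '192.0.2.10'   'svc_scanner' }
$events += 1..60 | ForEach-Object { New-Sample4625Xml '203.0.113.1'  "user$($_ % 12)" }

Get-IPsToBlock -EventXmlList $events -WhiteList @('203.0.113.1') | Format-Table -AutoSize
```

Only 198.51.100.7 comes out with Block = True; the single-account source never reaches the distinct-accounts threshold, which is what keeps a locked-out user's device from being firewalled.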

Send out the email notification if necessary:

If($Mail)
{
    try
    {
        Send-MailMessage -From $Mail_From -To $Mail_To -Subject $Mail_Subject -SmtpServer $Mail_SMTPServer -Body ((Get-Content $strLogFile_e -Encoding Default) -join "`t`n") -Encoding utf8
    }
    catch
    {
        Add-Log -Path $strLogFile_e -Value "Failed to send mail, cause: $($Error[0])" -Type Error
    }
}

Get-Content -Path $strLogFile_e | Add-Content -Path $strLogFile
Add-Log -Path $strLogFile_e -Value 'Completed' -Type Info

Triggered by Task Scheduler every 10 minutes, with the thresholds defined according to your environment and experience, it works.

Time: 2024-12-17 12:15:42
