Author Posts

August 22, 2017 at 12:24 pm

The only thing I have changed in this script is where the output file goes to; everything else is the same. When I run the script in ISE I get a weird error about Get-WinEvent not working; however, when I run it from the shell or as a scheduled task it works fine.

When I run the script from the shell, the file outputs with the UPN, IP and time. When I run it as a scheduled task, the file outputs with UPN and IP but no time. I have the scheduled task running as SYSTEM and running with highest privileges. If I run the scheduled task as my domain admin account (obviously a no-no, but this was for testing purposes) it outputs with time. Any ideas on how to get it to run as SYSTEM and get time? Or do I need to create a service account to do this? (My least favorable option, as my security team is going to be a pain in the ass about it.)

PARAM ($PastDays = 1, $PastHours)
#************************************************
# ADFSBadCredsSearch.ps1
# Version 1.0
# Date: 6-20-2016
# Author: Tim Springston [MSFT]
# Description: This script will parse the ADFS server's (not proxy) Security event log
#  for events which indicate an incorrectly entered username or password. The script can specify a
#  past period to search the log for and it defaults to the past 24 hours. Results will be placed into a CSV for
#  review of UPN, IP address of submitter, and timestamp.
#************************************************
$dToday = Get-Date -Format "MM-dd-yyyy"
cls
if ($PastHours -gt 0)
	{$PastPeriod = (Get-Date).AddHours(-($PastHours))}
	else
		{$PastPeriod = (Get-Date).AddDays(-($PastDays))}
# Output goes to the file share; the same variable is used for the write and for the final message
$Outputfile = "\\fileserver\" + $dToday + "_adfslogs.csv"
$CS = Get-WmiObject -Class Win32_ComputerSystem
$Hostname = $CS.Name + '.' + $CS.Domain
$Instances = @{}
$OSVersion = Get-WmiObject Win32_OperatingSystem
[int]$BN = $OSVersion.BuildNumber
# Build 9200 = Windows Server 2012; older builds run AD FS 2.0, whose log has a different name
if ($BN -lt 9200){$ADFSLogName = "AD FS 2.0/Admin"}
	else {$ADFSLogName = "AD FS/Admin"}

$Users = @()
$IPAddresses = @()
$Times = @()
$AllInstances = @()
Write-Host "Searching event log for bad credential events..."
# Security event 411 = token validation failed; the message filter keeps only the bad username/password cases.
# Only builds >= 9200 are searched, so nothing is collected on an AD FS 2.0 host.
if ($BN -ge 9200) {Get-WinEvent -FilterHashTable @{LogName="Security"; StartTime=$PastPeriod; ID=411} -ErrorAction SilentlyContinue | Where-Object {$_.Message -match "The user name or password is incorrect"} | ForEach-Object {
	$Instance = New-Object PSObject
	$UPN = $_.Properties[2].Value
	$UPN = $UPN.Split("-")[0]
	$IPAddress = $_.Properties[4].Value
	$Users += $UPN
	$IPAddresses += $IPAddress
	$Times += $_.TimeCreated
	Add-Member -InputObject $Instance -MemberType NoteProperty -Name "UserPrincipalName" -Value $UPN
	Add-Member -InputObject $Instance -MemberType NoteProperty -Name "IP Address" -Value $IPAddress
	Add-Member -InputObject $Instance -MemberType NoteProperty -Name "Time" -Value ($_.TimeCreated).ToString()
	$AllInstances += $Instance
	$Instance = $null
	}
}

# Export-Csv writes every property as a delimited column. Out-File would only save the Format-Table
# rendering at the host's line width (80 characters by default for the console host), which is not CSV.
$AllInstances | Select-Object * | Export-Csv -Path $Outputfile -NoTypeInformation
Write-Host "Data collection finished. The output file can be found at $Outputfile`."
$AllInstances = $null
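Added example, not part of the original post and not Tim Springston's script. It runs the same parse step as the script above on constructed, in-memory records (no event log is read, so it works offline), then writes the result both with Out-File and with Export-Csv so the two files can be compared side by side. Assumptions: the property positions (Properties[2] = user, Properties[4] = client IP) and the split on "-" are taken from the script as posted, and the -Width 80 on Out-File mimics the console host's default line width (the Out-File documentation gives 80 characters as the console default). Whether that width difference is what separates the SYSTEM and domain-admin runs in this thread is a hypothesis to check, not something the thread establishes; Export-Csv does not depend on any width, which is why it is the safer writer for a .csv file either way.

```powershell
# Added example; not from the original post or Tim Springston's script.
# Parses constructed event-shaped objects and compares Out-File with Export-Csv.

function ConvertTo-BadCredRecord {
    # Flattens one Get-WinEvent-shaped record into the three columns the script exports.
    # Property positions assumed from the script above: [2] = user, [4] = client IP.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $props = @($Record.Properties)
        $user  = if ($props.Count -gt 2) { [string]$props[2].Value } else { $null }
        $ip    = if ($props.Count -gt 4) { [string]$props[4].Value } else { $null }
        if ($user) { $user = $user.Split('-')[0] }   # same trimming as the script
        [pscustomobject]@{
            UserPrincipalName = $user
            'IP Address'      = $ip
            # ISO 8601 round-trip format: sortable and culture-independent, unlike .ToString()
            Time              = ([datetime]$Record.TimeCreated).ToString('o')
        }
    }
}

function New-FakeEvent {
    # Constructed stand-in for an event record; only the members the converter touches exist.
    param([string]$User, [string]$Ip, [datetime]$When)
    $props = 0..4 | ForEach-Object { [pscustomobject]@{ Value = $null } }
    $props[2].Value = $User
    $props[4].Value = $Ip
    [pscustomobject]@{ Properties = $props; TimeCreated = $When }
}

# Constructed sample data (not real log content); the third UPN carries a "-suffix" to show the split
$sampleEvents = @(
    New-FakeEvent -User 'alice@corp.example.com'              -Ip '203.0.113.45' -When '2017-08-22T12:24:00'
    New-FakeEvent -User 'bob.longname@subsidiary.example.com' -Ip '198.51.100.7' -When '2017-08-22T12:25:30'
    New-FakeEvent -User 'carol@corp.example.com-extra'        -Ip '192.0.2.200'  -When '2017-08-22T12:26:10'
)
$records = $sampleEvents | ConvertTo-BadCredRecord

$tablePath = Join-Path $env:TEMP 'badcreds_outfile.txt'
$csvPath   = Join-Path $env:TEMP 'badcreds_export.csv'

# Out-File saves whatever Format-Table renders, at the host's line width. -Width 80 pins the
# console default so the file looks the same with or without a wide interactive window.
$records | Out-File -FilePath $tablePath -Width 80

# Export-Csv writes one quoted, delimited column per property, independent of any width.
$records | Export-Csv -Path $csvPath -NoTypeInformation

'--- Out-File -Width 80 (Format-Table text) ---'
Get-Content $tablePath
'--- Export-Csv ---'
Get-Content $csvPath

# Round-trip check: all three columns must survive in the CSV
$back    = Import-Csv $csvPath
$missing = @('UserPrincipalName', 'IP Address', 'Time') |
    Where-Object { $_ -notin $back[0].PSObject.Properties.Name }
if ($missing) { throw "Columns lost on export: $($missing -join ', ')" }
"Exported $($back.Count) rows; all columns present."
```

Run it interactively first, then as the same scheduled task that produced the truncated file; if the Out-File text loses the Time column under SYSTEM while the CSV keeps it, the account is not the problem, the renderer is.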

August 28, 2017 at 3:45 pm

I'm guessing the account can't read that field. Seems a bit odd, though. Do you have that problem – just for testing – with any of the other date/time fields in the event record?