;4624 - Windows Security event ID: an account was successfully logged on
;4672 - Windows Security event ID: special privileges assigned to a new logon
;4647 - Windows Security event ID: user-initiated logoff
4 | #Region ;**** Directives created by AutoIt3Wrapper_GUI **** |
5 | #AutoIt3Wrapper_Version=beta |
6 | #AutoIt3Wrapper_icon=pebkac.ico |
7 | #AutoIt3Wrapper_Change2CUI=y |
8 | #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** |
9 | ;Irongeek's sloppy code for the PEBKAC Attack on the Windows Security Event Log, http://irongeek.com |
10 | #include <EventLog.au3> |
11 | #include <String.au3> |
12 | #include <array.au3> |
; Script entry point: dump the event log and exit (see _Main below).
_Main()
14 | |
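Func _Main()
    ; Opens the event log named below -- on the local machine, or on the host
    ; given as the first command-line argument -- and writes every field of
    ; every record to the console.  Flow: open, count, read sequentially, close.
    Local $sBox = ""
    Local $hEventLog, $iOpenError, $iCount, $aEvent, $i, $j

    ConsoleWrite("Irongeek's PEBKAC Attack on the Windows Security Event Log ver .1" & @CRLF)

    ; Optional first argument names the machine whose log is read; an empty
    ; string means the local machine.
    If $CmdLine[0] > 0 Then
        $sBox = $CmdLine[1]
        ConsoleWrite("Working on " & $sBox & "..." & @CRLF)
    EndIf

    ; NOTE(review): the banner and the 4624/4672/4647 IDs refer to the Security
    ; log, but "System" is what is opened here -- confirm which log is intended.
    $hEventLog = _EventLog__Open($sBox, "System")
    $iOpenError = @error   ; capture before any other call can reset it
    ;$hEventLog = _EventLog__OpenBackup("", "c:\WINDOWS\system32\config\security")
    ; A zero handle means the open failed (no rights, bad host, unknown log);
    ; the original code carried on and read from an invalid handle.
    If $hEventLog = 0 Then
        ConsoleWrite("Unable to open the event log on '" & $sBox & "' (error " & $iOpenError & ")" & @CRLF)
        Return
    EndIf

    $iCount = _EventLog__Count($hEventLog)
    ; The original used a MsgBox here, which blocks a console (Change2CUI) build.
    ConsoleWrite("Records in log: " & $iCount & @CRLF)

    ; Iterate through log.  Each _EventLog__Read call with default arguments
    ; returns the next record, so exactly $iCount reads are needed; the original
    ; "0 To $x" loop performed one read past the end.
    For $i = 1 To $iCount
        $aEvent = _EventLog__Read($hEventLog)
        ; Element [0] is the success flag.  Indexing the other elements after a
        ; failed read would abort the script with an array-bounds error.
        If Not $aEvent[0] Then
            ConsoleWrite("Read failed at record " & $i & " (error " & @error & ")" & @CRLF)
            ExitLoop
        EndIf
        ;If $aEvent[6] = "4624" Then
        ; Print every element the UDF returned instead of a hard-coded 0..14.
        For $j = 0 To UBound($aEvent) - 1
            ConsoleWrite($j & ": " & $aEvent[$j] & @CRLF)
        Next
        ;$gooduser = GrabUsername($aEvent[13])
        ;ConsoleWrite("Successful Login (" & $aEvent[1] & "): " & $gooduser & @CRLF)
        ;EndIf
    Next
    _EventLog__Close($hEventLog)
EndFunc   ;==>_Main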
45 | |
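Func GrabUsername($eventdescription)
    ; Extracts the value that follows the first "User Name:" label in an
    ; event description (the text between the label and the next carriage
    ; return).
    ; $eventdescription - description text of one event log record
    ; Returns the user name with leading and trailing whitespace removed.
    ; Returns "" and sets @error = 1 when no "User Name:" line is present;
    ; the original fell off the end of the function in that case.
    Local $aArray = _StringBetween($eventdescription, "User Name:", @CR)
    If Not IsArray($aArray) Then Return SetError(1, 0, "")
    ; Flag 3 = strip leading (1) and trailing (2) whitespace; the original
    ; stripped leading only, leaving a trailing tab or space in the result.
    Return StringStripWS($aArray[0], 3)
EndFunc   ;==>GrabUsername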