09-21-2023 03:01 AM
Powershell Tools for troubleshooting Window Security Events
WindowsSecEvents
PowerShell functions for querying Morpheus-related Windows Security events while troubleshooting AD Identity Sources.
The functions are available on GitHub in the spottsmorpheus/WindowsSecEvents repository.
To load the script, dot-source the WindowsSecEvents.ps1 file into an elevated PowerShell session:
PS> . .\WindowsSecEvents.ps1
NOTE: to run these PowerShell scripts the account must be an Administrator with access to query the Security event log on the target computer. When querying a Domain Controller's Security log the user will most likely need to be a Domain Admin.
Loading Directly from a GitHub URL
It is possible to load these functions directly from GitHub if your endpoint has an Internet connection. Use the following PowerShell to download the script and install it as a dynamic module directly from the GitHub URL:
$Uri = "https://raw.githubusercontent.com/spottsmorpheus/WindowsSecEvents/main/src/WindowsSecEvents.ps1"
$ProgressPreference = "SilentlyContinue"
# Load PowerShell code from the GitHub URI and invoke it as a temporary module
$Response = Invoke-WebRequest -Uri $Uri -UseBasicParsing
if ($Response.StatusCode -eq 200) {
    $Module = New-Module -Name "WindowsSecEvents" -ScriptBlock ([ScriptBlock]::Create($Response.Content))
}
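The loader above executes whatever the "main" branch serves at the moment you run it. The variant below is an added example, not the project's own loader: it fetches the script from a pinned commit, compares the SHA-256 of the downloaded bytes against a value you recorded after reviewing that revision, and only creates the dynamic module when the two match. The `$Commit` and `$ExpectedSha256` values are placeholders you fill in; the repository path is the one from the post.

```powershell
# Added example: pin the download to a reviewed commit and verify its hash before loading.
# Placeholders: fill in the commit you reviewed and the SHA-256 you recorded for that file.
$Commit         = "<commit-sha-you-reviewed>"
$ExpectedSha256 = "<sha256-of-the-reviewed-WindowsSecEvents.ps1>"
$Uri = "https://raw.githubusercontent.com/spottsmorpheus/WindowsSecEvents/$Commit/src/WindowsSecEvents.ps1"

$ProgressPreference = "SilentlyContinue"
$Response = Invoke-WebRequest -Uri $Uri -UseBasicParsing
if ($Response.StatusCode -ne 200) {
    throw "Download failed with HTTP status $($Response.StatusCode)"
}

# Hash the bytes exactly as served, so the value matches Get-FileHash on a saved copy
$Sha256 = [System.Security.Cryptography.SHA256]::Create()
$Actual = ($Sha256.ComputeHash($Response.RawContentStream.ToArray()) |
    ForEach-Object { $_.ToString("x2") }) -join ""

if ($Actual -ne $ExpectedSha256.ToLower()) {
    throw "WindowsSecEvents.ps1 hash mismatch: expected $ExpectedSha256, got $Actual; refusing to load"
}

# Hash matched: load the reviewed code as a temporary module, exactly as the post does
$Module = New-Module -Name "WindowsSecEvents" -ScriptBlock ([ScriptBlock]::Create($Response.Content))

# Confirm the two functions described in the post are now available in the session
Get-Command Get-WindowsAuditEvent, Get-WindowsRestartEvent
```

Record the expected hash once, from a copy of the file you have read, with `Get-FileHash -Algorithm SHA256`; after that, a changed file at the same commit path (or a typo in the commit) fails closed instead of running.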
About the Functions
Get-WindowsAuditEvent
Use this function to query the Windows Security event log on the Domain Controller(s) used by the Morpheus Identity Source, or on the Windows VM where you are running automation tasks. You will most likely need to be a Domain Admin to query the Security log, and the scripts are designed to be run interactively in an elevated Windows PowerShell session. The function takes a -Computer parameter, which accepts a comma-separated list of computer names and queries the Security log on each remotely. See the GitHub README.md for detailed parameters.
Get-WindowsRestartEvent
This function queries the event logs on the local computer, or on a remote computer if -Computer is specified. It reports all the known restart events and can be filtered to the last hour, day, week or month via the -InLast parameter. Output can optionally be returned in JSON format.
Examples
Checking for Login Success Event 4624
To check for a successful login on Domain Controller MYDC01 by user morphuser in the last 5 minutes, returning results as JSON:
Get-WindowsAuditEvent -Recent 5 -Computer "MYDC01" -TargetUser "morphuser" -Eventlist @(4624) -AsJson
Login Failure Event 4625
To check for login failures on Domain Controller MYDC01 from appliance 10.10.10.10 in the last 20 minutes, returning results as JSON:
In the output below, check the Status, SubStatus and FailureReason fields. In this case the account's password must be changed at the next logon, which prevents the account from logging into Morpheus.
Get-WindowsAuditEvent -Recent 20 -Computer "MYDC01" -IPAddress "10.10.10.10" -Eventlist @(4625) -AsJson
{
    "RecordId": 51599589,
    "TimeCreated": "2023-09-21T00:54:10.668",
    "Id": 4625,
    "MachineName": "MYDC01.example.com",
    "TargetUserName": "morphuser",
    "TargetDomainName": "EXAMPLE",
    "IpAddress": "10.10.10.10",
    "IpPort": "37372",
    "Status": "User is required to change password at next logon",
    "SubStatus": "Status OK",
    "FailureReason": "The specified account password has expired.",
    "EventData": {
        "SubjectUserSid": "S-1-5-18",
        "SubjectUserName": "MYDC01$",
        "SubjectDomainName": "EXAMPLE",
        "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-0-0",
        "TargetUserName": "morphuser",
        "TargetDomainName": "EXAMPLE",
        "Status": "0xc0000224",
        "FailureReason": "The specified account password has expired.",
        "SubStatus": "0x0",
        "LogonType": "3",
        "LogonProcessName": "Advapi ",
        "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
        "WorkstationName": "MYDC01",
        "TransmittedServices": "-",
        "LmPackageName": "-",
        "KeyLength": "0",
        "ProcessId": "0x298",
        "ProcessName": "C:\\Windows\\System32\\lsass.exe",
        "IpAddress": "10.10.10.10",
        "IpPort": "37372"
    }
}
Get the default events for the last 5 minutes on servers MYHOST01 and MYDC01 for user morphuser, returning output as JSON:
Get-WindowsAuditEvent -Recent 5 -Computer "MYHOST01, MYDC01" -TargetUser "morphuser" -AsJson
Generating an XML Search filter
Get-WindowsAuditEvent can also generate an XML query filter that can be pasted directly into Event Viewer. For example:
Get-WindowsAuditEvent -Recent 3 -IPAddress "10.10.10.10" -TargetUser "spotts" -AsXML
Using XML Query Filter: Paste this filter into Event Viewer to view events
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      Event[System[TimeCreated[timediff(@SystemTime)<=180000] and (EventID=4624 or EventID=4625 or EventID=4776 or EventID=4768 or EventID=4769)]][EventData[Data[@Name='IPAddress']='10.10.10.10' or Data[@Name='TargetUserName']='spotts']]
    </Select>
  </Query>
</QueryList>
- Copy the XML output by the PowerShell function.
- Open Event Viewer. From the Actions menu select Filter Current Log.
- Select the XML tab.
- Check the Edit query manually checkbox. Click Yes to acknowledge the warning.
- Clear the current contents and paste in the XML output from the PowerShell function.
- Click OK.
Refresh Event Viewer as required to see the latest events matching the filter.
Verifying Morpheus logins
Using these functions it is possible to confirm whether a user has been successfully authenticated by AD. For example, if a user is unable to log into Morpheus and a 4625 event (login failure) is logged, the problem is likely to be with the AD user account, and the Status and FailureReason fields should point to the cause. However, if a user fails to log into Morpheus but the Security log returns a 4624 event (login success), the problem is likely to be within Morpheus: check the Identity Source properties and, if used, the Required Group to confirm the user is in fact a member.
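The same XML filter the function emits for Event Viewer can be run from PowerShell with Get-WinEvent -FilterXml, which is also a quick way to apply the 4624/4625 triage rule from this section without the module loaded. The function below is an added example, not part of the WindowsSecEvents project: it builds the filter for a time window, user and source address, expands each event's EventData fields, and reports whether AD rejected the logon (4625 present) or accepted it (only 4624 present). It assumes the caller can read the Security log on the target computer; the `Get-LogonTriage` name and the sample values at the bottom are constructed for illustration.

```powershell
# Added example (not the project's code): run an Event Viewer style XML filter
# through Get-WinEvent and apply the 4625 vs 4624 triage rule from the post.
function Get-LogonTriage {
    param(
        [int]$Minutes = 5,
        [string]$Computer = $env:COMPUTERNAME,
        [string]$TargetUser,
        [string]$IPAddress
    )
    # timediff() in an event log XPath filter is expressed in milliseconds
    $ms = $Minutes * 60 * 1000

    # The EventData field is named 'IpAddress' (as in the 4625 JSON shown in the post);
    # XPath attribute matching is case-sensitive, so the name must match exactly.
    $clauses = @()
    if ($IPAddress)  { $clauses += "Data[@Name='IpAddress']='$IPAddress'" }
    if ($TargetUser) { $clauses += "Data[@Name='TargetUserName']='$TargetUser'" }
    $dataFilter = if ($clauses.Count -gt 0) { "[EventData[$($clauses -join ' or ')]]" } else { "" }

    # Inside an XML document the '<' of '<=' must be written as '&lt;'
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      Event[System[TimeCreated[timediff(@SystemTime)&lt;=$ms] and (EventID=4624 or EventID=4625)]]$dataFilter
    </Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -ComputerName $Computer -FilterXml $xml -ErrorAction SilentlyContinue

    # Expand the <Data Name="..."> elements of each event into named properties
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            TargetUser  = $data['TargetUserName']
            IpAddress   = $data['IpAddress']
            LogonType   = $data['LogonType']
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']
        }
    }

    $failures  = @($rows | Where-Object Id -eq 4625)
    $successes = @($rows | Where-Object Id -eq 4624)

    # Triage rule from the post: 4625 points at the AD account, 4624 points at Morpheus
    $verdict = if ($failures.Count -gt 0) {
        "AD rejected the logon: review Status/SubStatus (0xc0000224 = password must change at next logon)"
    } elseif ($successes.Count -gt 0) {
        "AD authenticated the user: check the Morpheus Identity Source settings and Required Group membership"
    } else {
        "No 4624/4625 events matched: confirm the DC, time window and filter values"
    }

    [pscustomobject]@{ Verdict = $verdict; Failures = $failures; Successes = $successes }
}

# Constructed sample values: replace with the DC, user and appliance address in your environment
$result = Get-LogonTriage -Minutes 20 -Computer "MYDC01" -TargetUser "morphuser" -IPAddress "10.10.10.10"
$result.Verdict
$result.Failures | Format-Table TimeCreated, TargetUser, IpAddress, LogonType, Status, SubStatus
```

Because the filter combines the user and address clauses with `or`, exactly as the function's generated XML does, a logon by a different account from the same appliance address is also returned; narrow to `and` if you want only one account from one source.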