Detection for exploitation and old TGT usage
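<#
.SYNOPSIS
    Collects the audit events introduced by the November 2021 security updates
    (CVE-2021-42287 / CVE-2021-42278) from every domain controller.

.DESCRIPTION
    CVE-2021-42287 - Authentication updates
    CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes

    These updates introduced additional Event Ids to monitor. The script queries
    the System log on each replica domain controller for those Ids, keeps only
    the events written by the KDC and Directory-Services-SAM providers, and
    emits one object per event so the caller can sort, filter or export them.

.OUTPUTS
    PSCustomObject with ComputerName, TimeCreated, Id, EventGroup and Reason.

.NOTES
    Requires the ActiveDirectory module (Get-ADDomain) and WinRM access to
    each domain controller (Invoke-Command).
#>

# Event Id -> short description. Keys are integers on purpose: the lookup
# below uses EventLogRecord.Id (an Int32) as-is.
$EventIds = @{
    35    = "PAC without attributes"
    36    = "Ticket without a PAC"
    37    = "Ticket without Requestor"
    38    = "Requestor Mismatch"
    16990 = "Object class and UserAccountControl validation failure"
    16991 = "SAM Account Name validation failure"
}

# Only these providers write the Ids above; other sources that reuse the same
# numeric Id in the System log are excluded.
$Providers = @(
    'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    'Microsoft-Windows-Directory-Services-SAM'
)

$Ids = [int[]]$EventIds.Keys
$DomainController = Get-ADDomain | Select-Object -ExpandProperty ReplicaDirectoryServers

foreach ($ComputerName in $DomainController) {
    # Query on the DC itself so the event log is read locally.
    # SilentlyContinue hides the "No events were found" error that Get-WinEvent
    # raises on a clean DC; it also hides access-denied errors, so an empty
    # result for a DC does not by itself prove the DC is clean.
    $Events = Invoke-Command -ComputerName $ComputerName -ArgumentList $Ids, $Providers -ScriptBlock {
        param([int[]]$QueryIds, [string[]]$ProviderNames)
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = 'System'; Id = $QueryIds } |
            Where-Object { $_.ProviderName -in $ProviderNames }
    }

    foreach ($Event in $Events) {
        [PSCustomObject]@{
            # Which DC logged the event; otherwise lost once output is merged.
            ComputerName = $ComputerName
            TimeCreated  = $Event.TimeCreated
            Id           = $Event.Id
            EventGroup   = $EventIds[$Event.Id]
            Reason       = $Event.Message
        }
    }
}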