
Untitled

a guest Dec 8th, 2019 78 Never
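  # Lists Security-log logon events (ID 4624) whose ProcessName ends in "lsass.exe",
  # grouped by the boot session in which each one was recorded.
  #
  # Variables left in the session:
  #   $startups     - System-log events with ID 12, oldest first
  #   $lsassPeriods - one object per boot session: StartedAt, RestartedAt
  #                   (RestartedAt is $null for the session that is still running)
  #   $logons       - one object per matching logon: TimeCreated, TimeDestroyed,
  #                   TargetUserName, TargetUserSid, LogonType, ProcessName
  #
  # TimeDestroyed is the start of the NEXT boot session, not a logoff time. It is an
  # upper bound on how long the logon could have lived, presumably meant as the latest
  # point at which LSASS could still hold state for it - confirm against your use case.
  #
  # Caveats for anyone using the output as evidence:
  #   * Reading the Security log normally requires an elevated session. Get-WinEvent
  #     errors are left visible on purpose, so an access failure is not mistaken for
  #     "no logons".
  #   * If the Security log has rolled over or been cleared, older sessions come back
  #     empty. Treat an empty session as "no data", not as "nobody logged on".
  #   * NOTE(review): the ID 12 filter is not restricted to a provider. This is
  #     presumably meant to match the OS-start event; if other providers also log ID 12
  #     in the System log, the session boundaries will be wrong. Consider adding a
  #     ProviderName key to the filter after confirming the intended source.

  # @() keeps this an array even when exactly one event (or none) is returned.
  $startups = @(Get-WinEvent -FilterHashtable @{ LogName = "System"; ID = 12 } -Oldest)

  # Parse each boot timestamp once instead of re-parsing the event XML per period.
  $bootTimes = @(
      $startups | ForEach-Object {
          [DateTime] ([xml] $_.ToXml()).Event.System.TimeCreated.SystemTime
      }
  )

  # Pair each boot with the following one. An index loop is used because a range such
  # as 1..($startups.Count - 1) counts DOWN when there are fewer than two boot events
  # and would then build periods from out-of-range indexes.
  $lsassPeriods = @(
      for ($i = 0; $i -lt $bootTimes.Count; $i++) {
          $restartedAt = $null
          if ($i + 1 -lt $bootTimes.Count) {
              $restartedAt = $bootTimes[$i + 1]
          }

          [pscustomobject] @{
              "StartedAt"   = $bootTimes[$i]
              "RestartedAt" = $restartedAt
          }
      }
  )

  # Collecting the loop output in one go avoids "$logons + $null", which appends an
  # empty entry whenever a session contains no matching logon.
  $logons = @(
      foreach ($lsassPeriod in $lsassPeriods) {
          # The running session has no restart time yet, so query up to "now".
          $endTime = if ($lsassPeriod.RestartedAt) { $lsassPeriod.RestartedAt } else { Get-Date }

          $query = @{
              LogName   = "Security"
              ID        = 4624
              StartTime = $lsassPeriod.StartedAt
              EndTime   = $endTime
          }

          Get-WinEvent -FilterHashtable $query -Oldest |
              ForEach-Object {
                  $eventXml = ([xml] $_.ToXml()).Event

                  # Index the <Data Name="..."> elements by name; the first occurrence
                  # of a name wins.
                  $fields = @{}
                  foreach ($data in $eventXml.EventData.Data) {
                      $fieldName = $data.Name
                      if ($null -ne $fieldName -and -not $fields.ContainsKey($fieldName)) {
                          $fields[$fieldName] = $data."#text"
                      }
                  }

                  # Keep only logons recorded with lsass.exe as the originating process.
                  if ($fields["ProcessName"] -like "*lsass.exe") {
                      [pscustomobject] @{
                          "TimeCreated"    = [DateTime] $eventXml.System.TimeCreated.SystemTime
                          "TimeDestroyed"  = $lsassPeriod.RestartedAt
                          "TargetUserName" = $fields["TargetUserName"]
                          "TargetUserSid"  = $fields["TargetUserSid"]
                          "LogonType"      = $fields["LogonType"]
                          "ProcessName"    = $fields["ProcessName"]
                      }
                  }
              }
      }
  )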