Here’s a little collection that sets up some Event Consumers on bad logon events and will launch a script to take action on the event. It can be used to take action on logon attempts using cached credentials. If used with the Purge Tickets code it can clear a users kerberos tickets if an intruder logon attempt is detected while disconnected from a domain. Kinda overkill but it was an interesting exercise in understanding event consumers, kerberos tickets and logon providers….
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE -N:root\default %SYSTEMROOT%\SYSTEM32\WBEM\scrcons.mof
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\528SecEventTrig.mof”
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\529SecEventTrig.mof”
%SYSTEMROOT%\SYSTEM32\WBEM\MOFCOMP.EXE “%HERE%\539SecEventTrig.mof”
529SecEventTrig.mof:
#pragma namespace (”\\\\.\\root\\subscription”)
instance of ActiveScriptEventConsumer as $Cons529
{
Name = “BadLogonConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};
instance of __EventFilter as $Filt529
{
Name = “BadLogonFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 529″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};
instance of __FilterToConsumerBinding
{
Filter = $Filt529;
Consumer = $Cons529;
};
528SecEventtrig.mof:
#pragma namespace (”\\\\.\\root\\subscription”)
instance of ActiveScriptEventConsumer as $Cons539
{
Name = “AccountLockedConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};
instance of __EventFilter as $Filt539
{
Name = “AccountLockedFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 539″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};
instance of __FilterToConsumerBinding
{
Filter = $Filt539;
Consumer = $Cons539;
};
539SecEventTrig.mof:
#pragma namespace (”\\\\.\\root\\subscription”)
instance of ActiveScriptEventConsumer as $Cons539
{
Name = “AccountLockedConsumer”;
ScriptingEngine = “VBScript”;
ScriptFileName = “C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HERACLES.VBS”;
KillTimeout = 1;
};
instance of __EventFilter as $Filt539
{
Name = “AccountLockedFilter”;
Query = “SELECT * FROM __InstanceCreationEvent “
“WHERE TargetInstance ISA \”Win32_NTLogEvent\” “
“AND TargetInstance.LogFile = \”Security\” “
“AND TargetInstance.SourceName = \”Security\” “
“AND TargetInstance.EventCode = 539″;
QueryLanguage = “WQL”;
EventNamespace = “\\\\.\\root\\cimv2″;
};
instance of __FilterToConsumerBinding
{
Filter = $Filt539;
Consumer = $Cons539;
};
HERACLES.VBS:
‘
‘Check logon type from TargetEvent.TargetInstance.Message – 11 CachedInteractive, 7 Unlock,
‘Check the User name from TargetEvent.TargetInstance.Message against current interactive user
‘Get lockout count from RSOP
‘Increment consecutive failure count for user
‘On a good logon check the lockout counter for the user and launch chimaera.exe to purge tickets and lock account
‘ Constants:
Const strComputer = “.”
Const HKEY_LOCAL_MACHINE = &H80000002
Const path = “C:\WINDOWS\SYSTEM32\DRIVERS”
Dim strKeyPath : strKeyPath = “SYSTEM\CurrentControlSet\Control\MSReports”
‘Quit if run without the TargetEvent passed from the ActiveScriptEventConsumer
If (Not IsObject(TargetEvent)) Then WScript.Quit
‘Quit if Server
Dim objWMIService : Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Dim colItem :Set colItems = objWMIService.ExecQuery(”Select * From Win32_OperatingSystem”)
Dim objItem
For each objItem in colItems
if (instr(UCase(objItem.Caption),”SERVER”) > 0) then Wscript.Quit
Next
Set colItem = Nothing
Set objWMIService = Nothing
Dim objReg : Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\default:StdRegProv”)
‘Run routine based on Event Code
Select Case TargetEvent.TargetInstance.EventCode
Case 528
Call GoodLogonEvent
Case 529
Call BadLogonEvent
Case 4201
Call TCPIPEvent
Case 539
Call AccountLockedEvent
End Select
Wscript.Quit
Sub GoodLogonEvent
On Error Resume Next
‘Quit if Network Service or SYSTEM
If InStr(UCase(TargetEvent.TargetInstance.Message),”NETWORK SERVICE”) > 0 Then WScript.Quit
If InStr(UCase(TargetEvent.TargetInstance.Message),”SYSTEM”) > 0 Then WScript.Quit
Dim arrMessage, arrUserName, objWMIService, objProcess, test
Dim strUserName, intLockout, errReturn, strValueName, strLogonGUID, arrLogonGUID
‘Parse message for required information
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)
If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(2),vbTab)
If IsArray(arrUserName) then
strUserName = arrUserName(2)
End If
arrLogonDomainName = Split(arrMessage(4),vbTab)
If IsArray(arrLogonDomainName) Then
strLogonDomainName = arrLogonDomainName(3)
End If
arrLogonComputerName = Split(arrMessage(14),vbTab)
If IsArray(arrLogonComputerName) Then
strLogonComputerName = arrLogonComputerName(UBound(arrLogonComputerName))
End If
arrLogonType = Split(arrMessage(8),vbTab)
If IsArray(arrLogonType) Then
intLogonType = arrLogonType(UBound(arrLogonType))
End If
arrLogonGUID = Split(arrMessage(16),vbTab)
If IsArray(arrLogonGUID) Then
strLogonGUID = arrLogonGUID(2)
End if
Else
WScript.Quit
End If
‘Set initial lockout counter
intLockout = &H0
‘Create user key, if not exist
strKeyPath = strKeyPath & “\” & strUserName
errReturn = objReg.CreateKey(HKEY_LOCAL_MACHINE,strKeyPath)
‘Read lockout trigger information
strValueName = strUserName & “-Lockout”
errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intLockout)
If errReturn <> 0 Then
‘Lockout trigger not set so delete user key
objReg.DeleteKey HKEY_LOCAL_MACHINE,strKeyPath ‘,strValueName
Else
‘Lockout trigger set so launch chimaera.exe if it is not already running
Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
‘errReturn = objProcess.Create(path & “\HYDRA.EXE /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
‘Chimaera.exe not running so launch it to purge tickets and lock acocunt
errReturn = objProcess.Create(path & “\CHIMAERA.EXE /LOCK /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
strValueName = strUserName & “-PurgeTktsErrReturn”
if errReturn = 1 then test = &H1 Else test = &H0
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
End if
Set objWMIService = Nothing
Set objProcess = Nothing
End If
Set objReg = Nothing
WScript.quit
End Sub
Sub BadLogonEvent
On Error Resume Next
Dim objreg, arrMessage, arrUserName, objWMIService, objProcess, colItems, objItems, test
Dim strUserName, intLockout, errReturn, strValueName, intLockoutBadCount, intBadLogonCount
Dim arrLogonDomainName, strLogonDomainName, strComputerName, arrLogonType
Dim intLogonType, arrLogonComputerName, strLogonComputerName
IntLockoutBadCount = 5
strComputerName = TargetEvent.TargetInstance.ComputerName
‘Parse message for required information
strUserName = “ERROR”
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)
If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(4),vbTab)
If IsArray(arrUserName) then
strUserName = arrUserName(2)
End If
arrLogonDomainName = Split(arrMessage(6),vbTab)
If IsArray(arrLogonDomainName) Then
strLogonDomainName = arrLogonDomainName(3)
End If
arrLogonComputerName = Split(arrMessage(14),vbTab)
If IsArray(arrLogonComputerName) Then
strLogonComputerName = arrLogonComputerName(UBound(arrLogonComputerName))
End If
arrLogonType = Split(arrMessage(8),vbTab)
If IsArray(arrLogonType) Then
intLogonType = arrLogonType(UBound(arrLogonType))
End If
Else
WScript.Quit
End If
‘If local logon exit
If UCase(strLogonDomainName) = UCase(strComputerName) Then WScript.Quit
If UCase(strLogonComputerName) <> UCase(strComputerName) Then WScript.Quit
strKeyPath = strKeyPath & “\” & strUserName
Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\default:StdRegProv”)
‘Create user key if not exist and write data from message
errReturn = objReg.CreateKey(HKEY_LOCAL_MACHINE,strKeyPath)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonComputerName”,strLogonComputerName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonDomainName”,strLogonDomainName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strUserName”,strUserName)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strLogonType”,intLogonType)
errReturn = objReg.SetStringValue(HKEY_LOCAL_MACHINE,strKeyPath,”strComputerName”,strComputerName)
‘ ‘XP records logontype 11 first even if on the network so if logontype is 2 the reduce the counter by 1
‘ If (intLogonType = 2) Then
‘ strValueName = strUserName & “-BadLogonCount”
‘ errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
‘ If errReturn <> 0 Then
‘ intBadLogonCount = 0
‘ Else
‘ intBadLogonCount = intBadLogonCount – 1
‘ objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount
‘ End If
‘ End if
‘ End if
‘Write and increment bad logon counter if unlock or cached
‘If not unlock or cached logon quit
If (intLogonType = 7) Or (intLogonType = 11) Then
strValueName = strUserName & “-BadLogonCount”
errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
If errReturn <> 0 Then
intBadLogonCount = 1
Else
intBadLogonCount = intBadLogonCount + 1
End If
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount
‘Read Account lockout threshold from RSOP
Set objWMIRSOPService = GetObject(”winmgmts:\\” & strComputer & “\root\rsop\computer”)
Set colItems = objWMIRSOPService.ExecQuery(”Select * from RSOP_SecuritySettingNumeric”)
For Each objItem in colItems
If objItem.KeyName = “LockoutBadCount” Then
intLockoutBadCount = objItem.Setting
End If
Next
Set ColItems = Nothing
Set objWMIRSOPService = Nothing
‘Write trigger if bad logon counter higher than threshold and purge user’s ticket cache
If (intBadLogonCount => intLockoutBadCount) Then
intLockout = 1
strValueName = strUserName & “-Lockout”
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intLockout
Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
‘errReturn = objProcess.Create(path & “\HYDRA.EXE /DOMAIN=” & strLogonDomainName & _
‘ ” /USERID=” & strUserName, Null, Null, intProcessID)
’strValueName = strUserName & “-PopupErrReturn”
‘if errReturn = 1 then test = &H1 Else test = &H0
‘objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
errReturn = objProcess.Create(path & “\CHIMAERA.EXE /DOMAIN=” & strLogonDomainName & ” /USERID=” & strUserName, Null, Null, intProcessID)
strValueName = strUserName & “-PurgeTktsErrReturn”
if errReturn = 1 then test = &H1 Else test = &H0
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
End if
Set objWMIService = Nothing
Set objProcess = Nothing
End If
Set objReg = Nothing
End if
WScript.Quit
End Sub
Sub TCPIPEvent
WScript.quit
End Sub
Sub AccountLockedEvent
On Error Resume Next
If InStr(UCase(TargetEvent.TargetInstance.Message),”NETWORK SERVICE”) > 0 Then WScript.Quit
If InStr(UCase(TargetEvent.TargetInstance.Message),”SYSTEM”) > 0 Then WScript.Quit
Dim objreg, arrMessage, arrUserName, objWMIService, objProcess, test
Dim strUserName, intLockout, errReturn, strValueName
Dim objStartup, objConfig
‘Parse message for required information
arrMessage = Split(TargetEvent.TargetInstance.Message,vbCrLf)
If IsArray(arrMessage) Then
arrUserName = Split(arrMessage(4),vbTab)
If IsArray(arrUserName) then
strUserName = arrUserName(2)
‘As domain account is locked delete user’s counter key
strKeyPath = strKeyPath & “\” & strUserName
Set objReg=GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
errReturn = objReg.DeleteKey(HKEY_LOCAL_MACHINE,strKeyPath)
Set objReg = Nothing
‘Launch CHIMAERA.EXE and purge user’s ticket cache
Set objWMIService = GetObject(”winmgmts:{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\CIMV2″)
Set objProcess = objWMIService.Get(”win32_Process”)
Set colProcesses = objWMIService.ExecQuery(”SELECT * FROM Win32_Process WHERE Name LIKE ‘%CHIMAERA.EXE%’”)
if colProcesses.Count = 0 then
errReturn = objProcess.Create(path & “\CHIMAERA.EXE /USERID=” & strUserName, Null, Null, intProcessID)
end if
Set objWMIService = Nothing
Set objProcess = Nothing
End If
Else
WScript.Quit
End If
Wscript.Quit
End Sub
‘ errReturn = objProcess.Create(”c:\windows\system32\rundll32.exe user32.dll, LockWorkStation”, Null, Null, intProcessID)
‘ strValueName = strUserName & “-LockErrReturn”
‘ if errReturn = 1 then test = &H1 Else test = &H0
‘ objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,test
‘Dim i
‘For i = 0 To UBound(arrMessage)’ thing In arrMessage
‘If arrMessage <> “” then errReturn = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,arrMessage(i),i)
‘errReturn = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,intBadLogonCount)
‘Next
No comments:
Post a Comment