AD DS: Collect User cmd history

After enabling auditing for event 4688 (see the post about auditing Microsoft AD DS, TBD), you can collect the logs to see the command-line activity of a user. Two caveats: 4688 only carries the command line when the policy "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation) is also enabled, and each machine logs only the processes started on it, so querying a domain controller shows what ran on the DC, not on the user's workstation. I wrote the PowerShell function below quickly to help me out with this, but I do recommend Graylog for this purpose.

function Get-UserCmdHistory{
    [CmdletBinding()]
    param(
        # Computer(s) whose Security log is queried. Each host only holds the 4688 events for processes started on it.
        [Parameter(Mandatory,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
        [string[]]$Computer,
        # Optional sAMAccountName to filter on (compared with the event's SubjectUserName).
        [Parameter(ValueFromPipelineByPropertyName=$True,Position=1)]
        [string]$samaccountname
    )

    process {
        # Pipeline-bound parameters are only populated inside process{}, so the collection has to live here, not in begin{}.
        Write-Verbose "Collecting 4688 events from $Computer. This can take a long time..."
        $log = Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4688" -ComputerName $Computer -ErrorAction SilentlyContinue

        Write-Verbose "Processing $($log.Count) events..."
        $object = foreach ($l in $log){
            # InsertionStrings order for 4688 (Windows 8.1 / 2012 R2 and later):
            # [1] SubjectUserName, [5] NewProcessName, [8] CommandLine.
            # CommandLine is empty unless "Include command line in process creation events" is enabled.
            if(-not $samaccountname -or $l.InsertionStrings[1] -eq $samaccountname){
                [pscustomobject]@{
                    DateTime     = [System.Management.ManagementDateTimeConverter]::ToDateTime($l.TimeGenerated)
                    ComputerName = $l.ComputerName
                    AccountName  = $l.InsertionStrings[1]
                    ProcessName  = $l.InsertionStrings[5]
                    CommandLine  = $l.InsertionStrings[8]
                }
            }
        }
        $object | Sort-Object -Property DateTime
    }
}
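The WMI query above pulls every 4688 event off the wire and filters the user on the client. As an added example (my own code, not part of the original post), the same collection done with Get-WinEvent: the user and the time window are put into the XPath filter so the remote host does the filtering, and the event fields are read by name from the event XML instead of by InsertionStrings position. The function name, parameter names and the placeholder host and user names are my own.

```powershell
function Get-UserCmdHistoryFromEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string[]]$ComputerName,

        # sAMAccountName to filter on; the pattern keeps XPath metacharacters out of the query string.
        [Parameter(Position = 1)]
        [ValidatePattern('^[^''"<>&\[\]]+$')]
        [string]$SamAccountName,

        # Only return events newer than this; defaults to the last 24 hours.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # timediff(@SystemTime) is the age of the event in milliseconds, evaluated by the event log service on the remote host.
    $ageMs = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[EventID=4688 and TimeCreated[timediff(@SystemTime) <= $ageMs]]"
    if ($SamAccountName) {
        $xpath += " and EventData[Data[@Name='SubjectUserName']='$SamAccountName']"
    }
    $xpath += "]"

    foreach ($c in $ComputerName) {
        Write-Verbose "Querying $c with XPath: $xpath"
        $events = Get-WinEvent -ComputerName $c -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
        if (-not $events) {
            Write-Warning "No matching 4688 events on $c (no events in window, access denied, or process auditing not enabled)."
            continue
        }

        $rows = foreach ($e in $events) {
            # Read EventData fields by name so the code does not depend on field order.
            # ParentProcessName only exists on Windows 10 / Server 2016 and later and is $null on older hosts.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $e.TimeCreated
                ComputerName      = $e.MachineName
                AccountName       = $data['SubjectUserName']
                NewProcessName    = $data['NewProcessName']
                ParentProcessName = $data['ParentProcessName']
                CommandLine       = $data['CommandLine']
            }
        }

        # An empty CommandLine on every row means the command-line auditing policy is off on that host.
        if (-not ($rows | Where-Object { $_.CommandLine })) {
            Write-Warning "4688 events on $c carry no command line; enable 'Include command line in process creation events'."
        }
        $rows | Sort-Object -Property TimeCreated
    }
}

# Example usage (DC01 and jdoe are placeholders):
# Get-UserCmdHistoryFromEventLog -ComputerName DC01 -SamAccountName jdoe -Since (Get-Date).AddHours(-4) |
#     Format-Table TimeCreated, AccountName, NewProcessName, CommandLine -AutoSize
```

Remote Get-WinEvent uses RPC and needs the "Remote Event Log Management" firewall rules open on the target and an account that can read the Security log (Event Log Readers membership or local administrator). Because the filter runs on the remote side, narrowing the window with -Since is what makes this usable against a busy Security log.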
