
I am starting a series of posts on monitoring Active Directory.
In these articles I will describe the most basic problems and ways to solve them. Starting from this material, the functionality is easily extended to whatever you need.
Given that PowerShell is now available for all Windows versions starting with Windows XP SP3 and Windows Server 2003 R2, I think this article will be useful, because it requires no additional spending by the administrator; in effect, it is monitoring with the built-in tools.
So, let's begin.
Active Directory Monitoring
Across the IT blogging community you can find many articles on monitoring AD, but more than 90% of them are devoted to third-party applications, most of which cost a certain amount of money that not every company is willing to pay, even if it is not much. The record holder in the number of articles is probably the product from NetWrix Corporation; here and there IT specialists describe its wonderful features. Why be shy: I also used this program in demo mode. Honestly, I liked it, everything is simple and accessible, but nobody would give money for it, which means that at the end of the demo period AD would again be left without a watchful eye. That did not suit me at all.
A little theory
As is well known, the security policies of Windows of all stripes offer auditing of events. This audit automatically generates entries in the Security log of the Event Log. Auditing can be enabled for several types of events, for example: logon, object access, account management, policy change and others; nine categories in total. This is the basic audit. Starting with Windows 7 and Windows Server 2008 R2 the number of audit subcategories grew to 53, which makes it possible to audit only the events you actually need in more detail. More information on advanced audit policy is available in Microsoft's documentation.
But, as anyone who has ever looked at the Security section of the EventLog knows, finding something there is, if not impossible, then at least very difficult.
Idea...
And then the idea was born: since Windows can create a record in the EventLog about an event that has occurred, this information can in principle be retrieved. There is one "but": the log is painfully large to search for the necessary event by hand, and over time, if you do not limit its size, it can grow to dozens of gigabytes, which in itself is not good. So the problem of finding the necessary information in the EventLog has to be solved automatically. Fortunately, each type of event (for example, creating a user account) has its own ID by which it can be found.
So to solve the search problem we only need to find this event in the log.
PowerShell 2.0 has a dedicated cmdlet for working with the EventLog, Get-WinEvent. With it you can retrieve specific entries from the EventLog.
Implementation
Suppose that in the group policy applied to the domain controllers we enabled auditing of account-management events (for computer accounts this is the "Audit Computer Account Management" subcategory).
Then any action on an account in AD will generate an event, which creates an EventLog record with a specific identifier. For example, if you join a computer to the domain, an entry with ID 4741 appears in the Security log on the domain controller where the operation was performed; it indicates at what time, who, and which computer was added to the domain.
To get the events with a given identifier, use the PowerShell query:
Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741}
This returns every matching event, newest first; add -MaxEvents 1 if you only want the most recent one.
Unfortunately the output format leaves something to be desired: there is a lot of unnecessary information, such as security identifiers and a long list of attributes:
TimeCreated  : 12.07.2012 14:02:19
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4741
Message      : A computer account was created.

               Subject:
                  Security ID:             S-1-5-21-451469775-2953165952-2320738315-500
                  Account Name:            administrator
                  Account Domain:          DOMAIN
                  Logon ID:                0xb3acf

               New Computer Account:
                  Security ID:             S-1-5-21-451469775-2953165952-2320738315-2979
                  Account Name:            TEST$
                  Account Domain:          DOMAIN

               Attributes:
                  SAM Account Name:        TEST$
                  Display Name:            -
                  User Principal Name:     -
                  Home Directory:          -
                  Home Drive:              -
                  Script Path:             -
                  Profile Path:            -
                  User Workstations:       -
                  Password Last Set:       <never>
                  Account Expires:         <never>
                  Primary Group ID:        515
                  AllowedToDelegateTo:     -
                  Old UAC Value:           0x0
                  New UAC Value:           0x85
                  User Account Control:    ...
                  User Parameters:         -
                  SID History:             -
                  Logon Hours:             <value not set>
                  DNS Host Name:           -
                  Service Principal Names: -

               Additional Information:
                  Privileges:              -
What we are really interested in is just the basic information: the time, who created the object, and the computer name. To get it, we "slightly" correct our query (the property names Operator and ComputerName are ours; any names will do):
Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741} |
    Select-Object TimeCreated,
        @{n="Operator";     e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | % {$_.'#text'}}},
        @{n="ComputerName"; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"}  | % {$_.'#text'}}}
As a result, the query returns information that is easy on the eye:
TimeCreated  : 12.07.2012 14:02:19
Operator     : administrator
ComputerName : TEST$
This query treats the EventLog entry as an XML object and selects the values we need, i.e. the time (TimeCreated), the operator and the computer name.
As you can see, the code is not very readable. To make events easier to work with, the .NET EventLogEntry class (which is what Get-EventLog returns) exposes the insertion strings of each event as the ReplacementStrings array, and since PowerShell is built on .NET, that is available to us directly.
For example, this code pulls the fields of event 4768 (a Kerberos TGT was requested) out by position:
Get-EventLog Security -InstanceId 4768 | Select TimeGenerated,ReplacementStrings | % {
    New-Object PSObject -Property @{
        UserName  = $_.ReplacementStrings[0]   # TargetUserName
        IPAddress = $_.ReplacementStrings[9]   # IpAddress of the requesting host
        Date      = $_.TimeGenerated
    }
}
As a result, we get something like this:
Date      : 12.07.2012 14:02:19
UserName  : administrator
IPAddress : 10.10.10.1
This code is much easier to read.
Let us look at the queries in more detail.
Option 1 (the query treats the event as XML): if you open any entry in the EventLog, you will see two tabs, General and Details.
On the Details tab, select "XML View" and you will see the structure of the event as XML.
We parse the event as XML and pick the values we need: in the Event.EventData.Data section the parameter named SubjectUserName holds the name of the user who created the computer, and the parameter named SamAccountName holds the name of the computer that was created.
Option 2 (parsing by substrings): in the same way, open the event as XML, find the Event.EventData.Data section and count the Data elements, starting from 0; these are the indices of the ReplacementStrings array. Find the element with the value you need and note its position. Bear in mind that the order (and the count) of Data elements is specific to each event ID, so an index that is right for 4768 is not necessarily right for 4741.
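As an added example (not part of the original article), here is a helper that generalizes Option 1: instead of one computed property per field, it turns the whole EventData section of any event into an object with one property per named Data element, so fields are addressed by name and the same function serves every event ID. The function name ConvertFrom-EventData is my own; reading the Security log requires administrator rights or membership in Event Log Readers.

```powershell
# Added example: convert the EventData of a Security event into an object whose
# properties are the <Data Name="..."> elements. Works on Windows PowerShell 2.0
# and later (no [ordered] or $PSItem, which appeared only in 3.0).
function ConvertFrom-EventData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty TimeCreated $Event.TimeCreated
        $obj | Add-Member NoteProperty Id          $Event.Id
        # System/Computer is the DC that wrote the record; useful when several DCs are queried.
        $obj | Add-Member NoteProperty Computer    $xml.Event.System.Computer
        foreach ($d in $xml.Event.EventData.Data) {
            # Each <Data Name="..."> element carries its value as inner text;
            # an empty element yields $null for '#text', which is kept as-is.
            $name = $d.Name
            if ($name) {
                $obj | Add-Member NoteProperty $name $d.'#text' -Force
            }
        }
        $obj
    }
}

# Usage: the same query as in the article, but the field names now come from the event itself,
# and -MaxEvents stops the log from being read to the end.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4741} -MaxEvents 5 |
    ConvertFrom-EventData |
    Select-Object TimeCreated, Computer, SubjectDomainName, SubjectUserName, SamAccountName, PrivilegeList
```

Because every named field is exposed, the same pipeline works for 4720 (TargetUserName, SamAccountName), 4728 (MemberName, TargetUserName) or any other event: pick the properties after looking at the event's XML view once, rather than rewriting the computed-property expressions each time.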
Now this information needs to be delivered somewhere, rather than left in the console.
Better still, it should be sent to the administrator, for example by mail.
PowerShell 2.0 can open an SMTP session from the console and send e-mail.
Send-MailMessage is the cmdlet that does this.
To send a message, you specify the SMTP server, the sender's address, the recipient's address, the message body, the subject, and the user name and password for the mail account.
Putting it together, we get the following script, which finds the most recent event with ID 4741 and sends the information to the administrator by mail:
# Header line inside the message body (wording is illustrative)
$Theme   = "A new computer account has been created in the domain"
# Subject of the e-mail
$Subject = "AD audit: computer added to the domain"
# SMTP server
$Server  = "mail.domain.ru"
# Sender address
$From    = "audit@domain.ru"
# Recipient address
$To      = "admin@domain.ru"
# Credentials of the sending account (the password sits here in clear text; see the warning below)
$pass = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("AUDIT", $pass)
# Message encoding
$encoding = [System.Text.Encoding]::UTF8
# Find the newest event with the wanted ID and pull out the fields for the body.
# Out-String is needed because -Body expects a string, not an object.
$Body = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741} |
    Select-Object TimeCreated,
        @{n="Operator";     e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | % {$_.'#text'}}},
        @{n="ComputerName"; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"}  | % {$_.'#text'}}} |
    Select-Object -First 1 | Format-List | Out-String
# Send the message.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Theme`n$Body" -Subject $Subject -Credential $cred -Encoding $encoding
Putting it all together
Save this script to a file with the .ps1 extension, for example D:\Scripts\ADCompAdd.ps1.
Open the PowerShell console.
Type the command:
Set-ExecutionPolicy Unrestricted
press "Y" and Enter. This allows PowerShell scripts to run on the server. (RemoteSigned is enough for scripts written locally and is the less permissive choice.)
Drag the script into the console (drag and drop) and press Enter. Check that the script ran without errors (i.e. no red text appeared in the console), then check the mailbox for a new message with the data we need.
It remains to launch this script at the moment the event occurs.
Here the Task Scheduler comes to our aid: it can react to a specific event in the EventLog.
Create a task and, in the trigger, set it to respond to event 4741 appearing in the Security log.
Then specify that the script must be run: in "Actions" choose to start a program, in the "Program or script" field write
powershell
and in the "Add arguments (optional)" field write
-nologo -noprofile -File "D:\Scripts\ADCompAdd.ps1"
Run the task under an account that is allowed to read the Security log (a local administrator or a member of Event Log Readers) and select "Run whether user is logged on or not"; otherwise the task only fires while that account has an interactive session.
Now test how the whole structure works: create a test computer in any OU in AD and check the mailbox for the message.
The script is not entirely safe: it contains a user name and password in clear text. So if you decide to use it, I strongly recommend sending the messages from an account with the minimum set of rights, and restricting NTFS permissions on the script file so that only the task's account can read it.
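An added example, not the article's own script: the same "newest 4741 to mail" logic with the password taken out of the file. The credential is saved once, interactively, with Export-Clixml, which protects the SecureString inside it with DPAPI for the saving user, so the file is only usable by the account that will run the scheduled task (run the first, interactive step as that account). The server, addresses, the AUDIT account name and the paths are placeholders carried over from the script above; -UseSsl assumes the mail server offers TLS.

```powershell
# Added example: 4741 notification without a clear-text password in the script.
$CredFile = 'D:\Scripts\audit-smtp.cred.xml'   # placeholder path
$Server   = 'mail.domain.ru'
$From     = 'audit@domain.ru'
$To       = 'admin@domain.ru'
$Subject  = 'AD audit: computer account created'

if (-not (Test-Path $CredFile)) {
    # First run (interactive): prompt for the mail account's password and store the
    # credential encrypted with DPAPI for the current user. Do this as the task's account.
    Get-Credential -Credential 'AUDIT' | Export-Clixml -Path $CredFile
}
$cred = Import-Clixml -Path $CredFile

# -MaxEvents 1 asks the log for the newest matching record only, instead of reading
# the whole log and discarding everything but the first result.
# Get-WinEvent reports a non-terminating error when nothing matches, hence SilentlyContinue.
$event = Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4741} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $event) { return }   # nothing to report

# Pull every named field out of the EventData section into a hashtable.
$xml  = [xml]$event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }

$Body = @(
    'Computer account created in the domain',
    "Time:     $($event.TimeCreated)",
    "Operator: $($data['SubjectDomainName'])\$($data['SubjectUserName'])",
    "Computer: $($data['SamAccountName'])",
    "DC:       $($xml.Event.System.Computer)"
) -join "`r`n"

# -UseSsl keeps the SMTP credential off the wire in clear text.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Subject $Subject -Body $Body `
    -Credential $cred -Encoding ([System.Text.Encoding]::UTF8) -UseSsl
```

The Clixml file is tied to the Windows account (and machine) that created it, so a copy taken from the disk is useless elsewhere; it is still worth locking the file down with NTFS permissions, since the task's own account can decrypt it.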
By my measurements the reaction time is one second, that is, one second passes from the creation of the object to the receipt of the letter. That is, of course, provided you use your local mail server rather than something out on the Internet, where the delay may be longer; but in general it is not high.
So, taking this script as a basis and changing the event ID and the fields you want to pull out of the event, you can monitor all operations on AD accounts: create and delete, enable and disable, lock and unlock, adding to and removing from groups, and so on; in general, any event that Windows auditing can record. You only need to change the filter in the query: view the required event in XML view, pick the values you need and put their names into the filter.
PS:
Here are some useful event identifiers for Windows Server 2008 R2:
ID = 4741 Creating a computer in the domain
ID = 4743 Removing the computer from the domain
ID = 4728 Member added to a security-enabled global group (4732 for local, 4756 for universal groups)
ID = 4729 Member removed from a security-enabled global group (4733 for local, 4757 for universal groups)
ID = 4720 Create user
ID = 4726 Delete user
ID = 4740 Account Lockout
ID = 4767 Unlock Account
ID = 4722 Enable Account
ID = 4725 Disable account
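As an added example (not from the original article), here is a poll-style collector that watches all of the IDs listed above in one query and keeps a checkpoint between runs. It addresses a gap in the event-triggered approach: a task that always takes "the last event" drops the second of two changes that land within the same second, and reports nothing about events that happened while the task was not running. The checkpoint path is a placeholder; the field names come from the EventData of each event (note that for 4740 the Subject is the domain controller's own computer account, not a person).

```powershell
# Added example: watch several account-management events at once with a checkpoint.
$Checkpoint = 'D:\Scripts\ad-audit.checkpoint.txt'   # placeholder path

# Per event ID: a description and the EventData field that names the object acted on.
# The Subject* fields (who did it) carry the same names in all of these events.
$Watch = @{
    4741 = @{ What = 'Computer created';                    Target = 'SamAccountName' }
    4743 = @{ What = 'Computer deleted';                    Target = 'TargetUserName' }
    4720 = @{ What = 'User created';                        Target = 'SamAccountName' }
    4726 = @{ What = 'User deleted';                        Target = 'TargetUserName' }
    4722 = @{ What = 'Account enabled';                     Target = 'TargetUserName' }
    4725 = @{ What = 'Account disabled';                    Target = 'TargetUserName' }
    4740 = @{ What = 'Account locked out';                  Target = 'TargetUserName' }
    4767 = @{ What = 'Account unlocked';                    Target = 'TargetUserName' }
    4728 = @{ What = 'Added to global security group';      Target = 'MemberName'; Group = 'TargetUserName' }
    4729 = @{ What = 'Removed from global security group';  Target = 'MemberName'; Group = 'TargetUserName' }
}

# Resume where the previous run stopped; on the very first run look back one hour.
$since    = if (Test-Path $Checkpoint) { [datetime](Get-Content $Checkpoint) } else { (Get-Date).AddHours(-1) }
$runStart = Get-Date

# One query for all IDs; StartTime is handled by the event log service, not by filtering in PowerShell.
$filter = @{ LogName = 'Security'; ID = [int[]]$Watch.Keys; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }

    $rule = $Watch[$e.Id]
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1,-36} {2}\{3} -> {4}' -f $e.TimeCreated, $rule.What,
            $data['SubjectDomainName'], $data['SubjectUserName'], $data[$rule.Target]
    if ($rule.Group) { $line += "  (group: $($data[$rule.Group]))" }
    $line
}

# Save the checkpoint only after the run completed. StartTime is inclusive, so an event
# stamped exactly at $runStart may be reported once more on the next run; that is the
# safe direction (a duplicate rather than a miss).
$runStart.ToString('o') | Set-Content $Checkpoint
```

Run it from the Task Scheduler every minute or two (with the same account requirements as the event-triggered task) and pipe the lines into Send-MailMessage or a file; because the checkpoint is written last, a run that fails half-way simply re-reads the same window next time.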