One day I needed to access my home desktop remotely from an office. Before leaving home, I enabled RDP on it (it runs Windows 10) and noted the public IP address, so I could log in to my desktop over Remote Desktop Services. Along the way, I wondered how secure my desktop was while it was exposed.
Extract Login Failed Windows Event Log
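First, I extracted the Windows Event Log entries with ID 4625 using the following PowerShell commands.

    # Export every failed logon (event ID 4625) from the Security log to CSV.
    # Reading the Security log requires an elevated PowerShell session.
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } |
        ForEach-Object {
            New-Object PSObject -Property ([ordered]@{
                # HH = 24-hour clock, so afternoon events are not confused with morning ones
                TimeCreated = $_.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")
                User        = $_.Properties[5].Value   # TargetUserName
                LogonType   = $_.Properties[10].Value  # LogonType
                SourceIP    = $_.Properties[19].Value  # IpAddress
            })
        } | Export-Csv -Path C:\Work\EventLogs-4625.csv -NoTypeInformation
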
Given the raw data, including the date and time and the source IP address, we can make a timeline graph as below. As you can see in the graph, the maximum number of login attack attempts was about 350 in an hour.

I realized that threat actors are working hard to find any vulnerable system. In addition, you can download the raw data: EventLogs-4625
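
An added example, not part of the original post: one way to turn the exported CSV into the per-hour counts behind such a timeline, plus the most frequent source addresses and targeted user names. The sample rows are constructed, the function name Get-FailedLogonSummary is hypothetical, and the TimeCreated column is assumed to hold 24-hour timestamps (yyyy-MM-dd HH:mm:ss).

```powershell
# Constructed sample rows in the same column layout as EventLogs-4625.csv.
$rows = @'
"TimeCreated","User","LogonType","SourceIP"
"2020-01-01 13:05:11","administrator","3","203.0.113.10"
"2020-01-01 13:17:42","admin","3","203.0.113.10"
"2020-01-01 13:48:03","test","3","198.51.100.7"
"2020-01-01 14:02:19","administrator","3","203.0.113.10"
"2020-01-01 14:30:55","user","3","-"
'@ | ConvertFrom-Csv
# For the real export, use instead:
# $rows = Import-Csv -Path C:\Work\EventLogs-4625.csv

# Hypothetical helper (assumption, not from the post): summarises failed logons.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)] [object[]] $Rows)

    $format  = 'yyyy-MM-dd HH:mm:ss'
    $culture = [cultureinfo]::InvariantCulture

    # Parse strictly so a malformed timestamp raises an error instead of being miscounted.
    $parsed = foreach ($row in $Rows) {
        $time = [datetime]::ParseExact($row.TimeCreated, $format, $culture)
        [pscustomobject]@{
            Hour     = $time.ToString('yyyy-MM-dd HH:00')  # hourly bucket
            User     = $row.User
            SourceIP = $row.SourceIP
        }
    }

    [pscustomobject]@{
        # One row per hour: the data series for the timeline graph.
        PerHour    = $parsed | Group-Object Hour | Sort-Object Name |
                     Select-Object @{n='Hour';e={$_.Name}}, @{n='Attempts';e={$_.Count}}
        # Sources with the most failures; "-" means the event carried no address.
        TopSources = $parsed | Where-Object SourceIP -ne '-' | Group-Object SourceIP |
                     Sort-Object Count -Descending | Select-Object -First 10 Name, Count
        # Account names the attempts targeted most often.
        TopUsers   = $parsed | Group-Object User | Sort-Object Count -Descending |
                     Select-Object -First 10 Name, Count
    }
}

$summary = Get-FailedLogonSummary -Rows $rows
$summary.PerHour    | Format-Table
$summary.TopSources | Format-Table
$summary.TopUsers   | Format-Table
```

The busiest entry in PerHour is the peak of the timeline, and TopSources gives a short list of addresses to consider for firewall block rules.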
Extract Login Succeeded Windows Event Log
To check whether anyone unknown logged in to my system, we can check the Windows Event Log entries with ID 4624. Here is a sample PowerShell script to extract them.

    # Filter: successful logons (event ID 4624) from the last 24 hours.
    # $args is a PowerShell automatic variable, so the filter uses a different name.
    $filter = @{
        StartTime = (Get-Date).AddHours(-24)
        EndTime   = (Get-Date)
        LogName   = "Security"
        Id        = 4624
    }
    # Logon type 7 = Unlock; type 10 = RemoteInteractive (RDP).
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        New-Object PSObject -Property ([ordered]@{
            TimeCreated     = $_.TimeCreated
            User            = $_.Properties[5].Value   # TargetUserName
            LogonType       = $_.Properties[8].Value   # LogonType
            LogonProcessId  = $_.Properties[16].Value  # ProcessId
            LogonProcess    = $_.Properties[17].Value  # ProcessName
            WorkstationName = $_.Properties[11].Value  # WorkstationName
            SourceIP        = $_.Properties[18].Value  # IpAddress (index 19 is IpPort in 4624)
        })
    } | Where-Object LogonType -eq 7 | Format-Table