Find attached a script to get all systems that using zerologon (event 5829) described in CVE-2020-1472. I want to upload this script to my technet gallery, but MS changed it all so I cant acces it...
More infos about this topic and how to handle the update process:
You can change the event to find other objects like trusts etc.
# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machinesamaccountnames that appear in Event 5829, to find systems using zerologon!
# --------------------------------------------------------------------------------------------------------
# Prepare Variables
Param (
[parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
[parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)
# Create an Array to hold the values
$InsecureNetLogons = @()
# Grab the appropriate events
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(get-date).AddMinutes("-$Minutes")}
# Loop through each event
ForEach ($Event in $Events) {
$eventXML = [xml]$Event.ToXml()
$Client = ($eventXML.event.EventData.Data[0]) #get Machinesamaccountname
# Add Them To a Row in our Array
$Row = "" | select Client
$Row.Client =$Client
# Add the row to our Array
$InsecureNetLogons += $Row
}
# Dump it all out to a CSV and open gridview
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $ComputerName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client| Export-CSV -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client| Out-GridView
No comments:
Post a Comment