Tuesday, December 1, 2020

Get Zerlologons CVE-2020-1472 using PowerShell

Find attached a script to get all systems that using zerologon (event 5829) described in CVE-2020-1472. I want to upload this script to my technet gallery, but MS changed it all so I cant acces it...

More infos about this topic and how to handle the update process:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

You can change the event to find other objects like trusts etc.

# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machinesamaccountnames that appear in Event 5829, to find systems using zerologon!
# --------------------------------------------------------------------------------------------------------


# Prepare Variables
Param (
        [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
        [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)

# Create an Array to hold the values
$InsecureNetLogons = @()

# Grab the appropriate events
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(get-date).AddMinutes("-$Minutes")}

# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    $Client = ($eventXML.event.EventData.Data[0]) #get Machinesamaccountname
    # Add Them To a Row in our Array
    $Row = "" | select Client
    $Row.Client =$Client
    # Add the row to our Array
    $InsecureNetLogons += $Row    
}

# Dump it all out to a CSV and open gridview
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $ComputerName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client| Export-CSV -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client| Out-GridView

No comments:

Post a Comment