WindowsSecEvents
PowerShell functions for querying Morpheus-related Windows Security events while troubleshooting AD Identity Sources.
The functions are available on GitHub here.
To load the script, dot-source the WindowsSecEvents.ps1 file into an elevated PowerShell session:
    PS> . .\WindowsSecEvents.ps1
NOTE: to run these PowerShell scripts the account must be an Administrator with access to query the Security event log on the target computer. When querying a Domain Controller's Security log the user will most likely need to be a Domain Admin.
Loading Directly from GitHub URL
It is possible to load these functions directly from GitHub if your endpoint has an Internet connection. Use the following PowerShell to download the script and install it as a dynamic (in-memory) module directly from the GitHub URL:
    $Uri = "https://raw.githubusercontent.com/spottsmorpheus/WindowsSecEvents/main/src/WindowsSecEvents.ps1"
    # Suppress the download progress bar
    $ProgressPreference = "SilentlyContinue"
    # Load PowerShell code from the GitHub Uri and invoke it as a temporary module
    $Response = Invoke-WebRequest -Uri $Uri -UseBasicParsing
    if ($Response.StatusCode -eq 200) {
        # The functions defined in the script become available in the current session
        $Module = New-Module -Name "WindowsSecEvents" -ScriptBlock ([ScriptBlock]::Create($Response.Content))
    }
About the Functions
Get-WindowsAuditEvent
Use this function to query the Windows Security event log on the Domain Controller(s) used by the Morpheus Identity Source, or on the Windows VM where you are running automation tasks. You will most likely need to be a Domain Admin to query the Security log, and the scripts are designed to be run interactively in an elevated Windows PowerShell session. The function takes a -Computer parameter, which accepts a comma-separated list of computer names and queries the Security log on each remotely. See the GitHub README.md for detailed parameters.
Get-WindowsRestartEvent
This function queries the event logs on the local computer, or on a remote computer if -Computer is specified. It reports all the known restart events and can be filtered to the last hour, day, week or month via the -InLast parameter. Output can optionally be returned in JSON format.
Examples
Checking for Login Success Event 4624
To check for a successful login on Domain Controller MYDC01 by user morphuser in the last 5 minutes, returning results as JSON:
    Get-WindowsAuditEvent -Recent 5 -Computer "MYDC01" -TargetUser "morphuser" -Eventlist @(4624) -AsJson
Login Failure Event 4625
To check for login failures on Domain Controller MYDC01 from appliance 10.10.10.10 in the last 20 minutes, returning results as JSON:
In the example output below, check the Status, SubStatus and FailureReason fields. Here the account's password must be changed at the next logon, which prevents the account from logging into Morpheus.
    Get-WindowsAuditEvent -Recent 20 -Computer "MYDC01" -IPAddress "10.10.10.10" -Eventlist @(4625) -AsJson
    {
      "RecordId": 51599589,
      "TimeCreated": "2023-09-21T00:54:10.668",
      "Id": 4625,
      "MachineName": "MYDC01.example.com",
      "TargetUserName": "morphuser",
      "TargetDomainName": "EXAMPLE",
      "IpAddress": "10.10.10.10",
      "IpPort": "37372",
      "Status": "User is required to change password at next logon",
      "SubStatus": "Status OK",
      "FailureReason": "The specified account password has expired.",
      "EventData": {
        "SubjectUserSid": "S-1-5-18",
        "SubjectUserName": "MYDC01$",
        "SubjectDomainName": "EXAMPLE",
        "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-0-0",
        "TargetUserName": "morphuser",
        "TargetDomainName": "EXAMPLE",
        "Status": "0xc0000224",
        "FailureReason": "The specified account password has expired.",
        "SubStatus": "0x0",
        "LogonType": "3",
        "LogonProcessName": "Advapi ",
        "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
        "WorkstationName": "MYDC01",
        "TransmittedServices": "-",
        "LmPackageName": "-",
        "KeyLength": "0",
        "ProcessId": "0x298",
        "ProcessName": "C:\\Windows\\System32\\lsass.exe",
        "IpAddress": "10.10.10.10",
        "IpPort": "37372"
      }
    }
Get the default set of events for the last 5 minutes on servers MYHOST01 and MYDC01 for user morphuser, returning output as JSON:
    Get-WindowsAuditEvent -Recent 5 -Computer "MYHOST01, MYDC01" -TargetUser "morphuser" -AsJson
Generating an XML Search filter
Get-WindowsAuditEvent can also generate an XML query filter that can be pasted directly into Event Viewer. As an example:
    Get-WindowsAuditEvent -Recent 3 -IPAddress "10.10.10.10" -TargetUser "spotts" -AsXML
    Using XML Query Filter: Paste this filter into Event Viewer to view events
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          Event[System[TimeCreated[timediff(@SystemTime)<=180000] and (EventID=4624 or EventID=4625 or EventID=4776 or EventID=4768 or EventID=4769)]][EventData[Data[@Name='IPAddress']='10.10.10.10' or Data[@Name='TargetUserName']='spotts']]
        </Select>
      </Query>
    </QueryList>
- Copy the XML output by the PowerShell function.
- Open Event Viewer. From the Actions menu select Filter Current Log.
- Select the XML tab.
- Check the Edit query manually checkbox and click Yes to acknowledge the warning.
- Clear the current contents and paste in the XML output from the PowerShell function.
- Click OK.
Refresh Event Viewer as required to see the latest events matching the filter.
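The same filter can be run with Get-WinEvent instead of being pasted into Event Viewer. This is an added example and not code from the WindowsSecEvents project: the function name is hypothetical, and the IP address, user name and 3-minute window are the constructed values from the example above. Inside the here-string the comparison is written as &lt;= so the text parses as XML, and the Data name is written IpAddress to match the field name shown in the JSON output above.

```powershell
# Added example, not part of the WindowsSecEvents project: run the page's XML
# filter with Get-WinEvent instead of Event Viewer. Function name is hypothetical.
function Invoke-SecurityXmlFilter {
    param(
        [string]$IPAddress  = "10.10.10.10",   # constructed value from the example above
        [string]$TargetUser = "spotts",        # constructed value from the example above
        [int]$Minutes       = 3,
        [string]$Computer   = $env:COMPUTERNAME
    )
    # timediff() in the event log XPath dialect is expressed in milliseconds
    $Ms  = $Minutes * 60 * 1000
    # Same event set the page's filter uses: logon, logon failure, NTLM and Kerberos auth
    $Ids = (@(4624, 4625, 4776, 4768, 4769) | ForEach-Object { "EventID=$_" }) -join " or "

    # '<' must be escaped as &lt; so that the string parses as XML for -FilterXml
    $FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      Event[System[TimeCreated[timediff(@SystemTime) &lt;= $Ms] and ($Ids)]][EventData[Data[@Name='IpAddress']='$IPAddress' or Data[@Name='TargetUserName']='$TargetUser']]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as no rows
    $Events = Get-WinEvent -FilterXml ([xml]$FilterXml) -ComputerName $Computer -ErrorAction SilentlyContinue

    foreach ($e in $Events) {
        # Pull the named EventData fields out of the event's XML rendering
        $Data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            TargetUser  = $Data['TargetUserName']
            IpAddress   = $Data['IpAddress']
            LogonType   = $Data['LogonType']
        }
    }
}
# Usage: Invoke-SecurityXmlFilter -Computer "MYDC01" | Format-Table -AutoSize
```

Run it from the same elevated session used for the functions above; -ComputerName reads the remote Security log over RPC and needs the same rights as Get-WindowsAuditEvent.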
Verifying Morpheus logins
Using these functions it is possible to confirm whether a user has been successfully authenticated by AD. For example, if a user is unable to log into Morpheus and a 4625 event (login failure) is logged, the issue is likely to be with the AD user account, and the Status and FailureReason fields should point to where the issue is. However, if a user fails to log into Morpheus but the Security log returns a 4624 event (login success), the issue is likely to be within Morpheus, and you should check the Identity Source properties and, if used, the Required Group to see whether the user is in fact a member.
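The triage rule above, as an added example that is not part of the WindowsSecEvents project: it reads the 4624/4625 events for one account straight from the Security log with Get-WinEvent and reports which side to look at. The function name and the small NTSTATUS lookup table are this example's own, and the account, window and computer in the usage line are constructed.

```powershell
# Added example, not part of the WindowsSecEvents project. Classifies recent logon
# events for one account: 4625 -> AD account problem, 4624 -> look inside Morpheus.
function Test-AdLogonForUser {
    param(
        [Parameter(Mandatory)][string]$TargetUser,
        [int]$Minutes     = 5,
        [string]$Computer = $env:COMPUTERNAME
    )
    # NTSTATUS values a 4625 carries in EventData.Status (lowercase hex, as in the
    # JSON output above). Anything not in this table is reported raw, never guessed.
    $StatusText = @{
        '0xc000006d' = 'Bad user name or password (see SubStatus)'
        '0xc000006f' = 'Logon outside permitted hours'
        '0xc0000071' = 'Password expired'
        '0xc0000072' = 'Account disabled'
        '0xc0000193' = 'Account expired'
        '0xc0000224' = 'User must change password at next logon'
        '0xc0000234' = 'Account locked out'
    }
    $Filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Non-terminating "no events found" error is silenced so an empty result is just empty
    $Events = Get-WinEvent -FilterHashtable $Filter -ComputerName $Computer -ErrorAction SilentlyContinue

    foreach ($e in $Events) {
        # Flatten the event's named Data fields into a hashtable
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # String comparison is case-insensitive in PowerShell, matching AD's behaviour
        if ($d['TargetUserName'] -ne $TargetUser) { continue }

        if ($e.Id -eq 4624) {
            $Reason  = ''
            $Verdict = 'AD accepted the logon: check the Morpheus Identity Source and Required Group'
        } else {
            $code    = "$($d['Status'])".ToLower()
            $Reason  = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { "Status $code" }
            $Verdict = 'AD rejected the logon: fix the AD account'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            IpAddress   = $d['IpAddress']
            LogonType   = $d['LogonType']
            Reason      = $Reason
            Verdict     = $Verdict
        }
    }
}
# Usage (constructed values): Test-AdLogonForUser -TargetUser 'morphuser' -Minutes 5 -Computer 'MYDC01'
```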