@f-bader
Created November 10, 2021 10:56
KB5008380 - Authentication updates (CVE-2021-42287)
<#
KB5008380 - Authentication updates (CVE-2021-42287)
This update introduces additional Event IDs to monitor.
Use this script to check every domain controller for those Event IDs.
#>
$EventIds = @{
    # https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    35 = "PAC without attributes"
    36 = "Ticket without a PAC"
    37 = "Ticket without Requestor"
    38 = "Requestor Mismatch"
}
# Writable DCs only; add ReadOnlyReplicaDirectoryServers if RODCs should be checked as well.
$DomainController = Get-ADDomain | Select-Object -ExpandProperty ReplicaDirectoryServers
foreach ($ComputerName in $DomainController) {
    # The KDC writes these events to the System log under the
    # Microsoft-Windows-Kerberos-Key-Distribution-Center provider, so filter on both.
    # SilentlyContinue: Get-WinEvent raises an error when no event matches.
    $Events = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param([int[]]$EventIds)
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = $EventIds
        }
    } -ArgumentList (,[int[]]$EventIds.Keys)
    foreach ($Event in $Events) {
        [PSCustomObject]@{
            ComputerName = $ComputerName
            TimeCreated  = $Event.TimeCreated
            Id           = $Event.Id
            EventGroup   = $EventIds[$Event.Id]
            Reason       = $Event.Message
        }
    }
}

obelhassane commented Mar 3, 2022

Hello Bader,
Thanks for this script, it helped me a lot to analyse the KB.

However, I found it difficult to analyze the Event 37 entries. In fact, as the message in the Event 37 entries contains very interesting information that should be isolated into other fields, it was very difficult for me to analyse the data as it's extracted.

So for me it's important to split the variable $Event.Message to extract the KDC, Client and Ticket values (present at the end of the event message after the line "for more information").
Could you please modify your script to add specific processing for Event 37?

Here is what an Event 37 looks like (See the Message part):
Date : 22/11/2021 01:33:00
Id : 37
Group : Ticket without requester
Message : The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket when processing a request for another ticket. This prevented security checks from being performed and could lead to security breaches. See https://go.microsoft.com/fwlink/?linkid=2173051 for more information.

        Ticket PAC built by: XXXX19CDXX
        Client: WXXXXXXW\\XXXXXX
        Ticket for: XXXXXX 

Thanks
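The field extraction asked for in the comment above, and the way it would slot into the gist's collection loop, as an added example that is not part of the gist or of any reply: a PowerShell function that pulls the trailing "Ticket PAC built by", "Client" and "Ticket for" lines out of an Event 37 message, a second function that builds the same flat row the gist emits with those three fields added, and a run against a constructed Event 37 message (DC01, CONTOSO\jdoe and the service name are placeholders, not data from the page). The function and property names are my own; the doubled backslash in the pasted Client value above is most likely markdown escaping of a single one, and the regex copes with either.

```powershell
# Added example (not from the gist): split an Event 37 message into its trailing
# "label: value" lines. Function and property names are my own choice.
function ConvertFrom-KdcEvent37Message {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # One anchored, multi-line regex per field. Matching on the label rather than on
        # line position keeps this working if the boilerplate text above the labels changes.
        # Lazy '.+?' followed by '\s*$' drops trailing whitespace (and a CR before the LF).
        $patterns = [ordered]@{
            TicketPacBuiltBy = '(?m)^\s*Ticket PAC built by:\s*(?<v>.+?)\s*$'
            Client           = '(?m)^\s*Client:\s*(?<v>.+?)\s*$'
            TicketFor        = '(?m)^\s*Ticket for:\s*(?<v>.+?)\s*$'
        }
        $result = [ordered]@{}
        foreach ($name in $patterns.Keys) {
            $m = [regex]::Match($Message, $patterns[$name])
            # $null instead of an error: events 35/36/38 come from the same provider
            # but do not carry these lines.
            $result[$name] = if ($m.Success) { $m.Groups['v'].Value } else { $null }
        }
        [PSCustomObject]$result
    }
}

# Turn one KDC event record into the flat row the gist emits, plus the Event 37 fields.
# Works on anything exposing Id, TimeCreated and Message (a real EventLogRecord or a stub).
function ConvertTo-KdcEventRow {
    param(
        [Parameter(Mandatory)] $Event,
        [Parameter(Mandatory)] [hashtable]$EventGroups
    )
    $row = [ordered]@{
        TimeCreated      = $Event.TimeCreated
        Id               = $Event.Id
        EventGroup       = $EventGroups[[int]$Event.Id]
        Reason           = $Event.Message
        TicketPacBuiltBy = $null
        Client           = $null
        TicketFor        = $null
    }
    if ($Event.Id -eq 37) {
        $parsed = ConvertFrom-KdcEvent37Message -Message $Event.Message
        $row.TicketPacBuiltBy = $parsed.TicketPacBuiltBy
        $row.Client           = $parsed.Client
        $row.TicketFor        = $parsed.TicketFor
    }
    [PSCustomObject]$row
}

# --- demonstration on constructed input (placeholder names, not real hosts or accounts) ---
$EventGroups = @{
    35 = "PAC without attributes"; 36 = "Ticket without a PAC"
    37 = "Ticket without Requestor"; 38 = "Requestor Mismatch"
}

# Shaped like the Event 37 message quoted in the comment, including the trailing space.
$sample37 = @"
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket when processing a request for another ticket. This prevented security checks from being performed and could lead to security breaches. See https://go.microsoft.com/fwlink/?linkid=2173051 for more information.

        Ticket PAC built by: DC01
        Client: CONTOSO\jdoe
        Ticket for: cifs/fs01.contoso.local 
"@

$fakeEvents = @(
    [PSCustomObject]@{ Id = 37; TimeCreated = (Get-Date); Message = $sample37 }
    [PSCustomObject]@{ Id = 36; TimeCreated = (Get-Date); Message = 'Ticket without a PAC: no label lines in this one' }
)

$fakeEvents |
    ForEach-Object { ConvertTo-KdcEventRow -Event $_ -EventGroups $EventGroups } |
    Format-Table Id, EventGroup, TicketPacBuiltBy, Client, TicketFor -AutoSize
```

To use it with the gist, define both functions at the top of the script and replace the inner `[PSCustomObject]@{ ... }` in the `foreach ($Event in $Events)` loop with `ConvertTo-KdcEventRow -Event $Event -EventGroups $EventIds`; the other three event IDs keep flowing through with the new columns left empty. If the rendered message text is ever localized on a DC, the same three values should also be available as the event's insertion strings via `$Event.Properties` (an assumption about the event definition, not something the page states), which avoids the regex entirely.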
