Created
November 10, 2021 10:37
-
-
Save f-bader/25b1441e2d2f5ce7a4f27efb0c6da62e to your computer and use it in GitHub Desktop.
KB5008383 introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| KB5008383 - Active Directory permissions updates (CVE-2021-42291) | |
| This update introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment | |
| The use of PowerShell Remoting makes it faster and better suiteable for restricted firewall setups | |
| #> | |
| $EventIds = @{ | |
| # https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 | |
| # Events that occur when an LDAP Add operation is denied. | |
| 3044 = "Enforcement Mode - LDAP Add failures" | |
| 3045 = "Enforcement Mode - LDAP Add failures" | |
| # Events that occur when an LDAP Modify operation is denied. | |
| 3046 = "Enforcement Mode - LDAP Modify failures" | |
| # Events that occur in Audit mode to log potential security concerns with an LDAP Add or Modify operation. | |
| 3047 = "Audit Mode - Missing write permission" | |
| 3048 = "Audit Mode - nTSecurityDescriptor" | |
| 3049 = "Audit Mode - nTSecurityDescriptor" | |
| 3056 = "Audit Mode - sdRightsEffective returned WRITE_DAC" | |
| # Events that occur when bit 27 of the dSHeuristics attribute is changed, which changes the mode of the Additional AuthZ verifications for the LDAP Add operations portion of the update. | |
| 3050 = "Mode Change Events – Additional AuthZ verification for LDAP Add operations" | |
| 3051 = "Mode Change Events – Additional AuthZ verification for LDAP Add operations" | |
| 3052 = "Mode Change Events – Additional AuthZ verification for LDAP Add operations" | |
| # Events that occur when bit 28 of the dSHeuristics attribute is changed, which changes the mode of the temporary removal of Implicit Owner rights portion of the update. | |
| 3053 = "Mode Change Events – temporary removal of Implicit Owner rights" | |
| 3054 = "Mode Change Events – temporary removal of Implicit Owner rights" | |
| 3055 = "Mode Change Events – temporary removal of Implicit Owner rights" | |
| } | |
| $DomainController = Get-ADDomain | Select-Object -ExpandProperty ReplicaDirectoryServers | |
| foreach ($ComputerName in $DomainController) { | |
| $Events = Invoke-Command -ComputerName $ComputerName -ScriptBlock { param([string[]]$EventIds) $EventIds | Out-Null ; Get-WinEvent -EA 0 -FilterHashtable @{logname = 'Directory Service'; id = $EventIds } } -ArgumentList (,$EventIds.Keys) | |
| foreach ($Event in $Events) { | |
| [PSCustomObject]@{ | |
| TimeCreated = $Event.TimeCreated | |
| Id = $Event.Id | |
| EventGroup = $EventIds[$Event.Id] | |
| Reason = $Event.Message | |
| } | |
| } | |
| } |
@rayleiva08 of course, just store the output in a variable and then export it
$ExportData = foreach ($ComputerName in $DomainController) {
...
}
$ExportData | Export-Csv -Path .\MyFile.csv
@f-bader thank you that worked. is there a way to add the DC names to the report?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is great. Thank you for sharing. Any way that I can export the output to a CSV file?