Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Detection for exploitation and old TGT usage
<#
CVE-2021-42287 - Authentication updates
CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes
This updates introduced additional Event Ids to monitor.
Use this script to check every domain controller for those eventIds
#>
$EventIds = @{
35 = "PAC without attributes"
36 = "Ticket without a PAC"
37 = "Ticket without Requestor"
38 = "Requestor Mismatch"
16990 = "Object class and UserAccountControl validation failure"
16991 = "SAM Account Name validation failure"
}
$DomainController = Get-ADDomain | Select-Object -ExpandProperty ReplicaDirectoryServers
foreach ($ComputerName in $DomainController) {
$Events = Invoke-Command -ComputerName $ComputerName -ScriptBlock { param([string[]]$EventIds) $EventIds | Out-Null ; Get-WinEvent -EA 0 -FilterHashtable @{LogName = 'System'; id = $EventIds } | Where-Object { $_.ProviderName -in @('Microsoft-Windows-Kerberos-Key-Distribution-Center', 'Microsoft-Windows-Directory-Services-SAM') } } -ArgumentList (, $EventIds.Keys)
foreach ($Event in $Events) {
[PSCustomObject]@{
TimeCreated = $Event.TimeCreated
Id = $Event.Id
EventGroup = $EventIds[$Event.Id]
Reason = $Event.Message
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment