Detect possible Ruler usage on Exchange and Domain Controller

# Event 4776 (NTLM credential validation) is logged on the domain controller,
# or on the Exchange server for local accounts. Ruler presents the string
# "RULER" as its workstation name, so the rendered message is searched for it.
Get-EventLog -InstanceId 4776 -LogName "Security" | ForEach-Object {
    $sp  = $_.Message -split "`n"
    $tmp = $sp | Select-String -Pattern 'RULER'
    if ($tmp.Count -ge 1) {
        Write-Host "Possible Ruler usage at: " $_.TimeGenerated
        # Print the account whose credentials were validated.
        $sp | Select-String -Pattern 'Logon Account:' | Write-Host
    }
}

# Event 4624 (successful logon) carries the same workstation name; print the
# "New Logon:" block (the three lines after it hold the account details).
Get-EventLog -InstanceId 4624 -LogName "Security" | ForEach-Object {
    $sp  = $_.Message -split "`n"
    $tmp = $sp | Select-String -Pattern 'RULER'
    if ($tmp.Count -ge 1) {
        Write-Host "Possible Ruler usage at: " $_.TimeGenerated
        $sp | Select-String -Pattern 'New Logon:' -Context 0,3 | Write-Host
    }
}
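The same detection rebuilt on Get-WinEvent with structured field extraction, as an added example that is not part of the gist: instead of a substring match over the rendered message it reads the Workstation / WorkstationName event-data fields directly and emits objects that can be piped to Export-Csv or a SIEM forwarder. The ComputerName and StartTime parameters and the exact-match on "RULER" (stricter than the gist's substring match; relax to -like 'RULER*' if needed) are assumptions of this example.

```powershell
# Added example, not the gist's code: Ruler heuristic over 4776/4624 using
# Get-WinEvent and the structured EventData fields rather than message text.
param(
    [string]$ComputerName = $env:COMPUTERNAME,       # assumption: local host by default
    [datetime]$StartTime  = (Get-Date).AddDays(-7)    # assumption: last 7 days
)

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4776, 4624
    StartTime = $StartTime
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        switch ($_.Id) {
            4776 {   # NTLM credential validation: workstation name is in "Workstation"
                $ws   = Get-EventDataField $xml 'Workstation'
                $user = Get-EventDataField $xml 'TargetUserName'
                $src  = $null
            }
            4624 {   # successful logon: workstation name is in "WorkstationName"
                $ws   = Get-EventDataField $xml 'WorkstationName'
                $user = Get-EventDataField $xml 'TargetUserName'
                $src  = Get-EventDataField $xml 'IpAddress'
            }
        }
        # Exact match on the workstation name Ruler presents; avoids hits on
        # legitimate hostnames that merely contain the substring.
        if ($ws -eq 'RULER') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Account     = $user
                Workstation = $ws
                SourceIp    = $src
                Computer    = $_.MachineName
            }
        }
    }
```

Run it on the domain controller and on the Exchange server; a 4776 hit on the DC together with a 4624 hit on Exchange for the same account and time window is the pattern worth triaging.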
@nengkya

nengkya commented Jun 9, 2017

What's this, Sir?
