@technion
Last active August 16, 2020 23:30
Search domain controllers for events relating to Netlogon vulnerability
# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Set-StrictMode -Version 2
Import-Module ActiveDirectory

# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"

# Netlogon events in the System log:
#   5827, 5828 - vulnerable connection denied (machine / trust account)
#   5829       - vulnerable connection allowed
#   5830, 5831 - vulnerable connection allowed by group policy (machine / trust account)
foreach ($dc in $controllers) {
    # Errors are ignored so as not to throw an exception if there are no such logs found.
    # This also hides connection failures, so an unreachable DC returns nothing as well.
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
}

# Enable enforcement mode: reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v FullSecureChannelProtection /t REG_DWORD /d 1 /f