Need help with a PowerShell script....

Greetings Experts,

Could somebody take a look at the script below? For some reason, when I set up a Scheduled Task and run it every 15 min (like the script indicates) it fails to send out the email alert. Can somebody take a look and see if there may be something wrong with it? The basis of the script is to look at Event Viewer > Security for attempted login events "4625" & "4624" by the name "adagraig". If so, then it will send an email alert... and there is my problem: for some reason it does not want to send the alert. Can somebody take a look and see if there is something wrong?

Note: I did verify with another script that the "smtpserver and email address" variables are correct.



# Created by Justin Henderson
# Last updated on 5/7/2015
#
# Set this to "Security" if being run locally
# Set this to "Forwarded Events" if being used on a Windows Event Collector (Event Forwarding)
$EventLog = "Security"
# Set this to the recurring time frame of how often this script gets run
# Example: if you run this every 15 minutes set it to 15
$Minutes = 15

$date = (Get-Date).AddMinutes(-($Minutes))
# -and binds tighter than -or, so this reads as (4625 AND host AND user) OR (4624 AND host AND user)
$logs = Get-EventLog $EventLog -After $date | Where-Object {
    ($_.EventId -eq 4625 -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig") -or
    ($_.EventId -eq 4624 -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig")
}
# Wrap in @(): on PowerShell 2.0 a single matching entry has no .Count property and $count would be $null
$count = @($logs).Count

# Note: -gt 1 means a lone matching event does not alert; use -gt 0 to alert on any hit
if ($count -gt 1){
    Write-Host "Sending email"
    $EmailFrom = "user@Domain.com"
    $EmailTo = "user@Domain.com"
    $Subject = "HoneyToken Used"
    $Body = "The MimikatzHoneyToken has been used. Please investigate immediately.  See below for more details."
    $Body += ($logs | ForEach-Object { $_.Message }) -join "`n`n"
    $SMTPServer = "relay.Domain.com"
    $SMTPClient = New-Object System.Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPClient.EnableSsl = $true
    # Placeholder credentials; a real deployment should not keep a plaintext password in the script
    $SMTPClient.Credentials = New-Object System.Net.NetworkCredential("Username", "Password")
    $SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)
}


MikeSecurity asked:
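As an added example (not code from the original post or from any of the answers), here is a version of the detection that matches the honeytoken account and host exactly, using the event's XML data rather than a regex over the rendered Message, and that filters on event ID and time inside Get-WinEvent instead of pulling every entry through Where-Object. It runs against a few constructed sample events so the filter can be exercised without touching a real Security log. The account name and host name are the ones from the question; the function names and sample events are assumptions.

```powershell
# Added example, not from the original post. Assumes honeytoken account 'adagraig' and
# host 'WIN-IJTABGG5ILK' (both from the question); function names are illustrative.

# $true when an event (as the XML that EventLogRecord.ToXml() produces) is a 4624/4625
# whose TargetUserName is exactly the honeytoken account and, if given, whose Computer matches.
function Test-HoneyTokenEvent {
    param(
        [Parameter(Mandatory=$true)][xml]$EventXml,
        [Parameter(Mandatory=$true)][string]$TargetUser,
        [string]$Computer
    )
    # Windows event XML sits in a default namespace, so XPath needs a prefix for it
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id   = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    $comp = $EventXml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
    $user = $EventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='TargetUserName']", $ns)

    if ($id -ne 4624 -and $id -ne 4625) { return $false }
    if ($null -eq $user) { return $false }
    # -ne on strings is case-insensitive, which suits Windows account names; an exact comparison
    # avoids the regex 'adagraig' also matching names such as 'adagraig-admin'
    if ($user.InnerText -ne $TargetUser) { return $false }
    if ($Computer -and $comp -ne $Computer) { return $false }
    return $true
}

# Live query for the last $Minutes minutes (this is what the scheduled task would call)
function Get-HoneyTokenEvents {
    param([int]$Minutes = 15, [string]$TargetUser = 'adagraig', [string]$Computer, [string]$LogName = 'Security')
    $filter = @{ LogName = $LogName; Id = 4624, 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent raises "No events were found" when nothing matches; treat that as zero hits
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { Test-HoneyTokenEvent -EventXml ([xml]$_.ToXml()) -TargetUser $TargetUser -Computer $Computer }
}

# --- Constructed sample events (trimmed to the fields the filter reads) for an offline check ---
function New-SampleEvent {
    param([int]$Id, [string]$Computer, [string]$TargetUser)
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="TargetUserName">$TargetUser</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
"@
}

$samples = @(
    New-SampleEvent -Id 4625 -Computer 'WIN-IJTABGG5ILK' -TargetUser 'adagraig'        # hit: failed logon
    New-SampleEvent -Id 4624 -Computer 'WIN-IJTABGG5ILK' -TargetUser 'Administrator'   # wrong account
    New-SampleEvent -Id 4624 -Computer 'WIN-IJTABGG5ILK' -TargetUser 'adagraig-admin'  # regex would match, exact does not
    New-SampleEvent -Id 4672 -Computer 'WIN-IJTABGG5ILK' -TargetUser 'adagraig'        # wrong event ID
)
$hits = @($samples | Where-Object { Test-HoneyTokenEvent -EventXml $_ -TargetUser 'adagraig' -Computer 'WIN-IJTABGG5ILK' })

# Exactly one of the four samples (the 4625) should survive. Alert on any hit, not only when the count exceeds one.
if ($hits.Count -gt 0) { Write-Host "HoneyToken used: $($hits.Count) matching event(s)" }
```

To use it from the scheduled task, replace the Get-EventLog line in the original script with `$logs = @(Get-HoneyTokenEvents -Minutes $Minutes -Computer 'WIN-IJTABGG5ILK')` and test `$logs.Count -gt 0`. Reading the Security log still needs an elevated session or a task that runs with highest privileges.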

zalazar commented:
I do not know if it's a typo, but at least the closing
}
is missing at the end of the script, which should be there to close the "if" statement.
zalazar commented:
I checked the event log check and this seems to work OK.
I also checked the mail part, and if I fill in the correct $EmailFrom, $EmailTo, $SMTPServer, "Username" and "Password" it works fine.

You probably already double-checked the hostname in the event log query.

To test, you might temporarily raise $Minutes to e.g. 1440.
In this way you would get all the events of a complete day.

Can you run the script from a PowerShell command prompt with administrative permissions?
Do you then see the output "Sending email" in the console?
MikeSecurity (Author) commented:
No, I don't see "Sending email" in the console... So what would that tell you? It's not finding the error codes in the Event Viewer?

Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
Try this:
# Created by Justin Henderson
# Last updated on 5/7/2015
#
# Set this to "Security" if being run locally
# Set this to "Forwarded Events" if being used on a Windows Event Collector (Event Forwarding)
$EventLog = "Security"
# Set this to the recurring time frame of how often this script gets run
# Example: if you run this every 15 minutes set it to 15
$Minutes = 15

$date = (Get-Date).AddMinutes(-($Minutes))
$logs = Get-EventLog $EventLog -After $date | Where-Object {$_.EventId -eq 4625 -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig" -or $_.EventId -eq 4624  -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig"}
# @() so that a single matching entry still has a .Count on PowerShell 2.0
$count = @($logs).Count

if ($count -gt 1)
{
    $username="FromUser@domain.com"
    $password="password"
    $credentials = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $username,($password | ConvertTo-SecureString)

    $Body = "The MimikatzHoneyToken has been used. Please investigate immediately.  See below for more details."
    $Body += ($logs | ForEach-Object { $_.Message }) -join "`n`n"

    # Splat the parameters into Send-MailMessage (built into PowerShell 2.0 and later)
    $param = @{
        SmtpServer = 'relay.Domain.com'
        Port = 587
        UseSsl = $true
        Credential  = $credentials
        From = $username
        To = 'user@Domain.com'
        Subject = 'HoneyToken Used'
        Body = $Body
    }
    Send-MailMessage @param
}

Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
Try it in the PS console. What is the output when you run the following, and what is $count?
$EventLog = "Security"
$Minutes = 15
$date = (Get-Date).AddMinutes(-($Minutes))
$logs = Get-EventLog $EventLog -After $date | Where-Object {$_.EventId -eq 4625 -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig" -or $_.EventId -eq 4624  -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig"}
$count = @($logs).Count
$count

zalazar commented:
Yes, that can be the case.
You might open the Security event log and look up an Event ID there.
Fill in this Event ID in the script and also replace "adagraig" with a word that is part of the event message.
Then run the script again.

Also make sure that you run PowerShell with "Run as administrator".
This is because the Security event log can normally only be read by Administrators.
This also means that you have to create the scheduled task with the option
"Run with highest privileges" enabled.
MikeSecurity (Author) commented:
I tried using the script you posted and it keeps prompting for the username and password... any ideas?
Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
# Created by Justin Henderson
# Last updated on 5/7/2015
#
# Set this to "Security" if being run locally
# Set this to "Forwarded Events" if being used on a Windows Event Collector (Event Forwarding)
$EventLog = "Security"
# Set this to the recurring time frame of how often this script gets run
# Example: if you run this every 15 minutes set it to 15
$Minutes = 15

$date = (Get-Date).AddMinutes(-($Minutes))
$logs = Get-EventLog $EventLog -After $date | Where-Object {$_.EventId -eq 4625 -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig" -or $_.EventId -eq 4624  -and $_.Message -match "WIN-IJTABGG5ILK" -and $_.Message -match "adagraig"}
$count = @($logs).Count

$username="FromUser@domain.com"
$password="password"

$credentials = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $username,($password | ConvertTo-SecureString)

if ($count -gt 1)
{
    $Body = "The MimikatzHoneyToken has been used. Please investigate immediately.  See below for more details."
    $Body += ($logs | ForEach-Object { $_.Message }) -join "`n`n"

    $param = @{
        SmtpServer = 'relay.Domain.com'
        Port = 587
        UseSsl = $true
        Credential  = $credentials
        From = $username
        To = 'user@Domain.com'
        Subject = 'HoneyToken Used'
        Body = $Body
    }
    Send-MailMessage @param
}


Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Raheman, all you did was move setting the credentials out of the "if count" block. This cannot make a difference at all.
The reason the script is prompting for credentials is that the credentials as provided are incomplete. You need to do more to provide a plain text password with the credentials.

However, amstoots, you should have seen that there is an error message pointing at the line setting the credentials (line 18 in the latest script). In PowerShell scripts (and many other languages) most of the time the first error message or prompt is the important one, not the last.
So that line should be:

$credentials = New-Object -TypeName System.Management.Automation.PSCredential($username,(ConvertTo-SecureString $password -Force -AsPlainText))

The -Port parameter requires PowerShell 3 or above, by the way.
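The corrected line above makes the prompt go away, but the relay password is still sitting in plaintext inside a script that the task runs with highest privileges. As an added example that is not part of the thread, here is one way to keep it out of the script on the box that runs the task: store the PSCredential once with Export-Clixml (the SecureString is protected with DPAPI, bound to the user and machine that wrote it) and read it back with Import-Clixml at run time. The file path and the function names are assumptions; the SMTP settings are the ones from the thread.

```powershell
# Added example, not from the thread. Path and function names are illustrative.
$CredPath = Join-Path $env:ProgramData 'HoneyToken\smtp.cred.xml'

# One-time setup. Run this interactively AS THE SAME ACCOUNT the scheduled task uses,
# because DPAPI ties the protected SecureString to that user on this machine.
function Save-SmtpCredential {
    param([Parameter(Mandatory=$true)][string]$Path)
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-Credential -Message 'SMTP relay account' | Export-Clixml -Path $Path

    # Tighten the ACL so only the writing account and Administrators can read the file
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the parent's entries
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($identity in @($me, 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Called from the alert script at run time
function Get-SmtpCredential {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        throw "Credential file '$Path' not found. Run Save-SmtpCredential as the task account first."
    }
    # Import-Clixml rebuilds the PSCredential; it fails if another user or machine tries to decrypt it
    Import-Clixml -Path $Path
}

# Replacement for the hard-coded $username / $password pair in the thread's script
function Send-HoneyTokenAlert {
    param([Parameter(Mandatory=$true)][string]$Body)
    $credentials = Get-SmtpCredential -Path $CredPath
    $param = @{
        SmtpServer = 'relay.Domain.com'
        Port       = 587
        UseSsl     = $true
        Credential = $credentials
        From       = $credentials.UserName
        To         = 'user@Domain.com'
        Subject    = 'HoneyToken Used'
        Body       = $Body
    }
    Send-MailMessage @param
}

# Usage:
#   Save-SmtpCredential -Path $CredPath          # once, interactively, as the task account
#   Send-HoneyTokenAlert -Body "The MimikatzHoneyToken has been used. Please investigate immediately."
```

If the task runs as SYSTEM, the setup step has to run as SYSTEM too (for example through a one-off scheduled task or PsExec -s), otherwise Import-Clixml cannot decrypt the file. This only protects the password at rest on that host; the relay account should still be a low-privilege, send-only mailbox so a compromise of the box does not hand over anything more.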
zalazar commented:
Did you already try what I suggested?
I have tested your original script and, as said before, it should work fine.
You should see the message "Sending email" when running the script.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
zalazar, with PS2 and above there is no need to use the SMTPClient class anymore. Of course it still works ;-).

amstoots, the better way is to use the event entry to trigger a mailing script directly. One way to accomplish that is by creating a filter view in Event Viewer and attaching a task to it.
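As an added example that is not part of the thread, here is the same thing done from PowerShell instead of by clicking through Event Viewer: the task's Subscription is the XPath query that "Attach Task To This Custom View" would write, so the alert fires seconds after the logon event instead of up to 15 minutes later. It needs the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt; the script path, task name and account name are placeholders.

```powershell
# Added example, not from the thread. Needs the ScheduledTasks module (Windows 8 / Server 2012 or later)
# and an elevated prompt. Script path, task name and account name are placeholders.
$ScriptPath = 'C:\Scripts\HoneyToken.ps1'
$TaskName   = 'HoneyToken-Alert'
$TargetUser = 'adagraig'

# The same XPath Event Viewer writes for a custom view: a 4624 or 4625 in the Security log whose
# TargetUserName is the honeytoken account. XPath string comparison is case-sensitive, so use the
# spelling the events actually carry.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and *[EventData[Data[@Name='TargetUserName']='$TargetUser']]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event-trigger variant, so build the CIM object directly
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger      = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# SYSTEM can read the Security log; RunLevel Highest is the "Run with highest privileges" checkbox
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Queue instances so a burst of failed logons does not run the script in parallel, and cap the run time
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the trigger took: this should echo the query above
(Get-ScheduledTask -TaskName $TaskName).Triggers[0].Subscription
```

The triggered script only learns that "an event fired", so the polling script from the thread can be reused as-is with $Minutes set to 1 or 2 to pick up the event that caused the run. On Server 2008 R2, where the ScheduledTasks module is not available, build the task once in Event Viewer's "Attach Task To This Custom View" and export it with schtasks /Query /XML, or register an equivalent XML with schtasks /Create /XML.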
zalazar commented:
Qlemo, thanks for this. I'm actually aware and agree that the Send-MailMessage cmdlet is the better way to do it.
I was just wondering why the original script was not getting into the code to send the e-mail.
MikeSecurity (Author) commented:
I used what you suggested, Qlemo, and was able to get the script to work... I replaced line 18 and was able to get alerts with no problem... thanks