David Sankovsky (Israel) asked:
Add Servers IP Address to pregenerated mail

Hi guys.
As part of a security audit I'm doing on our virtual environment, which was unfortunately badly maintained for a long time, I'm trying to write a script that will send a message when a user is locked out.
I got that part, and the mail is sent.
However, since the mail is sent based on a Windows security event, it gets all the fields from that event. One of the fields is the hostname, but as previously mentioned, the environment was very badly maintained for a long while and most servers don't have a reasonable hostname but rather the random auto-generated string that comes with a new OS.

I'm using the following script:
#--------------------------------------------------------------------------------- 
#The sample scripts are not supported under any Microsoft standard support 
#program or service. The sample scripts are provided AS IS without warranty  
#of any kind. Microsoft further disclaims all implied warranties including,  
#without limitation, any implied warranties of merchantability or of fitness for 
#a particular purpose. The entire risk arising out of the use or performance of  
#the sample scripts and documentation remains with you. In no event shall 
#Microsoft, its authors, or anyone else involved in the creation, production, or 
#delivery of the scripts be liable for any damages whatsoever (including, 
#without limitation, damages for loss of business profits, business interruption, 
#loss of business information, or other pecuniary loss) arising out of the use 
#of or inability to use the sample scripts or documentation, even if Microsoft 
#has been advised of the possibility of such damages 
#--------------------------------------------------------------------------------- 

Function Send-OSCLockOutUser
{
    param
    (
        [Parameter(Mandatory=$true,Position=0)]
        [String]$From,
        [Parameter(Mandatory=$true,Position=1)]
        [String[]]$To,
        [Parameter(Mandatory=$true,Position=2)]
        [String]$SMTPServer,
        [Parameter(Mandatory=$true,Position=3)]
        [String]$UserName,
        [Parameter(Mandatory=$true,Position=4)]
        [String]$PassWord
    )
    try
    {
        #Get the newest event 4740 (account lockout)
        $Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
        #Store the newest event's message and timestamp in the email body
        $EmailBody= $Event.Message + "`r`n`t" + $Event.TimeGenerated
        #Email subject
        $EmailSubj= "User Account locked out"
        #Create SMTP client
        $SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer)
        $SMTPClient.EnableSsl = $true
        #Set the credentials used to authenticate to the SMTP server
        $SMTPClient.Credentials = New-Object System.Net.NetworkCredential($UserName, $PassWord)
        #Create the mail message object
        $emailMessage = New-Object System.Net.Mail.MailMessage
        $emailMessage.From = "$From"
        Foreach($EmailTo in $To)
        {
            $emailMessage.To.Add($EmailTo)
        }
        $emailMessage.Subject = $EmailSubj
        $emailMessage.Body = $EmailBody
        #Send email
        $SMTPClient.Send($emailMessage)
    }
    catch
    {
        Write-Error $_
    }
}
Send-OSCLockOutUser -From *** -To *** -SMTPServer *** -UserName *** -PassWord ***



I'm looking to somehow have the system include the IP Address as well in the email body, the email subject or both.
Any ideas how might I achieve that goal?
David Sankovsky (asker):
I was actually able to solve it a bit before you posted the link. Thank you nonetheless.
I now have the following issue...
While my script does pull out all the IP addresses of the server, I need each one to be on a new line...
Any idea how to achieve that?
Edited script:
Function Send-OSCLockOutUser
{
    param
    (
        [Parameter(Mandatory=$true,Position=0)]
        [String]$From,
        [Parameter(Mandatory=$true,Position=1)]
        [String[]]$To,
        [Parameter(Mandatory=$true,Position=2)]
        [String]$SMTPServer,
        [Parameter(Mandatory=$true,Position=3)]
        [String]$UserName,
        [Parameter(Mandatory=$true,Position=4)]
        [String]$PassWord
    )
    try
    {
        #find returns one line per IPv4 address as a string array
        $AddrList= ipconfig /all | find "IPv4 Address"
        #Get the newest event 4740 (account lockout)
        $Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
        #Store the newest event's message, timestamp and address list in the email body
        #(concatenating a string with an array joins the array elements with a space, so all addresses end up on one line)
        $EmailBody= $Event.Message + "`r`n`t" + $Event.TimeGenerated +$AddrList
        #Email subject
        $EmailSubj= "User Account locked out"
        #Create SMTP client
        $SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer)
        $SMTPClient.EnableSsl = $true
        #Set the credentials used to authenticate to the SMTP server
        $SMTPClient.Credentials = New-Object System.Net.NetworkCredential($UserName, $PassWord)
        #Create the mail message object
        $emailMessage = New-Object System.Net.Mail.MailMessage
        $emailMessage.From = "$From"
        Foreach($EmailTo in $To)
        {
            $emailMessage.To.Add($EmailTo)
        }
        $emailMessage.Subject = $EmailSubj
        $emailMessage.Body = $EmailBody
        #Send email
        $SMTPClient.Send($emailMessage)
    }
    catch
    {
        Write-Error $_
    }
}
Send-OSCLockOutUser -From *** -To *** -SMTPServer *** -UserName *** -PassWord ***



And this is the result I get:
A user account was locked out.

Subject:
        Security ID:            S-1-5-18
        Account Name:           WIN-U76V9VEDI38$
        Account Domain:         WORKGROUP
        Logon ID:               0x3e7

Account That Was Locked Out:
        Security ID:            S-1-5-21-3676354584-2506537772-2119928301-1011
        Account Name:           tester

Additional Information:
        Caller Computer Name:   WIN-U76V9VEDI38
        12/04/2016 15:06:24   IPv4 Address. . . . . . . . . . . : 10.0.0.196(Preferred)     IPv4 Address. . . . . . . . . . . : 10.0.4.253(Preferred)     IPv4 Address. . . . . . . . . . . : 10.0.5.196(Preferred)     IPv4 Address. . . . . . . . . . . : 192.168.0.123(Preferred)     IPv4 Address. . . . . . . . . . . : 192.168.1.123(Preferred)     IPv4 Address. . . . . . . . . . . : 10.0.4.251(Preferred)     Autoconfiguration IPv4 Address. . : 169.254.129.32(Preferred)     IPv4 Address. . . . . . . . . . . : 10.0.4.222(Preferred)     IPv4 Address. . . . . . . . . . . : 194.213.4.171(Preferred)     IPv4 Address. . . . . . . . . . . : 194.213.4.196(Preferred)
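One way to get each address on its own line, added here as an example (it is not the asker's script or any answer on this page): `find` returns an array of lines, and concatenating an array to a string joins the elements with a space, so the array has to be joined with CRLF explicitly. The helper names Get-LocalIPv4Lines and New-LockoutMailBody, and the body layout, are my own assumptions.

```powershell
# Added example: collect the host's IPv4 addresses one per line for the lockout mail.
# Get-LocalIPv4Lines is a hypothetical helper name, not part of the asker's script.
Function Get-LocalIPv4Lines
{
    param([switch]$IncludeLinkLocal)   # 169.254.x.x autoconfiguration addresses are dropped by default
    # Same source as the asker's script: the "IPv4 Address" lines of ipconfig /all
    $lines = ipconfig /all | Select-String -Pattern 'IPv4 Address'
    $addrs = foreach ($l in $lines) {
        # Keep only the dotted quad, drop the "(Preferred)" suffix
        if ($l.Line -match ':\s*(\d{1,3}(?:\.\d{1,3}){3})') {
            $ip = $Matches[1]
            if ($IncludeLinkLocal -or $ip -notlike '169.254.*') { $ip }
        }
    }
    # An array concatenated to a string ($str + $array) is joined with a space ($OFS);
    # -join with CRLF is what puts every address on its own line in the mail body.
    return (@($addrs) -join "`r`n")
}

# Build the body the way the asker's script does, with the address block appended.
Function New-LockoutMailBody
{
    param([Parameter(Mandatory=$true)]$Event)
    $parts = @(
        $Event.Message
        "Event time:     " + $Event.TimeGenerated
        "Reporting host: " + $env:COMPUTERNAME
        "Reporting host IPv4 addresses:"
        Get-LocalIPv4Lines
    )
    return ($parts -join "`r`n")
}

# Usage: same event query as the original script, then hand the event to the body builder.
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
if ($Event) {
    $EmailBody = New-LockoutMailBody -Event $Event
    # A hostname-independent subject: first address of the reporting host
    $FirstIp   = ((Get-LocalIPv4Lines) -split "`r`n")[0]
    $EmailSubj = "User Account locked out (reported by $FirstIp)"
    Write-Output $EmailSubj
    Write-Output $EmailBody
}
```

$EmailSubj and $EmailBody drop straight into the MailMessage part of the original function.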
McKnife, the referred script just does almost the same as the original one. There is some talk about checking the user, but no related code; it just sends out the event content. Maybe that is the wrong link?
ASKER CERTIFIED SOLUTION by Qlemo (Germany)
This solution is only available to members.
Since you seem to have resolved it: depending on your environment, you currently scan event logs after the fact; there is a consideration for proactive notification, including failed logins, directly from the system on which a login/access is attempted.
The combination of enabling SNMP, an snmptrapd server (receiver) on Linux/UNIX which will do the notification, and evntwin/evntcmd to configure each system for the notification events, along with a GPO that sets the SNMP parameters...


The snmptrap receiver/processor will convert the received event into the notification.
@Qlemo
The event content holds the IPs.
Not from what I have seen as example dumps of that event log entry. But I don't have any real-live one.
And if it were contained, the OP didn't have to ask for it.
Build up a test domain, see for yourself. We use that script, the IPs are there.
The issue could be which system the security event is from: a DC will report the workstation name and IP. The workstation's security event might not, such that you will have two entries, one from the DC saying workstationA/IP1 sent an auth request that failed for usera. The workstationA security event will not include its own IP in the message, i.e. in the top four lines workstationA eventID usera logon failed.

The lockout is a single event on one of the DCs that received the last failed attempt.

IMHO proactively catching the failed logon attempts with type (this will distinguish the type of access being sought: network, network resource etc., which will be simpler to troubleshoot).
When a user changes their password, they may have saved credentials or use external devices where their password is saved, and that leads to the lockout. Resuming a prior TS/RDP session which used the old password ......

This could also be used to identify auth/brute force attacks by setting thresholds: so many requests from the same source with differing username/credentials/...
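The per-source thresholding just suggested, written out as an added example (not code from this thread or any of its participants): it groups the failed-logon events (4625) of the last N minutes by Source Network Address and reports sources that exceed a threshold, with the number of distinct user names, which separates a stale saved credential (one user, one source) from a spray across accounts. Get-FailedLogonSources and the default window/threshold values are my own assumptions.

```powershell
# Added example: per-source thresholding of failed logons (event 4625).
# Get-FailedLogonSources is a hypothetical name; the defaults are constructed values.
Function Get-FailedLogonSources
{
    param(
        [int]$Minutes   = 15,   # look-back window
        [int]$Threshold = 10    # failures from one source address before it is reported
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    # No events in the window makes Get-WinEvent raise an error; treat that as an empty result instead
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $msg = $e.Message
        # Source Network Address is the client's IP as seen by the system that rejected the logon;
        # "-" is what the event carries for a local (console/service) attempt with no network source.
        $src = if ($msg -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '-' }
        # The failing account is in the "Account For Which Logon Failed" block, not the "Subject" block
        $usr = if ($msg -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] } else { '-' }
        # Logon Type (2 interactive, 3 network, 10 remote interactive, ...) tells which kind of access was sought
        $typ = if ($msg -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { 0 }
        [pscustomobject]@{ Time = $e.TimeCreated; Source = $src; User = $usr; LogonType = $typ }
    }
    # Many failures from one source spread over several user names is the spray / brute-force shape;
    # repeated failures for one user from one source usually point to a saved old password.
    $rows | Group-Object -Property Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique).Count
            LogonTypes    = (@($_.Group | Select-Object -ExpandProperty LogonType | Sort-Object -Unique) -join ',')
            FirstSeen     = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            LastSeen      = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
}

# Usage: run on the DC (or on the host that rejected the logons) from an elevated prompt,
# since reading the Security log needs administrative or "Event Log Readers" rights.
Get-FailedLogonSources -Minutes 30 -Threshold 5 | Format-Table -AutoSize
```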
That did the trick perfectly. Thank you very much!
I guess I incorrectly assumed that you were about to run this in a domain. Because on a domain controller, the script we use does exactly what you want.