1+ # Mr.Un1k0d3r RingZer0 Team
2+
13function Search-EventForUser {
2- # Mr.Un1k0d3r - RingZer0 Team 2016
3- # Search for a user through the events
4-
4+
55 param (
66 [Parameter (Mandatory = $True , ValueFromPipeline = $true )]
77 [string ]$TargetUser ,
@@ -10,6 +10,8 @@ function Search-EventForUser {
1010 [Parameter (Mandatory = $False )]
1111 [switch ]$FindDC = $False ,
1212 [Parameter (Mandatory = $False )]
13+ [switch ]$FullMessage = $False ,
14+ [Parameter (Mandatory = $False )]
1315 [string ]$Username ,
1416 [Parameter (Mandatory = $False )]
1517 [string ]$Password
@@ -25,7 +27,7 @@ function Search-EventForUser {
2527 PROCESS {
2628 [System.Collections.ArrayList ]$dcs = @ ()
2729 if ($FindDC ) {
28- Write-Output " [+] Enumrating all the DCs"
30+ Write-Output " [+] Enumerating all the DCs"
2931 ForEach ($dc in [DirectoryServices.ActiveDirectory.Domain ]::GetCurrentDomain().DomainControllers) {
3032 Write-Output " [+] DC found: $ ( $dc.Name ) "
3133 $dcs.Add ($dc.Name ) | Out-Null
@@ -48,13 +50,18 @@ function Search-EventForUser {
4850 if ($data ) {
4951 ForEach ($entry in $data ) {
5052 Write-Output " `n [+] Event found"
51- ForEach ($Line in $entry.Message.Split (" `n " )) {
52- $Line | Select-String - Pattern " Account Name:"
53- $Line | Select-String - Pattern " Account Domain:"
54- $Line | Select-String - Pattern " Security ID:"
55- $Line | Select-String - Pattern " Source Network Address:"
56- $Line | Select-String - Pattern " Workstation Name:"
57- $Line | Select-String - Pattern " Process Name:"
53+
54+ If ($FullMessage ) {
55+ Write-Output $entry.Message
56+ } Else {
57+ ForEach ($Line in $entry.Message.Split (" `n " )) {
58+ $Line | Select-String - Pattern " Account Name:"
59+ $Line | Select-String - Pattern " Account Domain:"
60+ $Line | Select-String - Pattern " Security ID:"
61+ $Line | Select-String - Pattern " Source Network Address:"
62+ $Line | Select-String - Pattern " Workstation Name:"
63+ $Line | Select-String - Pattern " Process Name:"
64+ }
5865 }
5966 }
6067 } else {