-
Notifications
You must be signed in to change notification settings - Fork 55
/
QueryDC.cs
77 lines (65 loc) · 2.38 KB
/
QueryDC.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security;
namespace SharpSniper
{
class QueryDC
{
public static string QueryRemoteComputer(string username, string domain,
string dc, string dauser = "", string dapass = "")
{
bool credentialed = true;
if (dauser == string.Empty && dapass == string.Empty)
credentialed = false;
string queryString =
"*[System[(EventID=4624)] and " +
"EventData[Data[@Name='TargetUserName']='" +
username + "']]"; // XPATH Query
EventLogSession session;
if (credentialed)
{
SecureString pw = GetPassword(dapass);
session = new EventLogSession
(
dc, // Remote Computer
domain, // Domain
dauser, // Username
pw,
SessionAuthentication.Default
);
pw.Dispose();
}
else
{
session = new EventLogSession(dc); // Remote Computer
}
// Query the Application log on the remote computer.
EventLogQuery query = new EventLogQuery("Security", PathType.LogName,
queryString);
query.Session = session;
EventLogReader reader = new EventLogReader(query);
EventRecord eventRecord;
string result = String.Empty;
while ((eventRecord = reader.ReadEvent()) != null)
{
result = eventRecord.FormatDescription();
}
// Display event info
return result;
}
public static SecureString CreateSecureString(string inputString)
{
SecureString secureString = new SecureString();
foreach (Char character in inputString)
{
secureString.AppendChar(character);
}
return secureString;
}
public static SecureString GetPassword(string highpass)
{
SecureString pw_bef = CreateSecureString(highpass);
return pw_bef;
}
}
}