Today a client noticed several thousand failed logon attempts on their Terminal Server:
Failure Information:
    Failure Reason:         Unknown user name or bad password.
    Status:                 0xc000006d
    Sub Status:             0xc0000064
Process Information:
    Caller Process ID:      0x5f8
    Caller Process Name:    C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name:       SERVER01
    Source Network Address: 124.166.240.111
    Source Port:            56272
Detailed Authentication Information:
    Logon Process:          User32
    Authentication Package: Negotiate
    Transited Services:     -
    Package Name (NTLM only): -
After filtering on Event ID 4625 in Event Viewer I found I couldn't export the Source Network Address, so I came up with this handy PowerShell script to export the IP to a CSV:
$DT = [DateTime]::Now.AddDays(-1)
$logName = '{0}{1}_security4625_log_{2}.csv' -f "c:\temp\", $DT.ToString("dd-MM-yyyy"), $env:ComputerName

# ReplacementStrings holds the 4625 EventData fields in order:
# [5] TargetUserName, [13] WorkstationName, [19] (-2) IpAddress, [20] (-1) IpPort
Get-EventLog -LogName 'Security' `
    -InstanceId 4625 `
    -After $DT |
  Select-Object @{ Name='TargetUserName';  Expression={ $_.ReplacementStrings[5] } },
                @{ Name='WorkstationName'; Expression={ $_.ReplacementStrings[13] -replace '\$$' } },
                @{ Name='IpAddress';       Expression={ $_.ReplacementStrings[-2] } },
                @{ Name='IpPort';          Expression={ $_.ReplacementStrings[-1] } } |
  Export-Csv -Path $logName -NoTypeInformation
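As an added example (not part of the original post), the same data can be pulled with Get-WinEvent and read from the event XML by field name, which avoids relying on ReplacementStrings positions, and then summarised per source address so the brute-forcing hosts stand out. The look-back window and the failure threshold are assumed values.

```powershell
# Added example: summarise Event 4625 by source address using named EventData fields.
# Assumes Windows PowerShell 5.1+ and read access to the Security log.
param(
    [int]$Hours     = 24,   # look-back window (assumed)
    [int]$Threshold = 50    # failures from one source treated as brute forcing (assumed)
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event into an object with the EventData fields we care about.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated     = $e.TimeCreated
        TargetUserName  = $data['TargetUserName']
        WorkstationName = $data['WorkstationName']
        IpAddress       = $data['IpAddress']
        IpPort          = $data['IpPort']
        SubStatus       = $data['SubStatus']   # 0xC0000064 = no such user, 0xC000006A = bad password
        LogonType       = $data['LogonType']
    }
}

# Failures per source address, most active first, with the account names tried.
$bySource = $rows | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object @{ Name='IpAddress'; Expression={ $_.Name } },
                  Count,
                  @{ Name='Accounts';  Expression={ ($_.Group.TargetUserName | Sort-Object -Unique) -join ';' } }

$bySource | Format-Table -AutoSize

# Sources over the threshold are the ones to review for a firewall block or NLA enforcement.
$bySource | Where-Object Count -ge $Threshold |
    ForEach-Object { Write-Warning ("{0}: {1} failed logons since {2}" -f $_.IpAddress, $_.Count, $since) }
```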