From c583fd43116e7342e71bcef134c473d4d3006722 Mon Sep 17 00:00:00 2001
From: binnychan
Date: Mon, 29 Mar 2021 14:59:59 +0800
Subject: [PATCH 1/3] Update block-brute-force-windows-attack-attempts.ps1

---
 block-brute-force-windows-attack-attempts.ps1 | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/block-brute-force-windows-attack-attempts.ps1 b/block-brute-force-windows-attack-attempts.ps1
index ab276f2..d5e0d1d 100644
--- a/block-brute-force-windows-attack-attempts.ps1
+++ b/block-brute-force-windows-attack-attempts.ps1
@@ -1,6 +1,8 @@
 #Checks for IP addresses that used incorrect password more than 10 times
 #within 24 hours and blocks them using a firewall rule 'BlockAttackers'
 
+$logPath = '.\blocked.txt'
+
 #Check only last 24 hours
 $DT = [DateTime]::Now.AddHours(-24)
 
@@ -23,15 +25,21 @@ $arRemote = $ar.RemoteAddresses -split(',')
 $w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }
 
 #Add the new IPs to firewall rule
+$c = 0
 $w| %{
 if ($ar.RemoteAddresses -eq '*') {
- $ar.remoteaddresses = $_.Name
+ $ar.RemoteAddresses = $_.Name
 }else{
- $ar.remoteaddresses += ',' + $_.Name
+ $ar.RemoteAddresses += ',' + $_.Name
 }
+ $c += 1
 }
 
 #Write to logfile
-if ($w.length -gt 1) {
- $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
+$t = $arRemote.Length
+if ($c -gt 1) {
+ $w| %{(Get-Date).ToString() + ' ' + $_.Name >> $logPath}
+ $t += $c
 }
+
+(Get-Date).ToString() + ' Summary : ' + $c + '/' + $t + ' Added ' >> $logPath

From e83b4565dedbfe531411027c33b36e9544c4f972 Mon Sep 17 00:00:00 2001
From: binnychan
Date: Mon, 29 Mar 2021 15:28:19 +0800
Subject: [PATCH 2/3] Update block-brute-force-windows-attack-attempts.ps1

---
 block-brute-force-windows-attack-attempts.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block-brute-force-windows-attack-attempts.ps1 b/block-brute-force-windows-attack-attempts.ps1
index d5e0d1d..d4a28d0 100644
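Review bot: `$logPath = '.\blocked.txt'` is relative to the process working directory, not to the script, so when this runs from a scheduled task the log lands in whatever start-in directory the task happens to use (typically not the script folder) and is easy to lose or to leave where it was not meant to be readable. Anchoring it to the script location, `$logPath = Join-Path $PSScriptRoot 'blocked.txt'`, makes the file location deterministic. The rest of the script continues past this hunk.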
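Review bot: `$t = $arRemote.Length` is used as the total in the `Summary` line, but the `if ($ar.RemoteAddresses -eq '*')` branch in the same hunk shows the rule can hold the `*` placeholder instead of an address list, and in that case `$arRemote` is the one-element array `@('*')`, so the total is over-reported by one on the first run that populates the rule. `$t = if ($ar.RemoteAddresses -eq '*') { 0 } else { $arRemote.Length }` gives the intended count; the same total feeds the summary line kept by the second patch of this series (its `@@ -37,7 +37,7 @@` hunk). The `if ($c -gt 1)` guard also skips the per-address log line when exactly one address was added, which that second patch corrects.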
--- a/block-brute-force-windows-attack-attempts.ps1
+++ b/block-brute-force-windows-attack-attempts.ps1
@@ -37,7 +37,7 @@ $w| %{
 
 #Write to logfile
 $t = $arRemote.Length
-if ($c -gt 1) {
+if ($c -gt 0) {
 $w| %{(Get-Date).ToString() + ' ' + $_.Name >> $logPath}
 $t += $c
 }

From 4ce5b0ca706114969037f9eac366a50bead5cfd8 Mon Sep 17 00:00:00 2001
From: Binny Chan
Date: Fri, 28 Apr 2023 09:20:55 +0800
Subject: [PATCH 3/3] Update block-brute-force-windows-attack-attempts.ps1

Added suspected IP reporting

---
 block-brute-force-windows-attack-attempts.ps1 | 37 +++++++++++++------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/block-brute-force-windows-attack-attempts.ps1 b/block-brute-force-windows-attack-attempts.ps1
index d4a28d0..76334e7 100644
--- a/block-brute-force-windows-attack-attempts.ps1
+++ b/block-brute-force-windows-attack-attempts.ps1
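Review bot: `$c` is incremented on every iteration of the `$w| %{ … }` loop regardless of whether the `$ar.RemoteAddresses` assignment succeeded, so the `if ($c -gt 0)` gate changed here still logs every address as blocked even when the rule could not be updated (for example when `$ar` is empty because the 'BlockAttackers' rule does not exist). Incrementing only after a successful write, e.g. wrapping the assignment in `try { … } catch { return }` inside the loop body and placing `$c += 1` after it, keeps the log truthful about what was actually blocked. The `%{}` block that sets `$c` starts above this hunk.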
@@ -1,16 +1,21 @@
-#Checks for IP addresses that used incorrect password more than 10 times
-#within 24 hours and blocks them using a firewall rule 'BlockAttackers'
+#Checks for IP addresses that used incorrect password more than '$blockCount' times
+#within '$lastHour' hours and blocks them using a firewall rule 'BlockAttackers'
+#'BlockAttackers' required to create manually
 
 $logPath = '.\blocked.txt'
+$logContent = ''
+$blockCount = 3
+$eventDateTime = $(Get-Date -format yyyyMMdd`-HHmmss)
+$lastHour = 24
 
 #Check only last 24 hours
-$DT = [DateTime]::Now.AddHours(-24)
+$DT = [DateTime]::Now.AddHours(-$lastHour)
 
 #Select Ip addresses that has audit failure
-$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }
+$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}, TimeGenerated
 
-#Get ip adresses, that have more than 10 wrong logins
-$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name
+#Get ip adresses, that have more than $blockCount wrong logins
+$g = $l | group-object -property IpAddress | where {$_.Count -gt $blockCount}
 
 #Get firewall object
 $fw = New-Object -ComObject hnetcfg.fwpolicy2
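Review bot: `#Check only last 24 hours` is now stale next to `$DT = [DateTime]::Now.AddHours(-$lastHour)`; it should read `#Check only last $lastHour hours` so the comment cannot diverge from the new parameter. Lowering the threshold to `$blockCount = 3` makes the selection far more sensitive, and the only exclusion applied later in the file is `$_.Name.Length -gt 1`, so a handful of failed local or service logons whose 4625 IpAddress field carries a loopback or host address could end up in the block rule; an explicit allow-list of local and management addresses checked before blocking is the usual safeguard. `Get-EventLog` exists only in Windows PowerShell 5.1, so if this script is ever run under PowerShell 7 the `$l` assignment needs porting to `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$DT}` (which exposes `Properties` rather than `ReplacementStrings`).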
@@ -22,24 +27,32 @@ $ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}
 $arRemote = $ar.RemoteAddresses -split(',')
 
 #Only collect IPs that aren't already in the firewall rule
+$w = @()
 $w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }
 
 #Add the new IPs to firewall rule
 $c = 0
-$w| %{
+$w | %{
 if ($ar.RemoteAddresses -eq '*') {
 $ar.RemoteAddresses = $_.Name
 }else{
 $ar.RemoteAddresses += ',' + $_.Name
 }
+ $logContent += $eventDateTime + ' ' + $_.Name + " as blocked " + $blockCount + " time(s) failed within " + $lastHour + " hour(s) @ " + $w.Group[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss") + "`r`n"
 $c += 1
 }
 
-#Write to logfile
-$t = $arRemote.Length
+#Report Summary
 if ($c -gt 0) {
- $w| %{(Get-Date).ToString() + ' ' + $_.Name >> $logPath}
- $t += $c
+ $logContent += $eventDateTime + ' Summary : ' + $c + '/' + $t + ' Added'
+}else{
+ $logContent += $eventDateTime + ' ' + $l[0].IpAddress + " as suspected @ " + $l[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss")
 }
 
-(Get-Date).ToString() + ' Summary : ' + $c + '/' + $t + ' Added ' >> $logPath
+#Write to eventlog when blocked
+if ($c -gt 0) {
+ Write-EventLog -LogName Application -Source "BlockRDP" -EntryType Information -EventId 0 -Category 0 -Message $logContent
 }
+
+#Write to logfile
+$logContent >> $logPath
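Review bot: `$t` is no longer assigned anywhere in this version — the hunk removes `$t = $arRemote.Length` but keeps `$t` in the `' Summary : ' + $c + '/' + $t + ' Added'` line — so the summary now reports an empty total. Inside the `%{}` block, `$w.Group[0].TimeGenerated` is evaluated against the whole `$w` collection rather than the current group, so every blocked address is stamped with the same first event, and `$blockCount` in that string logs the threshold where `$_.Count` would give the observed number of failures. The `else` branch calls `$l[0].TimeGenerated.ToString(...)` without checking that any 4625 events were returned, so a quiet window throws on a null-valued expression; the new `$w = @()` is also dead, since the next statement replaces it with the pipeline output (`$w = @($g | where { … })` is what keeps it an array). `Write-EventLog -Source "BlockRDP"` fails unless that source was registered with `New-EventLog -LogName Application -Source BlockRDP`, which belongs in the header comment next to the note about creating 'BlockAttackers' manually. The rewritten lines below address the first three points.
```powershell
$w = @($g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') })
# … unchanged: $c = 0 and the firewall RemoteAddresses update inside $w | %{ … } …
    $logContent += $eventDateTime + ' ' + $_.Name + " as blocked " + $_.Count + " time(s) failed within " + $lastHour + " hour(s) @ " + $_.Group[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss") + "`r`n"
    $c += 1
}

#Report Summary
$t = $arRemote.Length + $c
if ($c -gt 0) {
    $logContent += $eventDateTime + ' Summary : ' + $c + '/' + $t + ' Added'
}elseif ($l) {
    $logContent += $eventDateTime + ' ' + $l[0].IpAddress + " as suspected @ " + $l[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss")
}
# … unchanged: event log write and file write …
```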