45 changes: 33 additions & 12 deletions block-brute-force-windows-attack-attempts.ps1
@@ -1,14 +1,21 @@
#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'
#Checks for IP addresses that used incorrect password more than '$blockCount' times
#within '$lastHour' hours and blocks them using a firewall rule 'BlockAttackers'
#'BlockAttackers' required to create manually

$logPath = '.\blocked.txt'
$logContent = ''
$blockCount = 3
$eventDateTime = $(Get-Date -format yyyyMMdd`-HHmmss)
$lastHour = 24

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)
$DT = [DateTime]::Now.AddHours(-$lastHour)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}, TimeGenerated

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name
#Get ip adresses, that have more than $blockCount wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt $blockCount}

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2
Expand All @@ -20,18 +27,32 @@ $ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = @()
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
$c = 0
$w | %{
if ($ar.RemoteAddresses -eq '*') {
$ar.remoteaddresses = $_.Name
$ar.RemoteAddresses = $_.Name
}else{
$ar.remoteaddresses += ',' + $_.Name
$ar.RemoteAddresses += ',' + $_.Name
}
$logContent += $eventDateTime + ' ' + $_.Name + " as blocked " + $blockCount + " time(s) failed within " + $lastHour + " hour(s) @ " + $w.Group[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss") + "`r`n"
$c += 1
}

#Write to logfile
if ($w.length -gt 1) {
$w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
#Report Summary
if ($c -gt 0) {
$logContent += $eventDateTime + ' Summary : ' + $c + '/' + $t + ' Added'
}else{
$logContent += $eventDateTime + ' ' + $l[0].IpAddress + " as suspected @ " + $l[0].TimeGenerated.ToString("yyyyMMdd`-HHmmss")
}

#Write to eventlog when blocked
if ($c -gt 0) {
Write-EventLog -LogName Application -Source "BlockRDP" -EntryType Information -EventId 0 -Category 0 -Message $logContent
}

#Write to logfile
$logContent >> $logPath
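Review bot: In the log line built inside the `$w | %{ ... }` loop, `$w.Group[0].TimeGenerated` reads the first event of the first group across the whole `$w` array rather than the current pipeline object, so every blocked address is logged with the same timestamp; it should be `$_.Group[0].TimeGenerated`, and `$_.Count` would report the real number of failures instead of echoing the `$blockCount` threshold (the `-gt` filter means the address failed at least `$blockCount + 1` times). The summary line concatenates `$t`, which is never assigned anywhere visible in this file, so the report reads like `3/ Added`; `$w.Count` is presumably what was meant. The `else` branch indexes `$l[0]` without checking that `Get-EventLog` returned any 4625 events, so a quiet window — the normal case on a healthy host — ends the run with a null-method error at `.TimeGenerated.ToString(...)` instead of a log entry; guard it with `if ($l) { ... }` and note that the "suspected" address it picks is simply the first failure in the window, which may be the `-` placeholder the `$_.Name.Length -gt 1` filter deliberately excludes elsewhere. `Write-EventLog -Source "BlockRDP"` also fails unless that source has been registered once (`New-EventLog -LogName Application -Source BlockRDP`), which the header comment should state next to the existing note that `BlockAttackers` must be created manually.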