Import-Module activedirectory

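# Setup for the connection logger: collects the forest's domain-controller
# addresses, defines the ports of interest and the sampling window, and makes
# sure the result file exists with its header row.
Write-Output "Förbereder...."

# Errors are suppressed script-wide. This also hides a failed AD query or a
# failed file write, so the checks below report the cases that would otherwise
# silently distort the result.
$ErrorActionPreference = "silentlycontinue"

# IPv4 address of every domain controller in every domain of the forest.
# Connections whose remote end is in this list are not logged later on.
$dclist = @(
    (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty ipv4address |
        Where-Object { $_ }
)

# With an empty list nothing is filtered out, so DC-to-DC traffic would be
# recorded as if it came from ordinary clients. Say so instead of staying quiet.
if ($dclist.Count -eq 0) {
    Write-Warning "Ingen domänkontrollant kunde hämtas från AD; anslutningar från andra domänkontrollanter kommer också att loggas."
}

# Local listener ports to watch for.
$ports2look4 = 445,135,389,636,3268,3269,88,53,123,464,137,139,138,9389

# Relative path: the file is created in, and appended to in, the current
# working directory of whoever runs the script.
$Resultfile = "currentconnections.csv"

# Number of minutes to keep logging.
$looptime = 3

# Number of seconds to pause between samples.
$sleeptime = 10

$TimeStart = Get-Date
$TimeEnd = $TimeStart.AddMinutes($looptime)

if (-not (Test-Path $Resultfile)) {
    # Create the file empty as UTF-8 first, then append the header row.
    Out-File $Resultfile -Encoding utf8
    Add-Content $Resultfile "LocalIP;PORT;RemoteIP;RemoteHostName;Service"
}

Write-Output "Letar efter anslutningar var $sleeptime sekund i $looptime minuter...."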

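# Sampling loop: every $sleeptime seconds, list the TCP connections in state
# ESTABLISHED or TIME_WAIT, keep those where a non-DC peer talks to one of the
# watched local ports, and append each new local/port/remote/name/service
# combination to $Resultfile. Stops once $TimeEnd has passed.

# Watched local port -> service label written to the result file.
$serviceNames = @{
    389  = "LDAP"
    135  = "RPC, EPM"
    636  = "LDAP SSL"
    3268 = "LDAP GC"
    3269 = "LDAP GC SSL"
    88   = "Kerberos"
    53   = "DNS"
    445  = "SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc"
    123  = "Windows Time"
    464  = "Kerberos change/set password"
    138  = "DFSN, NetLogon, NetBIOS Datagram Service"
    9389 = "AD DS Web Services, SOAP"
    137  = "NetLogon, NetBIOS Name Resolution"
    139  = "DFSN, NetBIOS Session Service, NetLogon"
}

# IPv4 "address:port" endpoint. IPv6 endpoints never produced a usable port
# with the previous colon split, so they were dropped; that is kept, but now
# explicitly.
# NOTE(review): $dclist holds IPv4 addresses only, so IPv6 support would need
# both the parsing here and the DC list extended together.
$endpointPattern = '^(?<ip>\d{1,3}(\.\d{1,3}){3}):(?<port>\d{1,5})$'

# Rows already in the result file, used for an exact (case-insensitive)
# duplicate check. The earlier check fed the row to Select-String as a regular
# expression, where "." matches any character and a row could match inside a
# longer one.
$knownRows = @{}
foreach ($existingRow in @(Get-Content $Resultfile)) {
    if ($existingRow) { $knownRows[$existingRow] = $true }
}

# Reverse-DNS results per remote IP, so a peer is looked up once per run
# instead of on every sample.
$nameCache = @{}

Do {
    # One netstat snapshot for both states. Appending a second Select-String
    # result with += failed whenever the first result was a single match object,
    # and the suppressed error then lost every TIME_WAIT row.
    # Only rows carrying a TCP state match here, so UDP-only traffic on watched
    # ports (123, 137, 138) is presumably never seen - confirm.
    $connections = @(netstat -n | Select-String -Pattern 'ESTABLISHED|TIME_WAIT')

    foreach ($connection in $connections) {
        # Expected columns after trimming: protocol, local, remote, state.
        $fields = $connection.Line.Trim() -split '\s+'
        if ($fields.Count -lt 4) { continue }

        if ($fields[1] -notmatch $endpointPattern) { continue }
        $LocalIP = $Matches['ip']
        $LocalPort = [int]$Matches['port']

        if ($fields[2] -notmatch $endpointPattern) { continue }
        $RemoteIP = $Matches['ip']
        # Unused by the filter below; test $RemotePort instead of $LocalPort
        # there to look at connections this host opened to those ports.
        $RemotePort = [int]$Matches['port']

        # Skip loopback, traffic from other domain controllers, and ports that
        # are not being watched.
        if ($LocalIP -eq '127.0.0.1') { continue }
        if ($dclist -contains $RemoteIP) { continue }
        if ($ports2look4 -notcontains $LocalPort) { continue }

        if ($serviceNames.ContainsKey($LocalPort)) {
            $localService = $serviceNames[$LocalPort]
        }
        else {
            $localService = "Okänd tjänst"
        }

        if (-not $nameCache.ContainsKey($RemoteIP)) {
            # A peer without a reverse record is normal; log it with an empty name.
            try {
                $resolved = [System.Net.Dns]::GetHostEntry($RemoteIP).HostName
            }
            catch {
                $resolved = $null
            }

            if ($resolved) {
                # The name comes from DNS, i.e. from outside this host. Keep it
                # from adding columns or rows, and from being read as a formula
                # when the file is opened in a spreadsheet.
                $resolved = $resolved -replace '[;\r\n]', '_'
                if ($resolved -match '^[=+\-@]') { $resolved = "'" + $resolved }
            }

            $nameCache[$RemoteIP] = $resolved
        }
        $RemoteName = $nameCache[$RemoteIP]

        $row = "$LocalIP;$LocalPort;$RemoteIP;$RemoteName;$localService"

        if (-not $knownRows.ContainsKey($row)) {
            # Tab-separated console line; the tabs were typed as 't before and
            # printed literally.
            Write-Output "Ny anslutning hittad: $RemoteIP`t$RemoteName`t$LocalPort"
            Add-Content $Resultfile $row
            $knownRows[$row] = $true
        }
    }

    Start-Sleep -Seconds $sleeptime
}
# Read the clock after the sleep; a timestamp taken at the top of the iteration
# let the loop run one extra round past $TimeEnd.
Until ((Get-Date) -ge $TimeEnd)

Write-Output "Loop avslutad efter $looptime minuter"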