From e8289a291572f7382e453daa4e6c0922f163114a Mon Sep 17 00:00:00 2001 From: scriptos Date: Mon, 6 Nov 2023 19:42:58 +0100 Subject: [PATCH] Umzug ins neue Repo --- .../rdp-access-mail-notification.v1.ps1 | 92 ++++++++++++++++++ .../rdp-access-mail-notification.v2.ps1 | 52 ++++++++++ ...htigung bei RDP Anmeldung (AD Version).xml | Bin 0 -> 4382 bytes .../rdp-access-mail-notification.v3.ad.ps1 | 92 ++++++++++++++++++ ...gung bei RDP Anmeldung (Local Version).xml | Bin 0 -> 4226 bytes .../rdp-access-mail-notification.v3.local.ps1 | 63 ++++++++++++ 6 files changed, 299 insertions(+) create mode 100644 ad-version/.archiv/rdp-access-mail-notification.v1.ps1 create mode 100644 ad-version/.archiv/rdp-access-mail-notification.v2.ps1 create mode 100644 ad-version/Mailbenachrichtigung bei RDP Anmeldung (AD Version).xml create mode 100644 ad-version/rdp-access-mail-notification.v3.ad.ps1 create mode 100644 local-version/Mailbenachrichtigung bei RDP Anmeldung (Local Version).xml create mode 100644 local-version/rdp-access-mail-notification.v3.local.ps1 diff --git a/ad-version/.archiv/rdp-access-mail-notification.v1.ps1 b/ad-version/.archiv/rdp-access-mail-notification.v1.ps1 new file mode 100644 index 0000000..1637b78 --- /dev/null +++ b/ad-version/.archiv/rdp-access-mail-notification.v1.ps1 @@ -0,0 +1,92 @@ +# Konfigurationsparameter +$SMTPServer = "smtp.media-techport.int" +$FromName = "Media-Techport.DE | Notification Service" +$FromEmail = "noreply@media-techport.de" +$SecurityGroupDN = "CN=GG-MailAT_RDP-Access,OU=Benachrichtigungsgruppen,OU=Benutzergruppen,DC=media-techport,DC=int" + +# Überwachung der Ereignisprotokolle +$EventLogName = "Security" +$EventID = 1149 # Event ID für Anmeldungen + +# Filter für Ereignisse +$FilterXML = @" + + + + + +"@ + +# Funktion zum Senden von E-Mails +function Send-Email { + param( + [string]$To, + [string]$Subject, + [string]$Message, + [string]$GivenName, + [string]$Surname + ) + $EmailBody = @" + + + + + + + +

Logo-Schwarz

+

Hallo $GivenName $Surname,

+

$Message

+ + +"@ + + Send-MailMessage -SmtpServer $SMTPServer -From "$FromName <$FromEmail>" -To $To -Subject $Subject -Body $EmailBody -BodyAsHtml -Encoding "UTF8" +} + +# Hauptüberwachungsschleife +$events = Get-WinEvent -LogName $EventLogName -FilterXPath $FilterXML +foreach ($event in $events) { + $eventTime = $event.TimeCreated + $clientIP = $event.Properties[18].Value # IP-Adresse des Clients + $serverIP = $env:COMPUTERNAME # IP-Adresse des Servers + $user = $event.Properties[5].Value + $domain = $event.Properties[6].Value + + $userEmails = Get-ADGroupMember -Identity $SecurityGroupDN | Where-Object { $_.objectClass -eq "user" } | ForEach-Object { + $userDetails = Get-ADUser $_.DistinguishedName -Properties GivenName, Surname, EmailAddress + $GivenName = $userDetails.GivenName + $Surname = $userDetails.Surname + $EmailAddress = $userDetails.EmailAddress + [PSCustomObject]@{ + EmailAddress = $EmailAddress + GivenName = $GivenName + Surname = $Surname + } + } + + $emailMessage = @" +Es wurde eine Anmeldung per RDP auf dem Windows Server $serverIP registriert.

+Datum: $($eventTime.ToString('dd.MM.yyyy'))
+Uhrzeit: $($eventTime.ToString('HH:mm:ss'))
+Domäne: $domain
+Benutzer: $user
+IP-Adresse des Clients: $clientIP +"@ + foreach ($userDetail in $userEmails) { + Send-Email -To $userDetail.EmailAddress -Subject "RDP-Anmeldung auf $serverIP registriert" -Message $emailMessage -GivenName $userDetail.GivenName -Surname $userDetail.Surname + } +} diff --git a/ad-version/.archiv/rdp-access-mail-notification.v2.ps1 b/ad-version/.archiv/rdp-access-mail-notification.v2.ps1 new file mode 100644 index 0000000..4fea0bc --- /dev/null +++ b/ad-version/.archiv/rdp-access-mail-notification.v2.ps1 
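Review bot: The event fields `$user`, `$domain` and `$clientIP` taken from `$event.Properties` are interpolated verbatim into `$emailMessage`, which Send-Email then sends with `-BodyAsHtml`; these values originate from the remote client's connection attempt and are not trustworthy markup, so they should be HTML-encoded before they reach the body, e.g. `$user = [System.Net.WebUtility]::HtmlEncode([string]$event.Properties[5].Value)` and likewise for the domain and client address. The same unencoded interpolation appears in the v2 hunk (`Param1`–`Param3` from `UserData.EventXML`) and in both v3 files (`ad-version/rdp-access-mail-notification.v3.ad.ps1`, `local-version/rdp-access-mail-notification.v3.local.ps1`), whose hunk headers are not legible in this view, so the encoding belongs in those as well. Two smaller points in the same loop: `$serverIP = $env:COMPUTERNAME` is the host name, not an IP address, although the comment and the mail text call it one, and the `Get-ADGroupMember`/`Get-ADUser` recipient lookup runs once per event inside `foreach ($event in $events)` and could be hoisted above the loop since it does not depend on the event. Send-MailMessage is also called without `-UseSsl`, so the logon details travel to `$SMTPServer` in the clear unless the relay enforces TLS on its own; either add the flag or leave a comment stating that the internal relay is relied on for transport protection.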
@@ -0,0 +1,52 @@ +# Konfigurationsparameter +$SMTPServer = "smtp.media-techport.int" +$FromName = "Media-Techport.DE | Notification Service" +$FromEmail = "noreply@media-techport.de" +$SecurityGroupDN = "CN=GG-MailAT_RDP-Access,OU=Benachrichtigungsgruppen,OU=Benutzergruppen,DC=media-techport,DC=int" + +# Funktion zum Senden von E-Mails +function Send-Email { + param( + [string]$To, + [string]$Subject, + [string]$Message + ) + + Send-MailMessage -SmtpServer $SMTPServer -From "$FromName <$FromEmail>" -To $To -Subject $Subject -Body $Message -BodyAsHtml -Encoding "UTF8" +} + +# Parameter aus dem Ereignisprotokoll auslesen +$eventID = 1149 # Event ID für RDP-Anmeldungen +$eventLogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + +$latestEvent = Get-WinEvent -LogName $eventLogName -FilterXPath "" | Select-Object -First 1 + +if ($latestEvent) { + $xml = [xml]$latestEvent.ToXml() + + if ($xml.Event.UserData) { + $user = $xml.Event.UserData.EventXML.Param1 + $domain = $xml.Event.UserData.EventXML.Param2 + $clientIP = $xml.Event.UserData.EventXML.Param3 + + $eventTime = $latestEvent.TimeCreated + $computerName = $latestEvent.MachineName + + $userEmails = Get-ADGroupMember -Identity $SecurityGroupDN | Where-Object { $_.objectClass -eq "user" } | ForEach-Object { + Get-ADUser $_.DistinguishedName -Properties EmailAddress | Select-Object -ExpandProperty EmailAddress + } + + $emailMessage = @" +Es wurde eine Anmeldung per RDP auf dem Windows Server $computerName registriert.

+Datum: $($eventTime.ToString('dd.MM.yyyy'))
+Uhrzeit: $($eventTime.ToString('HH:mm:ss'))
+Domäne: $domain
+Benutzer: $user
+IP-Adresse des Clients: $clientIP +"@ + + foreach ($email in $userEmails) { + Send-Email -To $email -Subject "RDP-Anmeldung auf $computerName registriert" -Message $emailMessage + } + } +} 
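Review bot: `$userEmails` is built with `Select-Object -ExpandProperty EmailAddress` and is not filtered, so a group member whose EmailAddress attribute is empty can produce an empty recipient and a `Send-Email -To` call that Send-MailMessage rejects, which under the default error action may stop the remaining recipients from being mailed; filter before sending, `foreach ($email in ($userEmails | Where-Object { $_ })) {`. `$eventID = 1149` is assigned but, as far as this hunk shows, never referenced, and the `-FilterXPath` argument reads as an empty string here — if that is extraction loss, verify the XPath really constrains on the event id (`"*[System[EventID=$eventID]]"`), otherwise the script mails the newest event of any id in that log. `Select-Object -First 1` only ever looks at the newest 1149 record, so if the script is started by the accompanying task-scheduler XML on each event and two connections arrive close together, the second run reports the same event and the first connection is never mailed; presumably the task could hand over the triggering record via a ValueQueries entry for `$(EventRecordID)` so the script selects that exact record instead of the newest one.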
diff --git a/ad-version/Mailbenachrichtigung bei RDP Anmeldung (AD Version).xml b/ad-version/Mailbenachrichtigung bei RDP Anmeldung (AD Version).xml new file mode 100644 index 0000000000000000000000000000000000000000..3301d036011d57ac05219af26d7b9a99b38e16db GIT binary patch literal 4382 zcmd6rT~8ZF6o$`rrTzzti=?gO4?YT|HC9PL!4fo-m~sKRaIgaiV=S)&p}()ctL^ii zVc4Cup$?U*YQ@fa=FEG(&z#|}KbzLEu4Q&<6}z#%jrqQ?Ya7~zE!d*fY=yC6pY6&9 z%w|4+ZWEr7{b+Tb%uel`y;qJ@W4vHy3`)k|M<{FjzGl8|x2z4V$FEyf>$YSKo)x|t zeAj*NgmH2&)q=I`Yx@cbD%P|ExSWBIu|9@kaxZHe%#UE^w1IxhY5L5I&yp=$6`dNq zml!*|m(byRTjSlZA6#3F>qxW=MH5MKj3`II-n38fKZolW{4INHd-jL@V%v6NuaI-- z>%Y5Ag_F{!SchoV2IT~dE;X3KEDJ~cf;Jwed$@~?&23R-J ze8cP(YrnY^(X-#WUXf>%L^95AU&W2&I^zjZQ?~uK$I}q0Q_7Ss*m4`$yJ$23tA`!r z-A{Z=rt(^pS3AS*chG+DD3nAax052cWiLRS*iZJWqmAv(cA-%8yg+WPOjA_wM9-tV z;gP@ZF?8-Td+bglyJ|J{h?6WRqzW-1`v0@s-`O$NxpRN0dK@FOs)lUUbB&MfXELhm zalK(L$&UZt{x9u4)|5wjjCoYI$*c`(#3Hp~9h&zKu~c`TM^BU^tzL-6r`F1ms$6(H z(u-LUvPRYXsq7O~nwc3H6LFgE3&rp$HXot?06*pHA@k&~l&0do)7eq1cf~56=j|bg z$`$2X3*A(kt5oAqovYY&iOL)-yke_V=yj)AWYnpl>aA+M%IpeXYrI!kTj#y%SWAq{ zJkmAg7WK@f*(LJMJR3X2q%yAMIg}ygE%Rff6wWNVX|w~c!MmWy4+F6Dt&?_gZ&^jT zVnkUk-02-fR8dS@JNL)z^`gg`9+f(`<*~CF-rPfG)l2zXlC`0eyo&u(erHH<&5CmH z4vpHN4Baw)vb2wtB*mAaq*`u)o_VwlK)yw0@gMVUbHcxc-z$Dg3q{U_OVwf}#AmSN z^Dt65#P=FIi0d1^g3TV|Up%kAY-h@K6YB=OcUFGG%j+9Go(vIrN8B|*o%Q_n$kNwz31fNUdxKG_j zxg&`lo<&#W9#GX&W$+GBT-;N(@l%vVTxD65?`gf7*f>U1?m@}0g;eU-r?s1JM=DRb zM=Rz-c`eS1POP$+7)Ooe$Skv=ypYrPQ zd{QpuJ$gnj7SjF1{SETco0{WTCWG+J + + + + + + $HTMLBody + + +"@ + + Send-MailMessage -SmtpServer $SMTPServer -From "$FromName <$FromEmail>" -To $To -Subject $Subject -Body $emailMessage -BodyAsHtml -Encoding "UTF8" +} + +# Parameter aus dem Ereignisprotokoll auslesen +$eventID = 1149 # Event ID für RDP-Anmeldungen +$eventLogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + +$latestEvent = Get-WinEvent -LogName $eventLogName -FilterXPath "" | Select-Object -First 1 + +if ($latestEvent) { + $xml = 
[xml]$latestEvent.ToXml() + + if ($xml.Event.UserData) { + $user = $xml.Event.UserData.EventXML.Param1 + $domain = $xml.Event.UserData.EventXML.Param2 + $clientIP = $xml.Event.UserData.EventXML.Param3 + + $eventTime = $latestEvent.TimeCreated + $computerName = $latestEvent.MachineName + + $userEmails = Get-ADGroupMember -Identity $SecurityGroupDN | Where-Object { $_.objectClass -eq "user" } | ForEach-Object { + $userDetails = Get-ADUser $_.DistinguishedName -Properties GivenName, Surname, EmailAddress + $GivenName = $userDetails.GivenName + $Surname = $userDetails.Surname + $EmailAddress = $userDetails.EmailAddress + [PSCustomObject]@{ + EmailAddress = $EmailAddress + GivenName = $GivenName + Surname = $Surname + } + } + + foreach ($userDetails in $userEmails) { + $GivenName = $userDetails.GivenName + $Surname = $userDetails.Surname + $EmailAddress = $userDetails.EmailAddress + + $HTMLBody = @" + + + + + +

+

Hallo $GivenName $Surname,

+

Es wurde eine Anmeldung per RDP auf der Windows Maschine $computerName registriert.

Datum: $($eventTime.ToString('dd.MM.yyyy'))
Uhrzeit: $($eventTime.ToString('HH:mm:ss'))
Domäne: $domain
Benutzer: $user
IP-Adresse des Clients: $clientIP

+ + +"@ + + Send-Email -To $EmailAddress -Subject "RDP-Anmeldung auf $computerName registriert" -HTMLBody $HTMLBody + } + } +} 
diff --git a/local-version/Mailbenachrichtigung bei RDP Anmeldung (Local Version).xml b/local-version/Mailbenachrichtigung bei RDP Anmeldung (Local Version).xml new file mode 100644 index 0000000000000000000000000000000000000000..671034c4dc1b8cdf7d35cf148016cf759b710616 GIT binary patch literal 4226 zcmd6rT~8ZF6o$`rrTzzti=?gOk3cGt)>w4{DwaY*36u-S1;GR?Y-8;@5c=cWKJOWZ z-C5hzp;A??@a)cw_SZ-@Itg=?$vC5YCbXoIBS5pe|GUHgpu3#4Z7e+9C!&-~$5)XtP5-F<*A zJ@y^j4j2d6_M>w+aa(50$fnZo9Ij)2Yfdp>+ym1tW0(06yN1{^(tKxcKy(VvAr!wm zmgv#%U7sj9;t|s2?W%YYx^tcoEmfOuc^r+wo>HcC!G>FCaDrY#c=fS{y!x4UVXCf0 zyxJLdzlZjtN1qT)+**ppK>s_z;f*)R4MJrvy=_LLm? z@9qE8K449Gq|aDHb&u@Zpf)_CM!baP!+k6@-RIF0RWCJ5(fH6>HByxeizB_96(MU> z#UIK(QKgxglQEG`+kK%JKE>t}^dI7wf%C3!-*B#mcxl(~vxR;NPi`Rir7 zwB7eQ6=j$6IX2q?v#OG;Dr7zAgjW%E%6ATeD^?Wgw`kOZ%b1yrwYU7;xE^22CDn2h z?z#JP2Z5-+l( zqGXC!6*HGhNPP^46oWEYv8)qlaqP#_I`~|O<3647)pI|3cphC@df=+gB}aCM;_{xV zjUS>c^Hr`#d=Kl@#>O$C3J(gyCaBa6&uX{ajucO|6DsFJbuHbwP1N;ybRtykk*=lt zW+Nk7q{`(X%9Q8gx*?0nJFz$FQW+*5Q#rm3w~?ycf6Fb!7EYuCa16*J)xAFQ!>vZW zwW_kJx~#4Hhx)d(Qap}BisF!nxrFmR8650d)p{O9%43V0nmR$`CQ>(^8d29Cco;JFnUKxKDYtIG>bDMJJroafJ?9HTeq?{;9KQ z + + + + + + $HTMLBody + + +"@ + + Send-MailMessage -SmtpServer $SMTPServer -From "$FromName <$FromEmail>" -To $To -Subject $Subject -Body $emailMessage -BodyAsHtml -Encoding "UTF8" +} + +# Parameter aus dem Ereignisprotokoll auslesen +$eventID = 1149 # Event ID für RDP-Anmeldungen +$eventLogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + +$latestEvent = Get-WinEvent -LogName $eventLogName -FilterXPath "" | Select-Object -First 1 + +if ($latestEvent) { + $xml = [xml]$latestEvent.ToXml() + + if ($xml.Event.UserData) { + $user = $xml.Event.UserData.EventXML.Param1 + $domain = $xml.Event.UserData.EventXML.Param2 + $clientIP = $xml.Event.UserData.EventXML.Param3 + + $eventTime = $latestEvent.TimeCreated + $computerName = $latestEvent.MachineName + + $HTMLBody = @" + + + + + +

+

Hallo Patrick Asmus,

+

Es wurde eine Anmeldung per RDP auf der Windows Maschine $computerName registriert.

Datum: $($eventTime.ToString('dd.MM.yyyy'))
Uhrzeit: $($eventTime.ToString('HH:mm:ss'))
Domäne: $domain
Benutzer: $user
IP-Adresse des Clients: $clientIP

+ + +"@ + + Send-Email -To $ManualRecipient -Subject "RDP-Anmeldung auf $computerName registriert" -HTMLBody $HTMLBody + } +}