#Reads in a CSV based on WinEvent 4768 and selects the columns containing Username, Domain and IP.
#Compares the IP and domain of a workstation with the domain of a service account using the same IP to determine whether
#there are any cross-domain authentication attempts happening.
#Use at own risk; Tyler Williams - [email protected]; 20180506
# :{
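# Normalise IPv4-mapped IPv6 addresses in one data-frame column to dotted IPv4.
#
# Event exports can record an IPv4 client either as hex groups
# ("::ffff:c0a8:0101") or in dotted form ("::ffff:192.168.1.1"); both become
# "192.168.1.1". The prefix is matched case-insensitively. Every other value
# (plain IPv4, native IPv6, empty, NA, or a malformed ::ffff: entry) is returned
# unchanged, so a bad row never turns into "NA.NA.NA.NA" and a file with no
# mapped addresses no longer errors on a zero-length column assignment.
#
# df:          data frame holding the address column
# column_name: name (or index) of the address column in df
# Returns the normalised column as a character vector; df itself is not changed.
ReformatIPs <- function(df, column_name)
{
  ips <- as.character(df[[column_name]])

  # Hex-group form: exactly two groups of 1-4 hex digits after the prefix.
  hex_pat <- "^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$"
  is_hex <- grepl(hex_pat, ips, ignore.case = TRUE)
  if (any(is_hex)) {
    hi <- strtoi(sub(hex_pat, "\\1", ips[is_hex], ignore.case = TRUE), base = 16L)
    lo <- strtoi(sub(hex_pat, "\\2", ips[is_hex], ignore.case = TRUE), base = 16L)
    # Each 16-bit group holds two octets: high byte first, then low byte.
    ips[is_hex] <- paste(bitwShiftR(hi, 8L), bitwAnd(hi, 0xff),
                         bitwShiftR(lo, 8L), bitwAnd(lo, 0xff), sep = ".")
  }

  # Dotted form: the IPv4 address is already spelled out, just drop the prefix.
  dotted_pat <- "^::ffff:([0-9]{1,3}(\\.[0-9]{1,3}){3})$"
  is_dotted <- grepl(dotted_pat, ips, ignore.case = TRUE)
  ips[is_dotted] <- sub(dotted_pat, "\\1", ips[is_dotted], ignore.case = TRUE)

  ips
}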
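old <- Sys.time()
setwd("dir/contains/csv/")
inputfile <- "KerbEventsEnterpriseQueryData.csv"
outputfile <- "Rscript_ON_TESTDATA.csv"
# The only columns the analysis uses. Selecting them by name replaces the old
# "drop six fields, then take columns 1:3" sequence, which silently depended on
# the export's column order.
needed_cols <- c("USERNAME_TARGET", "HOSTNAME_TARGET", "IP_WINDOWSEVENT")

csv_read_in <- read.csv(file = inputfile, stringsAsFactors = FALSE)
print(Sys.time())
missing_cols <- setdiff(needed_cols, names(csv_read_in))
if (length(missing_cols) > 0) {
  stop("input is missing required column(s): ",
       paste(missing_cols, collapse = ", "), call. = FALSE)
}
#stripping unused fields to help speed up the analysis
csv_read_in <- csv_read_in[needed_cols]
print("StripCol")
print(new <- Sys.time() - old)

# Normalise once (the old script ran this twice): IPv4-mapped IPv6 -> dotted
# IPv4, HOSTNAME_TARGET (the domain field per the header) to upper case, then
# drop exact duplicate rows so every (user, domain, ip) triple is joined once.
csv_read_in$IP_WINDOWSEVENT <- ReformatIPs(csv_read_in, "IP_WINDOWSEVENT")
#csv_read_in$HOSTNAME_TARGET <- sub("#thing to normalize hostname if needed#",'',csv_read_in$HOSTNAME_TARGET)
csv_read_in$HOSTNAME_TARGET <- toupper(csv_read_in$HOSTNAME_TARGET)
csv_read_in <- unique(csv_read_in)
print("NormData")
print(new <- Sys.time() - old)

# Subsets: service accounts (name contains "svc" or "service") and computer
# accounts (name contains "$"; the "$" is matched literally, not as a regex).
svcNames <- subset(csv_read_in, grepl("svc|service", USERNAME_TARGET, ignore.case = TRUE))
wrkstationNames <- subset(csv_read_in, grepl("$", USERNAME_TARGET, fixed = TRUE))
print("SubsetBuilder")
print(new <- Sys.time() - old)

# Pair every service-account row with every computer-account row seen from the
# same IP (exact string match; the previous loop used the IP as a regex pattern,
# so "." matched any character and it iterated over length(svcNames), which is
# the column count, not the row count). Keep only pairs whose domains differ.
# Output columns: IP_WINDOWSEVENT, USERNAME_TARGET_SVC, HOSTNAME_TARGET_SVC,
# USERNAME_TARGET_WRK, HOSTNAME_TARGET_WRK.
checkMatch <- merge(svcNames, wrkstationNames, by = "IP_WINDOWSEVENT",
                    suffixes = c("_SVC", "_WRK"))
# which() drops rows where either domain is NA instead of emitting NA rows.
cross_domain <- which(checkMatch$HOSTNAME_TARGET_SVC != checkMatch$HOSTNAME_TARGET_WRK)
checkMatch <- checkMatch[cross_domain, , drop = FALSE]
write.csv(checkMatch, outputfile, row.names = FALSE)
new <- Sys.time() - old
print(new)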