PowerShell module to simplify configuring AD LDAP diagnostic logging
PSLDAPQueryLogging

This module simplifies enabling the LDAP query diagnostic logging discussed by Mark Morowczynski.

This is a quick hit, didn't spend much time generalizing or testing. Pull requests would be welcome!

Functions:

  • Test-LDAPQueryLoggingPrerequisites : Check to see if a domain controller meets the prerequisites for this logging
  • Enable-LDAPQueryLogging : Enable diagnostic logging and set parameters as discussed by Mark
  • Get-LDAPQueryLogging : Check the current state, including whether logging is enabled, and parameter values.
  • Disable-LDAPQueryLogging : Disable diagnostic logging and set parameters back to defaults

Prerequisites:

  • Access to the domain controller
  • Server 2012 R2 or
  • Server 2008, 2008 R2, or 2012 with KB2800945
  • Directory Services event log size is large enough

Instructions

# Download PSLDAPQueryLogging
# https://github.com/RamblingCookieMonster/PSLDAPQueryLogging/archive/master.zip
# Unblock the archive
# Copy the PSLDAPQueryLogging module to one of your module paths ($env:PSModulePath -split ";")

# Import the module
Import-Module PSLDAPQueryLogging -force

# Get commands from the module
Get-Command -module PSLDAPQueryLogging

# Get help for a command
Get-Help Test-LDAPQueryLoggingPrerequisites -Full

# Check if a domain controller has the prerequisites
Test-LDAPQueryLoggingPrerequisites -ComputerName DS1, DS2, DS3

# Enable logging temporarily on DS1 and DS2
Enable-LDAPQueryLogging -ComputerName DS1, DS2

# Verify the registry settings...
Get-LDAPQueryLogging -ComputerName DS1, DS2

# Collect your logs!
# Many ways to do this. Not PowerShell, but I find wevtutil to be quite fast.
Invoke-Command -ComputerName DS1, DS2 {wevtutil epl 'Directory Service' "\\$ENV:ComputerName\c$\$ENV:ComputerName-Evil.evtx"}

# Disable the logging...
Disable-LDAPQueryLogging -ComputerName DS1, DS2

# Parse events as desired, perhaps using Ming's script
# https://gallery.technet.microsoft.com/scriptcenter/Event-1644-reader-Export-45205268

Example

Let's pretend LSASS is running a bit hot on all the domain controllers in your environment. This snippet will...

  • Get all domain controllers (ActiveDirectory module)
  • Enable diagnostic logging (prerequisites assumed)
  • Wait 10 minutes
  • Pull the eventlogs back to your system
  • Disable diagnostic logging

# Import the module
Import-Module PSLDAPQueryLogging -force

# Get domain controllers
$DCs = Get-ADDomainController -Filter * | Select -ExpandProperty Name

# Enable logging temporarily on the domain controllers
# We set the search time threshold so that queries taking over 30 ms are logged (default is 100 ms)
$DCs | Enable-LDAPQueryLogging -SearchTimeThreshold 30

# Wait a bit
"$(Get-Date): Sleeping 10 minutes..."
Start-Sleep -Seconds (10*60)

# Collect your logs!
# Many ways to do this. Not PowerShell, but I find wevtutil to be quite fast.
$Comp = $ENV:ComputerName
Invoke-Command -ComputerName $DCs -ScriptBlock {wevtutil epl 'Directory Service' "\\$Using:Comp\c$\$ENV:ComputerName-Evil.evtx"}

# Disable the logging...
$DCs | Disable-LDAPQueryLogging

# Parse events as desired, perhaps using Ming's script
# https://gallery.technet.microsoft.com/scriptcenter/Event-1644-reader-Export-45205268
dir C:\*evil.evtx
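Once the exports are back, the Event 1644 records can be summarized with Get-WinEvent rather than COM. The following is an added example, not part of the PSLDAPQueryLogging module: the function names are hypothetical, and it assumes the enhanced 1644 message layout from KB2800945, where each field label (Client, Filter, Visited entries, Search time (ms), and so on) sits on its own line with the value on the next.

```powershell
function ConvertFrom-Event1644Message {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    # Each field is a "Label:" line followed by its value on the next line (assumed 1644 layout)
    foreach ($m in [regex]::Matches($Message, '(?m)^([^:\r\n]+):[ \t]*\r?\n[ \t]*(.*)$')) {
        $fields[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value.Trim()
    }
    [pscustomobject]@{
        Client          = ($fields['Client'] -split ':')[0]   # drop the source port
        Filter          = $fields['Filter']
        StartingNode    = $fields['Starting node']
        Scope           = $fields['Search scope']
        VisitedEntries  = [int]$fields['Visited entries']
        ReturnedEntries = [int]$fields['Returned entries']
        SearchTimeMs    = [int]$fields['Search time (ms)']
    }
}

function Get-Event1644Summary {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # exported .evtx files, e.g. C:\*evil.evtx
        [int]$Top = 10
    )
    # Only Event ID 1644 records from the Directory Service export
    $events = Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=1644]]' -ErrorAction SilentlyContinue
    $searches = foreach ($e in $events) { ConvertFrom-Event1644Message -Message $e.Message }
    # Noisiest clients: total search time and entries visited
    $byClient = $searches | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client         = $_.Name
            Searches       = $_.Count
            TotalTimeMs    = ($_.Group | Measure-Object SearchTimeMs -Sum).Sum
            VisitedEntries = ($_.Group | Measure-Object VisitedEntries -Sum).Sum
        }
    } | Sort-Object TotalTimeMs -Descending | Select-Object -First $Top
    # Most frequent filters, the usual sign of an app polling with an unindexed query
    $byFilter = $searches | Group-Object Filter | Sort-Object Count -Descending |
        Select-Object Name, Count -First $Top
    [pscustomobject]@{ TotalSearches = @($searches).Count; ByClient = $byClient; ByFilter = $byFilter }
}

# Constructed sample message (not a real capture) to exercise the parser offline
$sample = "Internal event: A client issued a search operation with the following options.`r`n`r`nClient:`r`n 10.0.0.5:51234`r`nStarting node:`r`n DC=contoso,DC=com`r`nFilter:`r`n (objectClass=*)`r`nSearch scope:`r`n subtree`r`nVisited entries:`r`n 15000`r`nReturned entries:`r`n 10`r`nSearch time (ms):`r`n 250"
ConvertFrom-Event1644Message -Message $sample
# Against the real exports collected above:
# Get-Event1644Summary -Path (dir C:\*evil.evtx).FullName
```

Get-WinEvent needs the Directory Service event provider to render the Message text of an exported log, so run the summary on a domain controller or a machine with the AD DS tools installed.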

Notes:

Thanks to Shay Levy for PSRemoteRegistry. To reduce dependencies, we borrow two functions from that module. PSRemoteRegistry should be in your toolbelt : )

Thanks to Mark Morowczynski, Ming Chen, and anyone else who contributed to the great write-up on this topic

Keep in mind there are other tools out there. SPA, AD data collector sets, etc.

Stuff that might be fun:

  • Collect the logs. wevtutil epl seems to be the fastest.
  • Parse the logs. Maybe leave this to the script from Ming Chen. Would be nice to have this analysis without COM though...
  • Add rudimentary tests
  • Clean up code and output