LoginAudit.xml
<?xml version="1.0" encoding="UTF-16"?>
<!--
  Windows Task Scheduler task definition "Login Audit": an event-triggered task
  that runs a PowerShell script whenever a successful (4624) or failed (4625)
  logon event is written to the Security log.
  NOTE(review): the declaration claims UTF-16. The on-disk bytes must really be
  UTF-16 (Task Scheduler exports usually are); a UTF-8 copy with this header
  may fail to parse on import. Confirm when copying the file between systems.
-->
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2017-10-29T05:14:59.4392963</Date>
<Author>jacauc</Author>
<URI>\Login Audit</URI>
</RegistrationInfo>
<Triggers>
<!-- Single trigger: fire when a Security-log event matches the subscription. -->
<EventTrigger>
<Enabled>true</Enabled>
<!--
  Event-log subscription (XPath over the Security channel). Two branches:
  1. EventID 4624 (logon succeeded) where LogonType is neither 4 (batch) nor
     5 (service), the subject SID is not the null SID S-1-0-0, and the target
     domain is neither "Window Manager" nor "Font Driver Host" (presumably to
     drop the DWM-* / UMFD-* session-noise logons).
  2. EventID 4625 (logon failed) where LogonType is neither 4 nor 5. Note that
     this branch does not apply the SID / domain exclusions of branch 1.
  Both branches are further limited to events created within the last
  60000 ms (60 s) of the evaluation time.
  NOTE(review): Task Scheduler exports normally carry the query XML-escaped
  inside <Subscription>; the unescaped <QueryList> children shown here may be
  a rendering artifact of the page. Verify the raw file still imports.
-->
<Subscription><QueryList><Query Id="0" Path="Security"><Select Path="Security">
*[System[EventID=4624]
and
EventData[Data[@Name='LogonType'] != '4']
and
EventData[Data[@Name='LogonType'] != '5']
and
EventData[Data[@Name='SubjectUserSid']!='S-1-0-0']
and
EventData[Data[@Name='TargetDomainName']!='Window Manager']
and
EventData[Data[@Name='TargetDomainName']!='Font Driver Host']
and
( System[TimeCreated[timediff(@SystemTime) &lt;= 60000]])
]
or
*[System[EventID=4625]
and
EventData[Data[@Name='LogonType'] != '4']
and
EventData[Data[@Name='LogonType'] != '5']
and
( System[TimeCreated[timediff(@SystemTime) &lt;= 60000]])
]
</Select></Query></QueryList></Subscription>
</EventTrigger>
</Triggers>
<Principals>
<!--
  Security context for the action: one specific local account SID, using
  stored credentials (LogonType Password) and that account's highest
  available token (RunLevel HighestAvailable).
  NOTE(review): the SID below and the script path in <Actions> are
  machine-specific. Re-target both (and re-enter the password) when importing
  this task on another host.
-->
<Principal id="Author">
<UserId>S-1-5-21-3911950312-3420160509-134503256-1001</UserId>
<LogonType>Password</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<!-- A new trigger firing while the script is still running is ignored. -->
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<!-- PT0S is the "no limit" value: the scheduler never stops the script on
     its own. Consider a finite limit so a hung script cannot linger. -->
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<!-- 7 is the scheduler's default (below-normal) process priority. -->
<Priority>7</Priority>
</Settings>
<!-- Runs in the context of the "Author" principal declared above. -->
<Actions Context="Author">
<Exec>
<!--
  NOTE(review): "powershell" is resolved through PATH and the script path is
  passed as a bare command string. A fully qualified powershell.exe path plus
  "-NoProfile -File <script>" would be more robust (profile scripts, paths
  containing spaces). The script lives under a user-profile directory; anyone
  able to write to that file controls what this task executes with the
  principal's highest token, so its ACL deserves a check.
-->
<Command>powershell</Command>
<Arguments>C:\Users\Jacques\LoginAudit.ps1</Arguments>
</Exec>
</Actions>
</Task>