From 2f3379042f2ebc1885770d298bd7e84f29fbf9db Mon Sep 17 00:00:00 2001 From: Ttt Date: Mon, 2 Mar 2026 17:23:13 +0800 Subject: [PATCH] fix:Web utils fix --- logs/stderr.log | 112 ++++++++++++++++ logs/stdout.log | 212 +++++++++++++++++++++++++++++++ rdp_login_success_script.ps1 | 2 +- rdp_login_success_script_new.ps1 | 179 ++++++++++++++++++++++++++ 4 files changed, 504 insertions(+), 1 deletion(-) create mode 100644 logs/stderr.log create mode 100644 logs/stdout.log create mode 100644 rdp_login_success_script_new.ps1 diff --git a/logs/stderr.log b/logs/stderr.log new file mode 100644 index 0000000..b3fc9df --- /dev/null +++ b/logs/stderr.log 
@@ -0,0 +1,112 @@ +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 
钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 
钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + +Send-DingTalkMessage : ? 
钉钉消息发送失败: 找不到类型 [System.Web.HttpUtility]。 +所在位置 E:\data\workspace\powershell\rdp_login_success_script.ps1:154 字符: 25 ++ Send-DingTalkMessage -消息内容 $消息内容 ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Send-DingTalkMessage + diff --git a/logs/stdout.log b/logs/stdout.log new file mode 100644 index 0000000..60451cb --- /dev/null +++ b/logs/stdout.log 
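Review bot: `logs/stderr.log` and `logs/stdout.log` are runtime output, not source: `stderr.log` records a local workspace path, and `stdout.log` (next hunk) records the hostname, the account name and the public source IP of every logon the monitor reported, all of which this commit now publishes with the repository history. Both files should be dropped from the commit and the directory excluded with a `logs/` entry in `.gitignore`. The stderr entries only document the `System.Web.HttpUtility` failure that the `rdp_login_success_script.ps1` hunk fixes, so nothing is lost by removing them.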
@@ -0,0 +1,212 @@ +======================================== + 服务器登录监控服务已启动 +======================================== +服务器名称: DESKTOP-B3O1605 +启动时间: 2026-03-02 17:07:16 +监控类型: 所有远程桌面相关登录(类型3、7、10) +检查间隔: 5秒 +======================================== + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:53:41 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:53:40 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:53:14 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:53:13 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:45:50 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:45:49 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:43:17 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:43:16 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:29:14 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:29:12 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:14:11 + +[17:07:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:14:09 + +[17:07:49] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 17:07:45 + +[17:07:49] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 17:07:43 + +[17:09:27] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 
17:09:25 + +[17:09:27] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 17:09:23 +[17:10:04] 监控运行中,已监控到 16 次登录 +[17:15:01] 监控运行中,已监控到 16 次登录 +======================================== + 服务器登录监控服务已启动 +======================================== +服务器名称: DESKTOP-B3O1605 +启动时间: 2026-03-02 17:21:17 +监控类型: 所有远程桌面相关登录(类型3、7、10) +检查间隔: 5秒 +======================================== + +[17:21:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 17:09:25 +? 钉钉消息发送成功: ok + +[17:21:18] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 17:09:23 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 17:07:45 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 17:07:43 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:53:41 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:53:40 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:53:14 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:53:13 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:45:50 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接) + 来源IP: 115.236.13.24 + 时间: 16:45:49 +? 钉钉消息发送成功: ok + +[17:21:19] 检测到新的远程登录 + 用户: DESKTOP-B3O1605\xiang + 类型: 会话解锁 (远程会话解锁) + 来源IP: 115.236.13.24 + 时间: 16:43:17 +? 
钉钉消息发送成功: ok
+
+[17:21:20] 检测到新的远程登录
+ 用户: DESKTOP-B3O1605\xiang
+ 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接)
+ 来源IP: 115.236.13.24
+ 时间: 16:43:16
+? 钉钉消息发送成功: ok
+
+[17:21:20] 检测到新的远程登录
+ 用户: DESKTOP-B3O1605\xiang
+ 类型: 会话解锁 (远程会话解锁)
+ 来源IP: 115.236.13.24
+ 时间: 16:29:14
+? 钉钉消息发送成功: ok
+
+[17:21:20] 检测到新的远程登录
+ 用户: DESKTOP-B3O1605\xiang
+ 类型: 网络登录(含NLA身份验证) (使用NLA验证的RDP连接)
+ 来源IP: 115.236.13.24
+ 时间: 16:29:12
+? 钉钉消息发送成功: ok
diff --git a/rdp_login_success_script.ps1 b/rdp_login_success_script.ps1
index eba88a6..53fd613 100644
--- a/rdp_login_success_script.ps1
+++ b/rdp_login_success_script.ps1
@@ -21,7 +21,7 @@ function Send-DingTalkMessage {
 $hmacsha.key = [Text.Encoding]::UTF8.GetBytes($DingTalkSecret)
 $signature = $hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
 $signatureBase64 = [Convert]::ToBase64String($signature)
- $encodedSignature = [System.Web.HttpUtility]::UrlEncode($signatureBase64)
+ $encodedSignature = [System.Net.WebUtility]::UrlEncode($signatureBase64)
 
 # 瀹屾暣鐨勮姹俇RL
 $fullUrl = "$DingTalkWebhookUrl×tamp=$timestamp&sign=$encodedSignature"
diff --git a/rdp_login_success_script_new.ps1 b/rdp_login_success_script_new.ps1
new file mode 100644
index 0000000..53fd613
--- /dev/null
+++ b/rdp_login_success_script_new.ps1
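Review bot: The switch to `System.Net.WebUtility` is the right fix for Windows PowerShell hosts where `System.Web` is not loaded (the stderr log shows exactly that failure), but the `HMACSHA256` object whose `key` is set on the first context line is never disposed, so the key derived from `$DingTalkSecret` stays in that object until finalization; wrap the signing lines in `try { … } finally { $hmacsha.Dispose() }`. Below the hunk, the `Invoke-RestMethod` result is reported as success whenever the call returns, yet as far as I know the DingTalk robot endpoint answers HTTP 200 with a non-zero `errcode` for a bad token or signature, so guard the success message with `if ($response.errcode -ne 0) { throw "DingTalk error $($response.errcode): $($response.errmsg)" }`. `Send-DingTalkMessage` begins and ends outside the hunk.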
@@ -0,0 +1,179 @@ +锘# 鏈嶅姟鍣ㄧ櫥褰曠洃鎺ц剼鏈 - 瀹屾暣鐗堬紙鐩戞帶鎵鏈塕DP鐩稿叧鐧诲綍绫诲瀷锛 +# 鐩戞帶杩滅▼妗岄潰鐧诲綍骞堕氳繃閽夐拤鏈哄櫒浜烘帹閫侀氱煡锛堟敮鎸佸姞绛撅級 + +param ( + [string]$DingTalkWebhookUrl = "https://oapi.dingtalk.com/robot/send?access_token=d28bd09159097d9cc5793a183990927ce637bd8addafb5e4586e2687ca317039", + [string]$DingTalkSecret = "SECd4bf3fb7703bd2826896deefa68d579e9945a67058ee9047ac5f8757ae800729" +) + +# 閽夐拤娑堟伅鍙戦佸嚱鏁帮紙鏀寔鍔犵锛 +function Send-DingTalkMessage { + param( + [string]$娑堟伅鍐呭 + ) + + try { + # 璁$畻绛惧悕 + $timestamp = [DateTimeOffset]::Now.ToUnixTimeMilliseconds() + $stringToSign = "$timestamp`n$DingTalkSecret" + + $hmacsha = New-Object System.Security.Cryptography.HMACSHA256 + $hmacsha.key = [Text.Encoding]::UTF8.GetBytes($DingTalkSecret) + $signature = $hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)) + $signatureBase64 = [Convert]::ToBase64String($signature) + $encodedSignature = [System.Net.WebUtility]::UrlEncode($signatureBase64) + + # 瀹屾暣鐨勮姹俇RL + $fullUrl = "$DingTalkWebhookUrl×tamp=$timestamp&sign=$encodedSignature" + + $body = @{ + msgtype = "text" + text = @{ + content = $娑堟伅鍐呭 + } + } | ConvertTo-Json -Depth 10 + + $response = Invoke-RestMethod -Uri $fullUrl -Method Post -Body $body -ContentType "application/json; charset=utf-8" + Write-Host "鉁 閽夐拤娑堟伅鍙戦佹垚鍔: $($response.errmsg)" -ForegroundColor Green + } catch { + Write-Error "鉁 閽夐拤娑堟伅鍙戦佸け璐: $_" + } +} + +# 鐧诲綍绫诲瀷璇存槑 +$鐧诲綍绫诲瀷璇存槑 = @{ + "2" = "浜や簰寮忕櫥褰曪紙鏈湴鎺у埗鍙帮級" + "3" = "缃戠粶鐧诲綍锛堝惈NLA韬唤楠岃瘉锛" + "4" = "鎵瑰鐞嗭紙璁″垝浠诲姟锛" + "5" = "鏈嶅姟鐧诲綍" + "7" = "浼氳瘽瑙i攣" + "8" = "缃戠粶鏄庢枃锛堝IIS鍩烘湰璁よ瘉锛" + "9" = "鏂板嚟璇侊紙RunAs锛" + "10" = "杩滅▼浜や簰锛圧DP鏃燦LA锛" + "11" = "缂撳瓨浜や簰锛堝煙鍑嵁缂撳瓨锛" +} + +# 绋嬪簭鍚姩淇℃伅 +Write-Host "========================================" -ForegroundColor Cyan +Write-Host " 鏈嶅姟鍣ㄧ櫥褰曠洃鎺ф湇鍔″凡鍚姩" -ForegroundColor Cyan +Write-Host "========================================" -ForegroundColor Cyan +Write-Host "鏈嶅姟鍣ㄥ悕绉: $env:COMPUTERNAME" -ForegroundColor Yellow +Write-Host "鍚姩鏃堕棿: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" 
-ForegroundColor Yellow +Write-Host "鐩戞帶绫诲瀷: 鎵鏈夎繙绋嬫闈㈢浉鍏崇櫥褰曪紙绫诲瀷3銆7銆10锛" -ForegroundColor Yellow +Write-Host "妫鏌ラ棿闅: 5绉" -ForegroundColor Yellow +Write-Host "========================================" -ForegroundColor Cyan + +# 璁板綍涓婃妫鏌ョ殑鏃堕棿 +$涓婃妫鏌ユ椂闂 = (Get-Date).AddHours(-1) +# 璁板綍宸插彂閫佽繃鐨勭櫥褰曚簨浠讹紝閬垮厤閲嶅閫氱煡 +$宸查氱煡浜嬩欢 = @{} + +# 涓诲惊鐜 +while ($true) { + try { + # 鑾峰彇鏂扮殑鐧诲綍浜嬩欢锛圗vent ID 4624锛 + $浜嬩欢鍒楄〃 = Get-WinEvent -FilterHashtable @{ + LogName = 'Security' + ID = 4624 + StartTime = $涓婃妫鏌ユ椂闂 + } -ErrorAction SilentlyContinue + + foreach ($浜嬩欢 in $浜嬩欢鍒楄〃) { + # 瑙f瀽浜嬩欢XML + $浜嬩欢Xml = [xml]$浜嬩欢.ToXml() + + # 鑾峰彇鐧诲綍绫诲瀷 + $鐧诲綍绫诲瀷 = ($浜嬩欢Xml.Event.EventData.Data | Where-Object {$_.Name -eq "LogonType"}).'#text' + + # 鐩戞帶鎵鏈夊彲鑳界殑杩滅▼妗岄潰鐩稿叧鐧诲綍绫诲瀷锛3(NLA楠岃瘉)銆7(瑙i攣)銆10(浼犵粺RDP) + if ($鐧诲綍绫诲瀷 -eq "3" -or $鐧诲綍绫诲瀷 -eq "7" -or $鐧诲綍绫诲瀷 -eq "10") { + # 鑾峰彇鐧诲綍淇℃伅 + $鐢ㄦ埛鍚 = ($浜嬩欢Xml.Event.EventData.Data | Where-Object {$_.Name -eq "TargetUserName"}).'#text' + $鍩熷悕 = ($浜嬩欢Xml.Event.EventData.Data | Where-Object {$_.Name -eq "TargetDomainName"}).'#text' + $鏉ユ簮IP = ($浜嬩欢Xml.Event.EventData.Data | Where-Object {$_.Name -eq "IpAddress"}).'#text' + $鐧诲綍鏃堕棿 = $浜嬩欢.TimeCreated + $璁板綍ID = $浜嬩欢.RecordId + $鐧诲綍GUID = ($浜嬩欢Xml.Event.EventData.Data | Where-Object {$_.Name -eq "LogonGuid"}).'#text' + + # 杩囨护鏈湴IP鍜屾棤鏁圛P + $鏈夋晥IP = $鏉ユ簮IP -and $鏉ユ簮IP -ne "127.0.0.1" -and $鏉ユ簮IP -ne "::1" -and $鏉ユ簮IP -ne "-" + + if ($鏈夋晥IP) { + # 鐢熸垚鍞竴鏍囪瘑锛岄伩鍏嶉噸澶嶉氱煡 + $浜嬩欢鏍囪瘑 = "$璁板綍ID-$鏉ユ簮IP-$鐢ㄦ埛鍚" + + if (-not $宸查氱煡浜嬩欢.ContainsKey($浜嬩欢鏍囪瘑)) { + # 娓呯悊杩囨棫鐨勮褰曪紝閬垮厤鍐呭瓨婧㈠嚭 + if ($宸查氱煡浜嬩欢.Count -gt 1000) { + $宸查氱煡浜嬩欢.Clear() + } + + # 澶勭悊绌哄煙鍚 + if ([string]::IsNullOrEmpty($鍩熷悕) -or $鍩熷悕 -eq "-") { + $鍩熷悕 = $env:COMPUTERNAME + } + + # 鑾峰彇鐧诲綍绫诲瀷璇存槑 + $绫诲瀷璇存槑 = if ($鐧诲綍绫诲瀷璇存槑.ContainsKey($鐧诲綍绫诲瀷)) { + $鐧诲綍绫诲瀷璇存槑[$鐧诲綍绫诲瀷] + } else { + "鏈煡绫诲瀷($鐧诲綍绫诲瀷)" + } + + # 娣诲姞棰濆璇存槑 + $棰濆璇存槑 = "" + if ($鐧诲綍绫诲瀷 -eq "3") { + $棰濆璇存槑 = "锛堜娇鐢∟LA楠岃瘉鐨凴DP杩炴帴锛" + } elseif ($鐧诲綍绫诲瀷 -eq "7") { + $棰濆璇存槑 = "锛堣繙绋嬩細璇濊В閿侊級" + } elseif ($鐧诲綍绫诲瀷 -eq 
"10") { + $棰濆璇存槑 = "锛堜紶缁烺DP杩炴帴锛" + } + + # 鏋勫缓閽夐拤娑堟伅 + $娑堟伅鍐呭 = @" +銆愭湇鍔″櫒鐧诲綍鍛婅銆 +鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣 +馃彚 鏈嶅姟鍣細$env:COMPUTERNAME +馃搮 鏃堕棿锛$($鐧诲綍鏃堕棿.ToString('yyyy-MM-dd HH:mm:ss')) +馃懁 鐢ㄦ埛锛$鍩熷悕\$鐢ㄦ埛鍚 +馃攽 鐧诲綍绫诲瀷锛$绫诲瀷璇存槑 $棰濆璇存槑 +馃寪 鏉ユ簮IP锛$鏉ユ簮IP +馃摑 璁板綍ID锛$璁板綍ID +鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣鈹佲攣 +"@ + + # 鏄剧ず鏃ュ織 + Write-Host "`n[$(Get-Date -Format 'HH:mm:ss')] 妫娴嬪埌鏂扮殑杩滅▼鐧诲綍" -ForegroundColor Yellow + Write-Host " 鐢ㄦ埛: $鍩熷悕\$鐢ㄦ埛鍚" -ForegroundColor White + Write-Host " 绫诲瀷: $绫诲瀷璇存槑 $棰濆璇存槑" -ForegroundColor Cyan + Write-Host " 鏉ユ簮IP: $鏉ユ簮IP" -ForegroundColor White + Write-Host " 鏃堕棿: $($鐧诲綍鏃堕棿.ToString('HH:mm:ss'))" -ForegroundColor White + + # 鍙戦侀拤閽夐氱煡 + Send-DingTalkMessage -娑堟伅鍐呭 $娑堟伅鍐呭 + + # 璁板綍宸查氱煡 + $宸查氱煡浜嬩欢[$浜嬩欢鏍囪瘑] = $true + } + } + } + } + + # 鏇存柊涓婃妫鏌ユ椂闂 + $涓婃妫鏌ユ椂闂 = Get-Date + + # 鏄剧ず杩愯鐘舵侊紙姣5鍒嗛挓鏄剧ず涓娆★級 + if (((Get-Date).Minute % 5) -eq 0 -and (Get-Date).Second -lt 5) { + Write-Host "[$(Get-Date -Format 'HH:mm:ss')] 鐩戞帶杩愯涓紝宸茬洃鎺у埌 $($宸查氱煡浜嬩欢.Count) 娆$櫥褰" -ForegroundColor Gray + } + + # 绛夊緟5绉掑悗缁х画妫鏌 + Start-Sleep -Seconds 5 + + } catch { + Write-Error "鐩戞帶杩囩▼鍙戠敓閿欒: $_" + Write-Host "绛夊緟10绉掑悗閲嶈瘯..." -ForegroundColor Red + Start-Sleep -Seconds 10 + } +} \ No newline at end of file