Incident-Response-Powershell/Scripts/LastLogons.ps1 at main · ank0ku/Incident-Response-Powershell · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# !!!!!!
# You need to run this script as administrator in order to get results.
# Define the number of last logons to retrieve
$numberOfLogons = 10

$logonEvents = Get-WinEvent -LogName 'Security' -FilterXPath "*[System[EventID=4624 or EventID=4648]]" | Select-Object -First $numberOfLogons

foreach ($logonEvent in $logonEvents) {
    $time = $logonEvent.TimeCreated
    $message = $logonEvent.Message
    $logonType = if ($logonEvent.Id -eq 4648) { "Explicit" } else { "Interactive" }

    Write-Host "Time: $time"
    Write-Host "Logon Type: $logonType"
    Write-Host "Message:"
    Write-Host $message
	Write-Host "------------------------"

}

# Note: This script retrieves logon events from the 'Security' log and filters by Event ID 4624 (successful logon) and 4648 (explicit logon).