Description
This PowerShell script retrieves authentication logs (Event IDs 4624 and 4634) from a target system, supporting both impersonation and credential-based access. It extracts key details such as usernames, domains, logon type, and IP addresses.
Overview
This PowerShell script retrieves authentication event logs from a target system’s Security log: Event ID 4624 (successful logon) and Event ID 4634 (logoff). It supports two authentication modes: using an impersonation method or providing a username and password. The script allows specifying the maximum number of events to fetch and extracts key details, such as usernames, domain names, logon type, and IP addresses, from the logs.
Parameters
| Name | Type | Description |
|---|---|---|
| Target | string | The IP address or hostname of the system to query. |
| Username | string | The local or domain username to authenticate with. |
| Password | string | The password for the specified user. |
| Max | int | The maximum number of events to retrieve. |
| Sort | string | The way in which to order the events. |
| ExcludeUserFilter | string[] | A set of filters to remove users from the output. |
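
The retrieval and field extraction described in the Overview can be written with `Get-WinEvent` as follows. This is an added example, not the documented script's own code: the function name `Get-LogonEventSummary`, the `Credential` parameter, and the treatment of `ExcludeUserFilter` as `-like` wildcard patterns are assumptions.

```powershell
# Added example, not the documented script. Get-LogonEventSummary and its
# wildcard handling of -ExcludeUserFilter are hypothetical.
function Get-LogonEventSummary {
    [CmdletBinding()]
    param(
        [string]$Target,                      # omit to query the local machine
        [pscredential]$Credential,            # omit to use the caller's current context
        [int]$Max = 100,
        [string[]]$ExcludeUserFilter = @()    # assumed to be -like wildcard patterns
    )

    # Logon type codes recorded in 4624/4634 events.
    $logonTypes = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'
        10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }

    $query = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4624, 4634 }
        MaxEvents       = $Max
        ErrorAction     = 'Stop'
    }
    if ($Target)     { $query.ComputerName = $Target }
    if ($Credential) { $query.Credential   = $Credential }

    foreach ($evt in Get-WinEvent @query) {
        # EventData holds <Data Name="...">value</Data> nodes; index them by name.
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        $user = $data['TargetUserName']
        if ($ExcludeUserFilter | Where-Object { $user -like $_ }) { continue }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            EventId     = $evt.Id
            User        = $user
            Domain      = $data['TargetDomainName']
            LogonType   = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type }
            LogonId     = $data['TargetLogonId']   # pairs a 4624 with its 4634
            IpAddress   = $data['IpAddress']       # only 4624 carries this field
        }
    }
}
```

Reading the Security log requires administrative rights or membership in the Event Log Readers group on the queried system. `Get-WinEvent` raises an error when no events match, which `ErrorAction = 'Stop'` turns into a terminating exception the caller can catch.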
