CyberDrain.com - Detect failed logons

I’m having trouble with CyberDrain’s detect failed logons script from the community library.

It’s throwing the following errors:

error> System.InvalidOperationException: A circular reference was detected while serializing an object of type 'System.Management.Automation.PSParameterizedProperty'.
error> Stack:
error>   at ConvertTo-Json20, C:\ProgramData\Syncro\bin\module.psm1: line 310
error>   at Call-SyncroApiEx, C:\ProgramData\Syncro\bin\module.psm1: line 262
error>   at Call-SyncroApi, C:\ProgramData\Syncro\bin\module.psm1: line 242
error>   at Rmm-Alert, C:\ProgramData\Syncro\bin\module.psm1: line 32
error>   at <ScriptBlock>, C:\ProgramData\Syncro\bin\a49a4363-8649-49c9-9502-84fcfdfab756.ps1: line 22
error>   at <ScriptBlock>, <No file>: line 1
error>   at <ScriptBlock>, <No file>: line 1
error> Call-SyncroApi: failure
Call-SyncroApi: success

I’m no PowerShell expert. Does anyone here have any ideas what is causing the errors? Is anyone running this script successfully?

Looks like it’s an issue with the RMM-Alert line. I would try removing the processing from that command and adding quotes to see if that helps, so replace the one line with two:

$EventObject = $EventObject | out-string
Rmm-Alert -Category 'Brute force attempt' -Body "$EventObject"

I was able to duplicate your results. Delete your script and pull down a new copy. This time use the IMPORT SCRIPT button in the upper right. You are missing all of the system variables.

Hi, I’m not OP, but I get the same error as him, even after deleting and reimporting the script.

Thanks, guys. Importing the script resulted in the same errors. Isaac’s suggestion to split the RMM-Alert line into 2 lines got rid of the error messages, but -Body doesn’t get updated with the $EventObject values.

This works fine for me (with the appropriate supplied variables)

Import-Module $env:SyncroModule

# $hours, $Count and $CreateTicket are the supplied script variables.
# Event ID 4625 = failed logon; look back $hours hours in the Security log.
$Events = Get-WinEvent -FilterHashtable @{Logname = 'security'; ID = 4625; StartTime = [datetime]::Now.AddHours(-$hours) } -ErrorAction SilentlyContinue
$EventObject = foreach ($Event in $Events) {
    # Turn the <EventData><Data Name="..."> elements into one object per event.
    [xml]$evt = $event.toXML()
    $ReadableData = $evt.Event.EventData.Data | foreach-object -Begin { $h = @{} } -Process { $h.add($_.name, $_.'#text') } -end { New-Object -TypeName PSObject -Property $h }
    [PSCustomObject]@{
        "Subject User Name"  = $ReadableData.SubjectUserName
        "Target username"    = $ReadableData.TargetUserName
        "IP"                 = $readabledata.IpAddress
        "Domain Name"        = $ReadableData.TargetDomainName
        "Failure Reason"     = $ReadableData.Status
        "Sub failure reason" = $ReadableData.SubStatus
    }
}

if ($events.count -gt $Count) {
    # Flatten the objects to plain text before handing them to Rmm-Alert.
    $EventObject = $EventObject | out-string
    Rmm-Alert -Category 'Brute force attempt' -Body "$EventObject"
    if ($CreateTicket -eq "Yes"){
        Create-Syncro-Ticket -Subject "Brute force attempt" -IssueType "Security" -Status "New"
    }
}

Sorry, Isaac. Your “2-line fix” does get rid of the errors and writes $EventObject to -Body appropriately in the Alert. I was looking for the $EventObject values in the ticket. I hadn’t had enough coffee when I replied last. Thank you for the help!!

Can confirm, Isaac’s 2-line fix is working, and his reply with the full script, too. Thank you very much!
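
An added example, not from any post in this thread or from CyberDrain's script: the script above alerts on the total number of 4625 events, and this sketch goes one step further by counting failures per source IP and building the plain-string body that `Rmm-Alert -Body` accepts. The function name `Get-FailedLogonSummary`, its `-Threshold` parameter and the sample events are assumptions made for illustration.

```powershell
# Constructed sample data: 4625 events cut down to the EventData fields used below.
$SampleEvents = @(
    '<Event><EventData><Data Name="TargetUserName">admin</Data><Data Name="IpAddress">203.0.113.10</Data></EventData></Event>'
    '<Event><EventData><Data Name="TargetUserName">backup</Data><Data Name="IpAddress">203.0.113.10</Data></EventData></Event>'
    '<Event><EventData><Data Name="TargetUserName">admin</Data><Data Name="IpAddress">203.0.113.10</Data></EventData></Event>'
    '<Event><EventData><Data Name="TargetUserName">jsmith</Data><Data Name="IpAddress">198.51.100.7</Data></EventData></Event>'
)

# Hypothetical helper: one row per source IP with at least $Threshold failures.
function Get-FailedLogonSummary {
    param(
        [string[]]$EventXml,
        [int]$Threshold = 3
    )
    $rows = foreach ($xml in $EventXml) {
        # Same Data Name/#text mapping as the script in the thread; index assignment
        # (rather than .Add) tolerates a repeated field name.
        $fields = @{}
        foreach ($d in ([xml]$xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TargetUser = $fields['TargetUserName']
            IP         = $fields['IpAddress']   # "-" when the logon had no network source
        }
    }
    $rows | Group-Object -Property IP |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                IP       = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.TargetUser | Sort-Object -Unique) -join ', '
            }
        }
}

# Flatten to a single string first, as in the two-line fix; this is the value
# that would be passed as: Rmm-Alert -Category 'Brute force attempt' -Body $Body
$Body = Get-FailedLogonSummary -EventXml $SampleEvents -Threshold 3 |
    Format-Table -AutoSize | Out-String
$Body
```

On a live machine the input would be `$Events | ForEach-Object { $_.ToXml() }` from the `Get-WinEvent` call in the script above.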