From 273ca4243001bdd0963f88f04bac10b5a8e1e7ee Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 16 Oct 2021 02:36:45 +0900 Subject: [PATCH] =?UTF-8?q?LiveAnalysys=E3=81=8C=E3=82=AA=E3=83=B3?= =?UTF-8?q?=E3=81=AE=E9=9A=9B=E3=81=ABSecuirty=E3=83=AD=E3=82=B0=E3=81=AE?= =?UTF-8?q?=E3=81=BF=E3=82=92=E7=A2=BA=E8=AA=8D=E3=81=99=E3=82=8B=E3=82=88?= =?UTF-8?q?=E3=81=86=E3=81=AB=E4=BF=AE=E6=AD=A3=20(#60)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Logon Timeline Bug: セキュリティ以外のタイムラインが作成されてしまう Fixes #58 * adapt autoformatter * change arraylist insert to add function * fixed typo * fixed argument check error * added filepath argument to logontimeline function * fixed processing evtxfiles when logfile is null * add warning in logfile or logdirectory is specified when liveanalysys * fixed output ERROR when set LogDirectory #58 * fix LiveAnalysys with LogDir or LogFile output condition #58 --- Config/Language/en.ps1 | 2 +- Config/Language/ja.ps1 | 4 ++-- WELA.ps1 | 42 ++++++++++++++++++++++++------------------ 3 files changed, 27 insertions(+), 21 deletions(-) diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1 index 3128ce14..9f376cc1 100644 --- a/Config/Language/en.ps1 +++ b/Config/Language/en.ps1 
@@ -326,7 +326,7 @@ $Create_LogonTimeline_TypeOther = "Other Type Logons:" $Create_LogonTimeline_localComputer = "LOCAL" $Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis." -$Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile at the same time." +$Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile (or -LogDirectory) at the same time." $Error_InCompatible_LogDirAndFile = "Error:You cannot specify -LogDirectory and -LogFile at the same time." $Error_NotSupport_LiveAnalysys = "Error: Live Analysis is only supported on Windows" $Error_NeedAdministratorPriv = "Error: You need to be running Powershell as Administrator." diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1 index db147cc7..a22a45c5 100644 --- a/Config/Language/ja.ps1 +++ b/Config/Language/ja.ps1 @@ -328,13 +328,13 @@ $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:" $Create_LogonTimeline_localComputer = "ローカル" $Warn_DC_LiveAnalysis = "注意:ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。" -$Error_InCompatible_LiveAnalysisAndLogFile = "エラー:「-LiveAnalysis」 と「-LogFile」を同時に指定できません。" +$Error_InCompatible_LiveAnalysisAndLogFile = "エラー:「-LiveAnalysis」 と「-LogFile」「-LogDirectory」を同時に指定できません。" $Error_InCompatible_LogDirAndFile = "エラー:「-LogDirectory」 と「-LogFile」を同時に指定できません。" $Error_NotSupport_LiveAnalysys = "エラー: ライブ調査はWindowsにしか対応していません。" $Error_NeedAdministratorPriv = "エラー: Powershellを管理者として実行する必要があります。" $Error_NoSaveOutputWithCSV = "エラー: 「-SaveOutput」を指定してください" $Error_NoNeedSaveOutputWithGUI = "エラー: 「-OutputGUI」と「-SaveOutput」を同時に指定できません。" -$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必用があります。" +$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必要があります。" #function Show-Contributors $Show_Contributors = 
diff --git a/WELA.ps1 b/WELA.ps1 index 0ebc6685..7c77ed57 100755 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -228,7 +228,7 @@ $TotalLogs = 0 $HostLanguage = Get-WinSystemLocale | Select-Object Name # en-US, ja-JP, etc.. -if ( $HostLanguage.Name -eq "ja-JP" -and $English -eq $true ){ +if ( $HostLanguage.Name -eq "ja-JP" -and $English -eq $true ) { Import-Module './Config/Language/en.ps1' -Force; } elseif ( $HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true ) { @@ -429,7 +429,7 @@ function Get-KerberosStatusStr { } function Create-LogonTimeline { - param([string] $UTCOffset) + param([string] $UTCOffset, [string] $filePath) # Notes: # Logoff events without corresponding logon events first won't be printed # The log service shutdown time is used for the shutdown time so might be wrong if the log service was turned off while the system was running. (anti-forensics, etc..) @@ -470,9 +470,9 @@ function Create-LogonTimeline { $WineventFilter.Add( "EndTime" , $EndTimeline ) } - $WineventFilter.Add( "Path", $LogFile ) - $filesize = Format-FileSize( (get-item $LogFile).length ) - $filesizeMB = (Get-Item $LogFile).length / 1MB + $WineventFilter.Add( "Path", $filePath ) + $filesize = Format-FileSize( (get-item $filePath).length ) + $filesizeMB = (Get-Item $filePath).length / 1MB $filesizeMB = $filesizeMB * 0.1 $ApproxTimeInSeconds = $filesizeMB * 60 @@ -481,7 +481,7 @@ function Create-LogonTimeline { $RuntimeMinutes = $TempTimeSpan.Minutes.ToString() $RuntimeSeconds = $TempTimeSpan.Seconds.ToString() - Write-Host ( $Create_LogonTimeline_Filename -f $LogFile ) # "File Name: {0}" + Write-Host ( $Create_LogonTimeline_Filename -f $filePath ) # "File Name: {0}" Write-Host ( $Create_LogonTimeline_Filesize -f $filesize ) # "File Size: {0}" Write-Host ( $Create_LogonTimeline_Estimated_Processing_Time -f $RuntimeHours, $RuntimeMinutes, $RuntimeSeconds ) # "Estimated processing time: {0} hours {1} minutes {2} seconds" 
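Review bot: The new `$filePath` parameter of `Create-LogonTimeline` is undocumented, although a `# Notes:` block sits right below it; add `# $filePath: full path of the .evtx file to process (replaces the former use of the script-scope $LogFile)` and, since the value feeds `Get-Item` a few lines later, either an explicit `if ($filePath -eq "") { ... exit }` guard or `[Parameter(Mandatory = $true)]` so a missing path fails at the call site. The function body runs well past this hunk; it is worth confirming no other `$LogFile` references remain inside it, because the caller's `foreach ( $LogFile in $evtxFiles )` makes the two names coincide only by accident.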
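Review bot: `get-item $filePath` on the two new lines resolves its argument as a wildcard pattern, so an evtx path containing `[`, `]`, `*` or `?` (typical for exported copies such as `Security[1].evtx`) fails with a path-not-found error or silently matches another file. Use `-LiteralPath` and read the size once: `$item = Get-Item -LiteralPath $filePath`, `$filesize = Format-FileSize( $item.Length )`, `$filesizeMB = $item.Length / 1MB`. Whether the `Path` value handed to `$WineventFilter` gets the same wildcard treatment by `Get-WinEvent` should be checked separately; the rest of the function lies outside this hunk.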
@@ -1770,7 +1770,7 @@ if ( $LiveAnalysis -eq $true -and $IsDC -eq $true ) { exit } -if ( $LiveAnalysis -eq $true -and $LogFile -ne "" ) { +if ( $LiveAnalysis -eq $true -and ($LogFile -ne "" -or $LogDirectory -ne "")) { Write-Host Write-Host $Error_InCompatible_LiveAnalysisAndLogFile -ForegroundColor White -BackgroundColor Red Write-Host @@ -1786,9 +1786,9 @@ if ( $LiveAnalysis -eq $false -and $LogFile -eq "" -and $EventID_Statistics -eq } #No analysis source was specified -if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM_UsageBasic -eq $true -or $AnalyzeNTLM_UsageDetailed -eq $true){ +if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM_UsageBasic -eq $true -or $AnalyzeNTLM_UsageDetailed -eq $true) { - if ( $LiveAnalysis -ne $true -and $LogFile -ne $true -and $LogDirectory -ne $true){ + if ( $LiveAnalysis -ne $true -and ($LogFile -ne "" -or $LogDirectory -ne "")) { Write-Host Write-Host $Error_InCompatible_NoLiveAnalysisOrLogFileSpecified -ForegroundColor White -BackgroundColor Red @@ -1801,7 +1801,10 @@ if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM #Create-Timeline -$evtxFiles = @($LogFile) +$evtxFiles = [System.Collections.ArrayList] @() +if ($LogFile -ne "") { + [void]$evtxFiles.Add($LogFile) +} if ( $LiveAnalysis -eq $true ) { @@ -1811,9 +1814,13 @@ if ( $LiveAnalysis -eq $true ) { $evtxFiles = @( "C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NTLM%4Operational.evtx" ) - - } else { - + } + elseif ($LogonTimeline -eq $true) { + $evtxFiles = @( + "C:\Windows\System32\winevt\Logs\Security.evtx" + ) + } + else { $evtxFiles = @( "C:\Windows\System32\winevt\Logs\Security.evtx", "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" 
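Review bot: The rewritten guard under `#No analysis source was specified` fires in the opposite case from the one its message describes: `$LiveAnalysis -ne $true -and ($LogFile -ne "" -or $LogDirectory -ne "")` is true exactly when a log file or directory *was* supplied without -LiveAnalysis, so a plain `-LogonTimeline -LogFile x.evtx` run prints `$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified`. The condition should read `if ( $LiveAnalysis -ne $true -and $LogFile -eq "" -and $LogDirectory -eq "" ) {`. The replaced comparison of a string against `$true` appears to have been always true, which may be why the inversion went unnoticed; the block's body, including whether it `exit`s, continues past the hunk.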
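Review bot: The new `elseif ($LogonTimeline -eq $true)` branch hard-codes `C:\Windows\System32\winevt\Logs\Security.evtx`, duplicating the literal of the `else` branch below it, so a live analysis on a host whose Windows directory is elsewhere misses the log without any error. Prefer `"$env:SystemRoot\System32\winevt\Logs\Security.evtx"` on the new line (the surrounding branches have the same issue, but the added code is the place to start) and consider hoisting the path into one variable so both branches cannot drift apart. The condition of the enclosing `if` that selects the NTLM log is outside the hunk, so the precedence between `-LogonTimeline` and the NTLM switches cannot be judged here.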
@@ -1829,8 +1836,7 @@ elseif ( $LogDirectory -ne "" ) { exit } - $evtxFiles = Get-ChildItem -Filter *.evtx -Path $LogDirectory | ForEach-Object { $_.FullName } - + Get-ChildItem -Filter *.evtx -Path $LogDirectory | ForEach-Object { [void]$evtxFiles.Add($_.FullName) } } $Timezone = Get-TimeZone @@ -1852,18 +1858,18 @@ foreach ( $LogFile in $evtxFiles ) { if ( $LogonTimeline -eq $true ) { - Create-LogonTimeline $UTCOffset + Create-LogonTimeline $UTCOffset -filePath $LogFile } - if ( $AnalyzeNTLM_UsageBasic -eq $true){ + if ( $AnalyzeNTLM_UsageBasic -eq $true) { . ($AnalyzersPath + "NTLM-Operational.ps1") Analyze-NTLMOperationalBasic } - if ( $AnalyzeNTLM_UsageDetailed -eq $true){ + if ( $AnalyzeNTLM_UsageDetailed -eq $true) { . ($AnalyzersPath + "NTLM-Operational.ps1") Analyze-NTLMOperationalDetailed
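Review bot: `Get-ChildItem -Filter *.evtx -Path $LogDirectory` on the new line also returns a sub-directory that happens to be named `*.evtx`, treats `$LogDirectory` as a wildcard pattern (a directory name containing `[` or `]` fails), and when nothing matches the ArrayList stays empty so the script proceeds silently. Suggest `Get-ChildItem -LiteralPath $LogDirectory -Filter *.evtx -File | ForEach-Object { [void]$evtxFiles.Add($_.FullName) }` followed by `if ($evtxFiles.Count -eq 0) { Write-Host "No .evtx files found in $LogDirectory" -ForegroundColor White -BackgroundColor Red; exit }`. The existence check that precedes this line (the `exit }` context) is partly outside the hunk, so I cannot tell whether it already rejects non-directories.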