diff --git a/Analyzers/NTLM-Operational.ps1 b/Analyzers/NTLM-Operational.ps1 index 8ba6d9c2..bae78e19 100755 --- a/Analyzers/NTLM-Operational.ps1 +++ b/Analyzers/NTLM-Operational.ps1 @@ -277,6 +277,7 @@ function Analyze-NTLMOperationalBasic { function Analyze-NTLMOperationalDetailed { + $output = @() $WineventFilter = @{} $EventIDsToAnalyze = 8001, 8002, 8004 $WineventFilter.Add("ID", $EventIDsToAnalyze) @@ -418,10 +419,13 @@ function Analyze-NTLMOperationalDetailed { } } - if ( $8004_SChannelNameList -notcontains $8004_msgSChannelName ) { $8004_SChannelNameList.Add($8004_msgSChannelName) } - if ( $8004_UserNameList -notcontains $8004_msgUserName ) { $8004_UserNameList.Add($8004_msgUserName) } - if ( $8004_WorkstationNameList -notcontains $8004_msgWorkstationName ) { $8004_WorkstationNameList.Add($8004_msgWorkstationName) } - if ( $8004_SChannelTypeList -notcontains $8004_msgSChannelType ) { $8004_SChannelTypeList.Add($8004_msgSChannelType) } + $tempoutput = [Ordered]@{ + $SecureChannelName = $8004_msgSChannelName ; + $UserName = $8004_msgUserName ; + + } + $output += [PSCustomObject]$tempoutput + $output } } @@ -514,4 +518,5 @@ function Analyze-NTLMOperationalDetailed { Write-Host "8002 Events: " $8002_NumberOfLogs Write-Host "8004 Events: " $8004_NumberOfLogs Write-Host + $output } diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1 index 48dd3116..67389914 100644 --- a/Config/Language/en.ps1 +++ b/Config/Language/en.ps1 
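Review bot: In the @@ -418 hunk the bare `$output` statement that follows `$output += [PSCustomObject]$tempoutput` writes the whole accumulated array to the pipeline on every pass through the enclosing block (presumably the per-event loop), so each row is emitted again for every later event, and the @@ -514 hunk then emits `$output` once more at the end of the function. The hash-table keys `$SecureChannelName` and `$UserName` are variable references rather than property names; unless those variables are set somewhere outside the hunk they evaluate to `$null` and the literal fails with a null-key error, so they should be bare names. The removed `-notcontains`/`Add` lines also stop populating `$8004_SChannelNameList`, `$8004_UserNameList`, `$8004_WorkstationNameList` and `$8004_SChannelTypeList`; if those lists are still read further down the function they now stay empty, and the workstation and channel-type values no longer reach the output at all. The enclosing block starts and ends outside the hunk.
```powershell
# … unchanged: per-event field extraction …
$output += [PSCustomObject][Ordered]@{
    SecureChannelName = $8004_msgSChannelName
    UserName          = $8004_msgUserName
    WorkstationName   = $8004_msgWorkstationName
    SecureChannelType = $8004_msgSChannelType
}
# no bare $output here; the single $output at the end of the function emits the rows once
```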
@@ -326,12 +326,13 @@ $Create_LogonTimeline_TypeOther = "Other Type Logons:" $Create_LogonTimeline_localComputer = "LOCAL" $Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis." -$Error_InCompatible_LiveAnalysisAndLogFile = "Error: you cannot specify -LiveAnalysis and -LogFile at the same time." -$Error_InCompatible_LogDirAndFile = "Error:you cannot specify -LogDirectory and -LogFile at the same time." +$Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile at the same time." +$Error_InCompatible_LogDirAndFile = "Error:You cannot specify -LogDirectory and -LogFile at the same time." $Error_NotSupport_LiveAnalysys = "Error: Live Analysis is only supported on Windows" $Error_NeedAdministratorPriv = "Error: You need to be running Powershell as Administrator." -$Error_NoSaveOutputWithCSV = "Error: you need to specify -SaveOutput" -$Error_NoNeedSaveOutputWithGUI = "Error: you cannot output to GUI with the -SaveOutput parameter" +$Error_NoSaveOutputWithCSV = "Error: You need to specify -SaveOutput" +$Error_NoNeedSaveOutputWithGUI = "Error: You cannot output to GUI with the -SaveOutput parameter" +$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "Error: You need to specify -LiveAnalysis or -LogFile" #function Show-Contributors 
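Review bot: The rewritten `$Error_InCompatible_LogDirAndFile` line capitalises "You" but still lacks the space after the colon that the other four messages in this hunk have; it should read `$Error_InCompatible_LogDirAndFile = "Error: You cannot specify -LogDirectory and -LogFile at the same time."`. The new `$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified` string names only -LiveAnalysis and -LogFile, while the check in WELA.ps1 that prints it also tests -LogDirectory; if that switch is meant to count as a source, the message could list it as well.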
@@ -366,23 +367,17 @@ function Show-Help { Write-Host Write-Host "Analysis Type (Specify one):" - Write-Host " -EventIDStatistics" -NoNewline -ForegroundColor Green + Write-Host " -AnalyzeNTLM_UsageBasic" -NoNewline -ForegroundColor Green + Write-Host " : Returns basic NTLM usage based on the NTLM Operational log" + + Write-Host " -AnalyzeNTLM_UsageDetailed" -NoNewline -ForegroundColor Green + Write-Host " : Returns detailed NTLM usage based on the NTLM Operational log" + + Write-Host " -EventID_Statistics" -NoNewline -ForegroundColor Green Write-Host " : Output event ID statistics" Write-Host " -LogonTimeline" -NoNewline -ForegroundColor Green - Write-Host " : Output a simple timeline of user logons" - - Write-Host - Write-Host "Output Types (Default: Standard Output):" - - Write-Host " -SaveOutput " -NoNewline -ForegroundColor Green - Write-Host " : Output results to a text file" - - Write-Host " -OutputCSV" -NoNewline -ForegroundColor Green - Write-Host " : Outputs to CSV" - - Write-Host " -OutputGUI" -NoNewline -ForegroundColor Green - Write-Host " : Outputs to the Out-GridView GUI" + Write-Host " : Output a condensed timeline of user logons based on the Security log" Write-Host Write-Host "Analysis Options:" 
@@ -393,11 +388,26 @@ function Show-Help { Write-Host " -EndTimeline """"" -NoNewline -ForegroundColor Green Write-Host " : Specify the end of the timeline" + Write-Host + Write-Host "-LogonTimeline Analysis Options:" + Write-Host " -IsDC" -NoNewline -ForegroundColor Green Write-Host " : Specify if the logs are from a DC" Write-Host - Write-Host "Output Options:" + Write-Host "Output Types (Default: Standard Output):" + + Write-Host " -SaveOutput " -NoNewline -ForegroundColor Green + Write-Host " : Output results to a text file" + + Write-Host " -OutputCSV" -NoNewline -ForegroundColor Green + Write-Host " : Outputs to CSV" + + Write-Host " -OutputGUI" -NoNewline -ForegroundColor Green + Write-Host " : Outputs to the Out-GridView GUI" + + Write-Host + Write-Host "General Output Options:" Write-Host " -USDateFormat" -NoNewline -ForegroundColor Green Write-Host " : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD)" @@ -407,15 +417,18 @@ function Show-Help { Write-Host " -UTC" -NoNewline -ForegroundColor Green Write-Host " : Output in UTC time (default is the local timezone)" - + + Write-Host " -Japanese" -NoNewline -ForegroundColor Green + Write-Host " : Output in Japanese" + + Write-Host + Write-Host "-LogonTimeline Output Options:" + Write-Host " -HideTimezone" -NoNewline -ForegroundColor Green Write-Host " : Hides the timezone" Write-Host " -ShowLogonID" -NoNewline -ForegroundColor Green - Write-Host " : Specify if you want to see Logon IDs" - - Write-Host " -Japanese" -NoNewline -ForegroundColor Green - Write-Host " : Output in Japanese" + Write-Host " : Show logon IDs" Write-Host Write-Host "Other:" @@ -424,7 +437,7 @@ function Show-Help { Write-Host " : Show the contributors" Write-Host " -QuietLogo" -NoNewline -ForegroundColor Green - Write-Host " : Hide Execute WELA Logo" + Write-Host " : Do not display the WELA logo" Write-Host diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1 index 095b4757..63f72770 100644 --- a/Config/Language/ja.ps1 
+++ b/Config/Language/ja.ps1 @@ -334,6 +334,7 @@ $Error_NotSupport_LiveAnalysys = "エラー: ライブ調査はWindowsにし $Error_NeedAdministratorPriv = "エラー: Powershellを管理者として実行する必要があります。" $Error_NoSaveOutputWithCSV = "エラー: 「-SaveOutput」を指定してください" $Error_NoNeedSaveOutputWithGUI = "エラー: 「-OutputGUI」と「-SaveOutput」を同時に指定できません。" +$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必用があります。" #function Show-Contributors $Show_Contributors = @@ -349,7 +350,7 @@ DustInDark - ローカライゼーション、和訳 function Show-Help { Write-Host - Write-Host "Windows Event Log Analyzer(WELA)" -ForegroundColor Green + Write-Host "Windows Event Log Analyzer(WELA) ゑ羅(ウェラ)" -ForegroundColor Green Write-Host "バージョン: $YEAVersion" -ForegroundColor Green Write-Host "作者: 田中ザック (@yamatosecurity)と大和セキュリティメンバー" -ForegroundColor Green Write-Host 
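Review bot: The new `$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified` string in the @@ -334 hunk reads `必用があります`; the standard spelling is `必要があります`, so the line should be `$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必要があります。"`. The two neighbouring messages quote switch names as 「-SaveOutput」 and 「-OutputGUI」, so quoting them the same way here would keep the file's style consistent.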
@@ -358,30 +359,24 @@ function Show-Help { Write-Host " -LiveAnalysis" -NoNewline -ForegroundColor Green Write-Host " : ホストOSのログでタイムラインを作成する" - Write-Host " -LogFile " -NoNewline -ForegroundColor Green + Write-Host " -LogFile <ログファイルのパス>" -NoNewline -ForegroundColor Green Write-Host " : オフラインの.evtxファイルでタイムラインを作成する" Write-Host Write-Host "解析タイプを一つ指定して下さい:" + Write-Host " -AnalyzeNTLM_UsageBasic" -NoNewline -ForegroundColor Green + Write-Host " : NTLM Operationalログを解析し、NTLM認証の使用を簡潔に出力する" + + Write-Host " -AnalyzeNTLM_UsageDetailed" -NoNewline -ForegroundColor Green + Write-Host " : NTLM Operationalログを解析し、NTLM認証の使用を詳細に出力する" + Write-Host " -EventIDStatistics" -NoNewline -ForegroundColor Green Write-Host " : イベントIDの集計情報を出力する" Write-Host " -LogonTimeline" -NoNewline -ForegroundColor Green Write-Host " : ユーザログオンの簡単なタイムラインを出力する" - Write-Host - Write-Host "出力方法(デフォルト:標準出力):" - - Write-Host " -SaveOutput <出力パス>" -NoNewline -ForegroundColor Green - Write-Host " : テキストファイルに出力する" - - Write-Host " -OutputCSV" -NoNewline -ForegroundColor Green - Write-Host " : CSVファイルに出力する" - - Write-Host " -OutputGUI" -NoNewline -ForegroundColor Green - Write-Host " : Out-GridView GUIに出力する" - Write-Host Write-Host "解析オプション:" @@ -391,9 +386,24 @@ function Show-Help { Write-Host " -EndTimeline """"" -NoNewline -ForegroundColor Green Write-Host " : タイムラインの終わりを指定する" + Write-Host + Write-Host "-LogonTimelineの解析オプション:" + Write-Host " -IsDC" -NoNewline -ForegroundColor Green Write-Host " : ドメインコントローラーのログの場合は指定して下さい" + Write-Host + Write-Host "出力方法(デフォルト:標準出力):" + + Write-Host " -SaveOutput <出力パス>" -NoNewline -ForegroundColor Green + Write-Host " : テキストファイルに出力する" + + Write-Host " -OutputCSV" -NoNewline -ForegroundColor Green + Write-Host " : CSVファイルに出力する" + + Write-Host " -OutputGUI" -NoNewline -ForegroundColor Green + Write-Host " : Out-GridView GUIに出力する" + Write-Host Write-Host "出力オプション:" 
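Review bot: The Show-Help text in the @@ -358 hunk still prints ` -EventIDStatistics` (a context line on the new side) while WELA.ps1 in this same commit renames the parameter to `-EventID_Statistics` and en.ps1 already shows the new name, so Japanese users are told a switch that no longer binds. The line should become `Write-Host " -EventID_Statistics" -NoNewline -ForegroundColor Green`; README-Japanese.md carries the same stale name in its option list. Show-Help continues outside the hunk.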
@@ -406,15 +416,18 @@ function Show-Help { Write-Host " -UTC" -NoNewline -ForegroundColor Green Write-Host " : 時間をUTC形式で出力する。(デフォルトはローカルタイムゾーン)" + Write-Host " -Japanese" -NoNewline -ForegroundColor Green + Write-Host " : 日本語で出力する" + + Write-Host + Write-Host "-LogonTimelineの出力オプション:" + Write-Host " -HideTimezone" -NoNewline -ForegroundColor Green Write-Host " : タイムゾーンの表示をしない" Write-Host " -ShowLogonID" -NoNewline -ForegroundColor Green Write-Host " : ログオンIDを出力する" - Write-Host " -Japanese" -NoNewline -ForegroundColor Green - Write-Host " : 日本語で出力する" - Write-Host Write-Host "その他:" diff --git a/README-English.md b/README-English.md index 55152e1a..264be2af 100644 --- a/README-English.md +++ b/README-English.md 
@@ -40,46 +40,55 @@ Tested on Windows Powershell 5.1 but may work with previous versions. It will un At the moment, please use a Windows Powershell 5.1. You will need local Administrator access for live analysis. - Analysis Source (Specify one): -LiveAnalysis : Creates a timeline based on the live host's log -LogFile : Creates a timelime from an offline .evtx file Analysis Type (Specify one): - -EventIDStatistics : Output event ID statistics - -LogonTimeline : Output a simple timeline of user logons + -AnalyzeNTLM_UsageBasic : Returns basic NTLM usage based on the NTLM Operational log + -AnalyzeNTLM_UsageDetailed : Returns detailed NTLM usage based on the NTLM Operational log + -EventID_Statistics : Output event ID statistics + -LogonTimeline : Output a condensed timeline of user logons based on the Security log + + Analysis Options: + -StartTimeline "" : Specify the start of the timeline + -EndTimeline "" : Specify the end of the timeline + + -LogonTimeline Analysis Options: + -IsDC : Specify if the logs are from a DC Output Types (Default: Standard Output): -SaveOutput : Output results to a text file -OutputCSV : Outputs to CSV -OutputGUI : Outputs to the Out-GridView GUI - Analysis Options: - -StartTimeline "" : Specify the start of the timeline - -EndTimeline "" : Specify the end of the timeline - -IsDC $true : Specify if the logs are from a DC - - Output Options: + General Output Options: -USDateFormat : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD) -EuropeDateFormat : Output the dates in DD-MM-YYYY format (Default: YYYY-MM-DD) - -UTC : Output in UTC time - -HideTimezone : Hides the timezone being used - -ShowLogonID : Specify if you want to see Logon IDs + -UTC : Output in UTC time (default is the local timezone) -Japanese : Output in Japanese + -LogonTimeline Output Options: + -HideTimezone : Hides the timezone + -ShowLogonID : Show logon IDs + Other: -ShowContributors : Show the contributors + -QuietLogo : Do not display the WELA logo ## 
Useful Options Show event ID statistics to get a grasp of what kind of events there are: - .\WELA.ps1 -EventIDStatistics + .\WELA.ps1 -EventID_Statistics Create a timeline via offline analysis outputted to a GUI in UTC time: .\WELA.ps1 -LogFile .\Security.evtx -LogonTimeline -OutputGUI -UTC +Analyze NTLM Operational logs for NTLM usage before disabling it: + .\WELA.ps1 -AnalyzeNTLM_UsageBasic -LogFile .\DC1-NTLM-Operational.evtx + ## Screenshots Logon Timeline GUI: diff --git a/README-Japanese.md b/README-Japanese.md index ef3521ad..4b137524 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -42,32 +42,39 @@ Windows Powershell 5.1で動作確認済みですが、以前のバージョン 解析ソースを一つ指定して下さい: -LiveAnalysis : ホストOSのログでタイムラインを作成する - -LogFile : オフラインの.evtxファイルでタイムラインを作成する + -LogFile <ログファイルのパス> : オフラインの.evtxファイルでタイムラインを作成する 解析タイプを一つ指定して下さい: + -AnalyzeNTLM_UsageBasic : NTLM Operationalログを解析し、NTLM認証の使用を簡潔に出力する + -AnalyzeNTLM_UsageDetailed : NTLM Operationalログを解析し、NTLM認証の使用を詳細に出力する -EventIDStatistics : イベントIDの集計情報を出力する -LogonTimeline : ユーザログオンの簡単なタイムラインを出力する - 出力方法(デフォルト:標準出力): - -SaveOutput <出力パス> : テキストファイルに出力する - -OutputCSV : CSVファイルに出力する - -OutputGUI : Out-GridView GUIに出力する - 解析オプション: -StartTimeline "" : タイムラインの始まりを指定する -EndTimeline "" : タイムラインの終わりを指定する + + -LogonTimelineの解析オプション: -IsDC : ドメインコントローラーのログの場合は指定して下さい + 出力方法(デフォルト:標準出力): + -SaveOutput <出力パス> : テキストファイルに出力する + -OutputCSV : CSVファイルに出力する + -OutputGUI : Out-GridView GUIに出力する + 出力オプション: - -USDateFormat : 日付をMM-DD-YYYY形式で出力する (デフォルト:YYYY-MM-DD) - -EuropeDateFormat : 日付をDD-MM-YYYY形式で出力する (デフォルト:YYYY-MM-DD) - -UTC : 時間をUTC形式で出力する + -USDateFormat : 日付をMM-DD-YYYY形式で出力する (デフォルト: YYYY-MM-DD) + -EuropeDateFormat : 日付をDD-MM-YYYY形式で出力する (デフォルト: YYYY-MM-DD) + -UTC : 時間をUTC形式で出力する。(デフォルトはローカルタイムゾーン) + -Japanese : 日本語で出力する + + -LogonTimelineの出力オプション: -HideTimezone : タイムゾーンの表示をしない -ShowLogonID : ログオンIDを出力する - -Japanese : 日本語で出力する その他: -ShowContributors : コントリビューターの一覧表示 + -QuietLogo : ロゴを表示させずに実行する ## 便利な機能 
diff --git a/WELA.ps1 b/WELA.ps1 index bf570a62..b4b8db9b 100755 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -93,7 +93,7 @@ param ( [string]$LogFile = "", [string]$LogDirectory = "", [switch]$ShowContributors, - [switch]$EventIDStatistics, + [switch]$EventID_Statistics, [switch]$LogonTimeline, [switch]$AccountInformation, [switch]$OutputGUI, @@ -101,8 +101,8 @@ param ( [switch]$UTC, [switch]$HideTimezone, [switch]$QuietLogo, - [switch]$AnalyzeNTLMBasic, - [switch]$AnalyzeNTLMDetailed + [switch]$AnalyzeNTLM_UsageBasic, + [switch]$AnalyzeNTLM_UsageDetailed ) $DisplayTimezone = !($HideTimezone); @@ -1774,13 +1774,27 @@ if ( $LiveAnalysis -eq $true -and $LogFile -ne "" ) { } # Show-Helpは各言語のModuleに移動したためShow-Help関数は既に指定済みの言語の内容となっているため言語設定等の参照は行わない -if ( $LiveAnalysis -eq $false -and $LogFile -eq "" -and $EventIDStatistics -eq $false -and $LogonTimeline -eq $false -and $AccountInformation -eq $false ) { +if ( $LiveAnalysis -eq $false -and $LogFile -eq "" -and $EventID_Statistics -eq $false -and $LogonTimeline -eq $false -and $AccountInformation -eq $false -and $AnalyzeNTLM_UsageBasic -eq $false -and $AnalyzeNTLM_UsageDetailed -eq $false) { Show-Help exit } +#No analysis source was specified +if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM_UsageBasic -eq $true -or $AnalyzeNTLM_UsageDetailed -eq $true){ + + if ( $LiveAnalysis -ne $true -and $LogFile -ne $true -and $LogDirectory -ne $true){ + + Write-Host + Write-Host $Error_InCompatible_NoLiveAnalysisOrLogFileSpecified -ForegroundColor White -BackgroundColor Red + Write-Host + exit + + } + +} + #Create-Timeline $evtxFiles = @($LogFile) @@ -1826,7 +1840,7 @@ if ( $UTC -eq $true ) { foreach ( $LogFile in $evtxFiles ) { - if ( $EventIDStatistics -eq $true ) { + if ( $EventID_Statistics -eq $true ) { Create-EventIDStatistics 
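Review bot: In the @@ -1774 hunk the new source check `$LogFile -ne $true -and $LogDirectory -ne $true` compares `[string]` parameters (declared as `[string]$LogFile = ""` and `[string]$LogDirectory = ""` in the @@ -93 hunk) against a boolean; PowerShell converts `$true` to the string "True" for that comparison, so any real path is `-ne "True"` and the script exits with `$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified` even when -LogFile was supplied. The Show-Help condition just above already tests emptiness with `$LogFile -eq ""`, and the inner test should do the same: `if ( -not $LiveAnalysis -and [string]::IsNullOrEmpty($LogFile) -and [string]::IsNullOrEmpty($LogDirectory) ) {`. The comment `#No analysis source was specified` sits above the outer analysis-type check rather than the inner source check; rewording it to `# An analysis type was requested: a source (-LiveAnalysis, -LogFile or -LogDirectory) is required` would describe what the block actually tests.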
@@ -1838,14 +1852,14 @@ foreach ( $LogFile in $evtxFiles ) { } - if ( $AnalyzeNTLMBasic -eq $true){ + if ( $AnalyzeNTLM_UsageBasic -eq $true){ . ($AnalyzersPath + "NTLM-Operational.ps1") Analyze-NTLMOperationalBasic } - if ( $AnalyzeNTLMDetailed -eq $true){ + if ( $AnalyzeNTLM_UsageDetailed -eq $true){ . ($AnalyzersPath + "NTLM-Operational.ps1") Analyze-NTLMOperationalDetailed