From c694eb1c8188c5f157623abaa397f21134460baa Mon Sep 17 00:00:00 2001
From: Yamato Security
Date: Mon, 24 May 2021 09:39:10 +0900
Subject: [PATCH] =?UTF-8?q?=E9=9B=86=E8=A8=88=E6=A9=9F=E8=83=BD=E3=81=AE?=
 =?UTF-8?q?=E5=92=8C=E8=A8=B3=20JP=20Translation=20Event=20ID=20Statistics?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Config/Language/en.ps1 | 19 ++++++++++++++++++-
 Config/Language/ja.ps1 | 15 ++++++++++++++-
 yea-security-timeline.ps1 | 28 +++++++++++++--------------
 3 files changed, 45 insertions(+), 17 deletions(-)

diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1
index bc400b30..73172550 100644
--- a/Config/Language/en.ps1
+++ b/Config/Language/en.ps1
@@ -2,6 +2,20 @@
 language config:English
 version
 #>
+# function Create-EventIDStatistics
+$Create_EventIDStatistics_CreatingStatisticsMessage = "Creating Event ID Statistics.`nPlease be patient."
+$Create_EventIDStatistics_TotalEventLogs = "Total event logs:"
+$Create_EventIDStatistics_FileSize = "File size:"
+$Create_EventIDStatistics_FirstEvent = "First event:"
+$Create_EventIDStatistics_LastEvent = "Last event:"
+$Create_EventIDStatistics_ProcessingTime = "Processing time: {0} hours {1} minutes {2} seconds."
+$Create_EventIDStatistics_Count = "Count"
+$Create_EventIDStatistics_ID = "ID"
+$Create_EventIDStatistics_Event = "Event"
+$Create_EventIDStatistics_TimelineOutput = "Timeline Output"
+$Create_EventIDStatistics_Comment = "Comment"
+
+
 $1100 = @{
 EventTitle = 'Event logging service was shut down';
 Comment = 'Good for finding signs of anti-forensics but most likely false positives when the system shuts down.';
@@ -290,7 +304,7 @@ $Create_LogonTimeline_SourceWorkstation = "Source Workstation"
 $Create_LogonTimeline_SourceIpAddress = "Source IP Address"
 $Create_LogonTimeline_SourceIpPort = "Source Port"
 $Create_LogonTimeline_LogonID = "Logon ID"
-$Create_LogonTimeline_Processing_Time = "Processing time: {0} hours {1} minutes {2} seconds"
+$Create_LogonTimeline_Processing_Time = "Processing time: {0} hours {1} minutes {2} seconds."
 $Create_LogonTimeline_NoLogoffEvent = "No logoff event"
 $Create_LogonTimeline_Total_Logon_Event_Records = "Total logon event records: "
 $Create_LogonTimeline_Data_Reduction = "Log event data reduction: "
@@ -308,3 +322,6 @@ $Create_LogonTimeline_Type11 = "Type 11 CachedInteractive/Cached Credentials Log
 $Create_LogonTimeline_Type12 = "Type 12 CachedRemoteInteractive (Ex: RDP with cached credentials, Microsoft Live Accounts):"
 $Create_LogonTimeline_Type13 = "Type 13 CachedUnlocked Logons (Ex: Unlock or RDP reconnect without authenticated to DC):"
 $Create_LogonTimeline_TypeOther = "Other Type Logons:"
+
+
+
diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1
index 8fe243c3..22b84886 100644
--- a/Config/Language/ja.ps1
+++ b/Config/Language/ja.ps1
@@ -3,7 +3,19 @@ language config:Japanese
 version
 #>
-# Event ID Statistics
+# function Create-EventIDStatistics
+$Create_EventIDStatistics_CreatingStatisticsMessage = "イベントIDを集計します。`n少々お待ちください。"
+$Create_EventIDStatistics_TotalEventLogs = "イベントの合計:"
+$Create_EventIDStatistics_FileSize = "ファイルサイズ:"
+$Create_EventIDStatistics_FirstEvent = "最初のイベント:"
+$Create_EventIDStatistics_LastEvent = "最後のイベント:"
+$Create_EventIDStatistics_ProcessingTime = "処理時間:{0}時{1}分{2}秒"
+$Create_EventIDStatistics_Count = "カウント"
+$Create_EventIDStatistics_ID = "ID"
+$Create_EventIDStatistics_Event = "イベント"
+$Create_EventIDStatistics_TimelineOutput = "タイムライン出力"
+$Create_EventIDStatistics_Comment = "コメント"
+
 $1100 = @{
 EventTitle = 'イベントログサービスがシャットダウンしました。';
 Comment = 'Good for finding signs of anti-forensics but most likely false positives when the system shuts down.';
@@ -313,3 +325,4 @@ $Create_LogonTimeline_Type11 = "タイプ 11 キャッシュされた認証情
 $Create_LogonTimeline_Type12 = "タイプ 12 キャッシュされた認証情報によるリモートインタラクティブログオン (例:キャッシュされた認証情報によるRDP、Microsoftライブアカウントの使用):"
 $Create_LogonTimeline_Type13 = "タイプ 13 キャッシュされた認証情報によるロック解除のログオン (例:DCに接続できない場合のロック解除またはRDP再接続):"
 $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:"
+
diff --git a/yea-security-timeline.ps1 b/yea-security-timeline.ps1
index 0b9ceaa9..871b8f2e 100755
--- a/yea-security-timeline.ps1
+++ b/yea-security-timeline.ps1
@@ -273,11 +273,9 @@ function Create-EventIDStatistics {
     # - Implement save-output
     # - Add comments to event IDs
     # - Explicitly output results in a table
-    # - Translate everything
     Write-Host
-    Write-Host "Creating Event ID Statistics"
-    Write-Host "Please be patient."
+    Write-Host $Create_EventIDStatistics_CreatingStatisticsMessage # "Creating Event ID Statistics. Please be patient."
     Write-Host
     $WineventFilter = @{}
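Review bot: `{0}時` in the added `$Create_EventIDStatistics_ProcessingTime` line reads as a clock hour rather than an elapsed-hours unit, while the value substituted for it is a duration (the timeline hunks format `$TempTimeSpan` hours, minutes and seconds into it); `$Create_EventIDStatistics_ProcessingTime = "処理時間:{0}時間{1}分{2}秒"` would match the 分/秒 units that follow. The English counterpart ends with a period and this one does not, so the two language files render the same line slightly differently; harmless, but worth aligning while both are being touched. Neither file's comment header says what code dot-sources them, so whether a missing `$Create_EventIDStatistics_*` variable prints as an empty string or fails under strict mode cannot be confirmed from these hunks.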
@@ -325,10 +323,10 @@ function Create-EventIDStatistics {
     $FirstEventTimestamp = $logs[0].TimeCreated.ToString($DateFormat)
     $LastEventTimestamp = $logs[-1].TimeCreated.ToString($DateFormat)
-    Write-Host "Total Event Logs: $TotalNumberOfLogs"
-    Write-Host "File Size: $filesize"
-    Write-Host "First event: $FirstEventTimestamp"
-    Write-Host "Last event: $LastEventTimestamp"
+    Write-Host "$Create_EventIDStatistics_TotalEventLogs $TotalNumberOfLogs" # "Total event logs: "
+    Write-Host "$Create_EventIDStatistics_FileSize $filesize" # "File size: "
+    Write-Host "$Create_EventIDStatistics_FirstEvent $FirstEventTimestamp" # "First event: "
+    Write-Host "$Create_EventIDStatistics_LastEvent $LastEventTimestamp" # "Last event: "
     $sorted = $eventlist.GetEnumerator() | sort Value -Descending #sorted gets turn into an array
     [System.Collections.ArrayList]$ArrayWithHeader = @()
@@ -340,7 +338,7 @@ function Create-EventIDStatistics {
         $EventInfo = EventInfo($Name)
         $PercentOfLogs = [math]::Round( ( $Value / $TotalNumberOfLogs * 100 ), 1 )
         $CountPlusPercent = "$value ($PercentOfLogs%)"
-        $val = [pscustomobject]@{'Count' = $CountPlusPercent ; 'ID' = $Name ; 'Event' = $EventInfo.EventTitle ; 'Timeline Detection' = $EventInfo.TimelineDetect } #; 'Comment' = $EventInfo.Comment
+        $val = [pscustomobject]@{$Create_EventIDStatistics_Count = $CountPlusPercent ; $Create_EventIDStatistics_ID = $Name ; $Create_EventIDStatistics_Event = $EventInfo.EventTitle ; $Create_EventIDStatistics_TimelineOutput = $EventInfo.TimelineDetect } #; $Create_EventIDStatistics_Comment = $EventInfo.Comment
         $ArrayWithHeader.Add($val) > $null
     }
@@ -353,7 +351,7 @@ function Create-EventIDStatistics {
     $RuntimeSeconds = $TempTimeSpan.Seconds.ToString()
     Write-Host
-    Write-Host "Processing time: $RuntimeHours hours $RuntimeMinutes minutes $RuntimeSeconds seconds"
+    Write-Host ( $Create_EventIDStatistics_ProcessingTime -f $RuntimeHours, $RuntimeMinutes, $RuntimeSeconds )
     $ArrayWithHeader
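Review bot: The rewritten `$val = [pscustomobject]@{$Create_EventIDStatistics_Count = ... }` line in `@@ -340,7 +338,7 @@` (and its twin in `@@ -407,7 +405,7 @@`) makes the object's property names depend on whichever language file was loaded, so anything that later consumes `$ArrayWithHeader` by name — `Select-Object`, `Where-Object`, an `Export-Csv` header, or a SIEM ingesting the file that the `# - Implement save-output` TODO in this file's first hunk still plans — gets a different schema per language. A hashtable literal also rejects duplicate keys at runtime, so two labels that happen to translate to the same word would abort the function; `ID` is already identical in both files and only passes because the other three labels differ. I would keep the original fixed keys on the object and apply the translated labels only where the array is rendered, at the `$ArrayWithHeader` line of `@@ -353,7 +351,7 @@` and `@@ -420,7 +418,7 @@`, via calculated properties as sketched below; if callers need the raw objects rather than a formatted table, the rendering step belongs in the display path instead, which these hunks do not show. Create-EventIDStatistics starts before and continues past every hunk in this file.
```powershell
        $val = [pscustomobject]@{'Count' = $CountPlusPercent ; 'ID' = $Name ; 'Event' = $EventInfo.EventTitle ; 'Timeline Detection' = $EventInfo.TimelineDetect }
    # … unchanged: $ArrayWithHeader.Add($val), runtime calculation, processing-time message …
    $ArrayWithHeader | Format-Table -AutoSize -Property @(
        @{ Label = $Create_EventIDStatistics_Count ; Expression = { $_.Count } },
        @{ Label = $Create_EventIDStatistics_ID ; Expression = { $_.ID } },
        @{ Label = $Create_EventIDStatistics_Event ; Expression = { $_.Event } },
        @{ Label = $Create_EventIDStatistics_TimelineOutput ; Expression = { $_.'Timeline Detection' } }
    )
```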
@@ -392,10 +390,10 @@ function Create-EventIDStatistics {
     $FirstEventTimestamp = $logs[0].TimeCreated.ToString($DateFormat)
     $LastEventTimestamp = $logs[-1].TimeCreated.ToString($DateFormat)
-    Write-Host "Total Event Logs: $TotalNumberOfLogs"
-    Write-Host "File Size: $filesize"
-    Write-Host "First event: $FirstEventTimestamp"
-    Write-Host "Last event: $LastEventTimestamp"
+    Write-Host "$Create_EventIDStatistics_TotalEventLogs $TotalNumberOfLogs" # "Total event logs: "
+    Write-Host "$Create_EventIDStatistics_FileSize $filesize" # "File size: "
+    Write-Host "$Create_EventIDStatistics_FirstEvent $FirstEventTimestamp" # "First event: "
+    Write-Host "$Create_EventIDStatistics_LastEvent $LastEventTimestamp" # "Last event: "
     $sorted = $eventlist.GetEnumerator() | sort Value -Descending #sorted gets turn into an array
     [System.Collections.ArrayList]$ArrayWithHeader = @()
@@ -407,7 +405,7 @@ function Create-EventIDStatistics {
         $EventInfo = EventInfo($Name)
         $PercentOfLogs = [math]::Round( ( $Value / $TotalNumberOfLogs * 100 ), 1 )
         $CountPlusPercent = "$value ($PercentOfLogs%)"
-        $val = [pscustomobject]@{'Count' = $CountPlusPercent ; 'ID' = $Name ; 'Event' = $EventInfo.EventTitle ; 'Timeline Detection' = $EventInfo.TimelineDetect } #; 'Comment' = $EventInfo.Comment
+        $val = [pscustomobject]@{$Create_EventIDStatistics_Count = $CountPlusPercent ; $Create_EventIDStatistics_ID = $Name ; $Create_EventIDStatistics_Event = $EventInfo.EventTitle ; $Create_EventIDStatistics_TimelineOutput = $EventInfo.TimelineDetect } #; $Create_EventIDStatistics_Comment = $EventInfo.Comment
         $ArrayWithHeader.Add($val) > $null
     }
@@ -420,7 +418,7 @@ function Create-EventIDStatistics {
     $RuntimeSeconds = $TempTimeSpan.Seconds.ToString()
     Write-Host
-    Write-Host "Processing time: $RuntimeHours hours $RuntimeMinutes minutes $RuntimeSeconds seconds"
+    Write-Host ( $Create_EventIDStatistics_ProcessingTime -f $RuntimeHours, $RuntimeMinutes, $RuntimeSeconds )
     $ArrayWithHeader