From 5d8275b45f740818216a04b33cf300a7b97a9603 Mon Sep 17 00:00:00 2001 From: "Eilay Yosfan (DFIR)" Date: Wed, 21 Feb 2024 22:56:46 +0200 Subject: [PATCH] change --- .../03-Features/05-UsersGroupsActivity.ps1 | 77 ++++++++++++++++--- .../Auth.Log/03-Features/07-sudoActivity.ps1 | 26 ++++--- MasterParser.ps1 | 1 + 3 files changed, 82 insertions(+), 22 deletions(-) diff --git a/02-LogModules/Auth.Log/03-Features/05-UsersGroupsActivity.ps1 b/02-LogModules/Auth.Log/03-Features/05-UsersGroupsActivity.ps1 index b76f96c..bdc6aca 100644 --- a/02-LogModules/Auth.Log/03-Features/05-UsersGroupsActivity.ps1 +++ b/02-LogModules/Auth.Log/03-Features/05-UsersGroupsActivity.ps1 @@ -168,6 +168,9 @@ if ($useradd_Count -ge 1) { Write-Output " |" Write-Output " V User Creation Activity - Statistics Table" + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["useradd"]) { @@ -181,12 +184,17 @@ if ($useradd_Count -ge 1) { $UserCreation = $UserCreation.PadRight($MaxChar_UserCreation) # Output the result for the current event - $Result = Write-Output "| Event: User Creation Activity | Time: $TimeAndDate | Created User Name: $UserCreation |" + $Result = Write-Output "| Time: $TimeAndDate | Event: User Creation Activity | Created User Name: $UserCreation |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } @@ -243,6 +251,9 @@ if ($userdel_Count -ge 1) { Write-Output " |" Write-Output " V User Deletion Activity - Statistics Table" + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["userdel"]) { 
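Review bot: The first-iteration guard is a string flag tested with a regex (`$Flag = "Enable"` / `if ($Flag -match "Enable")`), which also overwrites the automatic `$Matches` variable on every pass of the loop; a boolean reads more directly and has no side effect: `$FirstRow = $true`, `if ($FirstRow) {`, `$FirstRow = $false`. The same pattern is repeated in every statistics-table hunk of 05-UsersGroupsActivity.ps1 and in the session table of 07-sudoActivity.ps1, so the change should be applied uniformly to keep the sections consistent. The rewritten row lines also keep the `$Result = Write-Output "..."` form; assigning the string directly, `$Result = "| Time: $TimeAndDate | Event: User Creation Activity | Created User Name: $UserCreation |"`, is the plain idiom and behaves the same here. The enclosing `if ($useradd_Count -ge 1)` and `foreach` blocks begin and end outside these hunks.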
@@ -256,12 +267,17 @@ if ($userdel_Count -ge 1) { $UserDeletion = $UserDeletion.PadRight($MaxChar_UserDeletion) # Output the result for the current event - $Result = Write-Output "| Event: User Deletion Activity | Time: $TimeAndDate | Deleted User Name: $UserDeletion |" + $Result = Write-Output "| Time: $TimeAndDate | Event: User Deletion Activity | Deleted User Name: $UserDeletion |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } @@ -347,6 +363,9 @@ if ($groupadd_Count -ge 1) { Write-Output " |" Write-Output " V Group Creation Activity - Statistics Table" + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["groupadd"]) { @@ -360,12 +379,17 @@ if ($groupadd_Count -ge 1) { $CreatedGroup = $CreatedGroup.PadRight($MaxChar_CreatedGroup) # Output the result for the current event - $Result = Write-Output "| Event: Group Creation Activity | Time: $TimeAndDate | Created Group: $CreatedGroup |" + $Result = Write-Output "| Time: $TimeAndDate | Event: Group Creation Activity | Created Group: $CreatedGroup |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } @@ -422,6 +446,9 @@ if ($groudel_Count -ge 1) { Write-Output " |" Write-Output " V Group Deletion Activity - Statistics Table" + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["groudel"]) { 
@@ -435,12 +462,17 @@ if ($groudel_Count -ge 1) { $DeletedGroup = $DeletedGroup.PadRight($MaxChar_DeletedGroup) # Output the result for the current event - $Result = Write-Output "| Event: Group Deletion Activity | Time: $TimeAndDate | Deleted Group: $DeletedGroup |" + $Result = Write-Output "| Time: $TimeAndDate | Event: Group Deletion Activity | Deleted Group: $DeletedGroup |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } @@ -500,7 +532,10 @@ if ($AddUserToGroup_Count -ge 1) { # Strings for the top title of the Statistics Table Write-Output " |" - Write-Output " V User Removed From A Group Activity - Statistics Table" + Write-Output " V User Added To A Group Activity - Statistics Table" + + # flag to stop $Border iteration after first iteration + $Flag = "Enable" # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["AddUserToGroup"]) { @@ -519,12 +554,17 @@ if ($AddUserToGroup_Count -ge 1) { $ToGroup = $ToGroup.PadRight($MaxChar_ToGroup) # Output the result for the current event - $Result = Write-Output "| Event: User Added To A Group | Time: $TimeAndDate | The User: $AddedUser | To Group: $ToGroup |" + $Result = Write-Output "| Time: $TimeAndDate | Event: User Added To A Group | The User: $AddedUser | To Group: $ToGroup |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } 
@@ -590,6 +630,9 @@ if ($RemoveUserFromGroup_Count -ge 1) { Write-Output " |" Write-Output " V User Removed From A Group Activity - Statistics Table" + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # foreach loop to iterate and past each event separate from the hashtable foreach ($Event in $UsersGroupActivity_HT["RemoveUserFromGroup"]) { @@ -610,21 +653,26 @@ if ($RemoveUserFromGroup_Count -ge 1) { $FromGroup = $FromGroup.PadRight($MaxChar_FromGroup) # Output the result for the current event - $Result = Write-Output "| Event: User Removed From Group | Time: $TimeAndDate | The User: $RemovedUser | Removed By: $RemovedBy | From Group: $FromGroup |" + $Result = Write-Output "| Time: $TimeAndDate | Event: User Removed From Group | The User: $RemovedUser | Removed By: $RemovedBy | From Group: $FromGroup |" # multiply $Result.Length with "-" hyfen symbol to get the boarder $Border = '-' * ($Result.Length - 2) + # print the result in a table + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Result" } Write-Output " +$Border+" } - # print out the user information change if ($UserInformationChange_Count -ge 1) { + Write-Output "" Write-Output "User Information Change - Raw Events" @@ -675,8 +723,6 @@ if ($UserInformationChange_Count -ge 1) { $UserInformationChange[$UserName] = 1 } } - - # print out the title of the table Write-Output " |" Write-Output " V User Information Change - Statistics Table" @@ -684,6 +730,9 @@ if ($UserInformationChange_Count -ge 1) { $MaxCharKey = ($UserInformationChange.Keys | Measure-Object Length -Maximum).Maximum $MaxCharValue = ($UserInformationChange.Values | Measure-Object -Maximum).Maximum.ToString().Length + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # iterate through all the keys in the hashtable in a foreach loop foreach ($Key in $UserInformationChange.Keys) { 
@@ -697,13 +746,17 @@ if ($UserInformationChange_Count -ge 1) { # calculate border $Border = '-' * ($Final.Length - 2) - # print the result in a table + # Print the boarder once + if ($Flag -match "Enable") { Write-Output " +$Border+" + $Flag = "Disable" + } + Write-Output " $Final" + } # last board print outside of the foreach loop Write-Output " +$Border+" - } # reset variables diff --git a/02-LogModules/Auth.Log/03-Features/07-sudoActivity.ps1 b/02-LogModules/Auth.Log/03-Features/07-sudoActivity.ps1 index 384549a..de828fb 100644 --- a/02-LogModules/Auth.Log/03-Features/07-sudoActivity.ps1 +++ b/02-LogModules/Auth.Log/03-Features/07-sudoActivity.ps1 @@ -68,6 +68,9 @@ if ($Elevated_Sessions_Opened_Count -ge 1) { $MaxCharKey = ($Session_HT.Keys | Measure-Object Length -Maximum).Maximum $MaxCharValue = ($Session_HT.Values | Measure-Object -Maximum).Maximum.ToString().Length + # flag to stop $Border iteration after first iteration + $Flag = "Enable" + # Output table foreach ($Key in $Session_HT.Keys) { $SpacedKey = $Key.PadRight($MaxCharKey) @@ -76,7 +79,12 @@ if ($Elevated_Sessions_Opened_Count -ge 1) { $Final = "| Sessions opened for user $SpacedKey | Session Count: $SpacedValue |" $Border = '-' * ($Final.Length - 2) + # Print the boarder once + if ($Flag -match "Enable") { Write-Output "+$Border+" + $Flag = "Disable" + } + Write-Output $Final } @@ -154,10 +162,9 @@ if ($ElevatedCommands_Count -ge 1) { # the printing of the $NameTag plus the table Write-Output "" - Write-Output " User Information" - Write-Output " +$BorderHyphenForUser+" - Write-Output " $Key" - Write-Output " +$BorderHyphenForUser+" + Write-Output "User Command History Of:" + Write-Output "+$BorderHyphenForUser+" + Write-Output "$Key" # Find the maximum character count in $ElevatedCommandsHT[$Key] which is the commands $MaxCharCount = ($ElevatedCommandsHT[$Key] | Measure-Object Length -Maximum).Maximum 
@@ -169,15 +176,14 @@ if ($ElevatedCommands_Count -ge 1) { $Commands = $ElevatedCommandsHT[$Key].PadRight($MaxCharCount) # the printing of the whole table with the commands - Write-Output " |" - Write-Output " V User Command History (Total Executions:$($ElevatedCommandsHT[$Key].Count))" - Write-Output " +$BorderHyphen+" + Write-Output "+$BorderHyphen+" + foreach ($Command in $Commands) { - Write-Output " |$Command|" - Write-Output " +$BorderHyphen+" + + Write-Output "|$Command|" } + Write-Output "+$BorderHyphen+" } - } # reset diff --git a/MasterParser.ps1 b/MasterParser.ps1 index 9a9435a..8357b26 100644 --- a/MasterParser.ps1 +++ b/MasterParser.ps1 @@ -170,3 +170,4 @@ switch ($O) { exit } } +
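Review bot: `Write-Output "|$Command|"` emits each sudo command line to the console verbatim, and if these strings are taken straight from auth.log as the parser's layout suggests, their content is influenced by whoever ran the command; control characters or escape sequences in a logged command would be interpreted by the analyst's terminal rather than displayed, so rows would no longer line up and text could be hidden. Normalizing before printing, `Write-Output "|$($Command -replace '[\x00-\x1F\x7F]', '?')|"`, keeps the padded width intact and the table readable, and the same consideration applies to `$Key` in the preceding hunks of this file and to the user and group names printed in 05-UsersGroupsActivity.ps1. The rewrite also drops the `Total Executions` count that the old table header carried; if that figure is still wanted it could be folded into the `User Command History Of:` heading. The outer `foreach ($Key ...)` loop and the enclosing `if` begin outside this hunk.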