From ac597c9455eec43bd8b89cbaeb10f570cf2b2cf4 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 15 Sep 2021 01:07:56 +0900 Subject: [PATCH] Feature/merge execute timezone process and message to config#44#45 (#46) * merged Duplicated Get-TimeZone call to improve performance #44 * moved error and warn message to ps1 files in config/language #45 * auto style fix * fix background and foreground when output error message * change warn message color #45 * unification error message output #45 * changed splashlogos encoding UTF8 with BOM case of UTF8 no BOM in Powershell 5.1 dont output logo * Duplicated Get-TimeZone execution #44 changed Get-TimeZone call once when read many files, change in WELA.ps1 --- Config/Language/en.ps1 | 8 +++ Config/Language/ja.ps1 | 8 +++ Config/splashlogos.ps1 | 2 +- WELA.ps1 | 126 ++++++++++++++--------------------------- 4 files changed, 60 insertions(+), 84 deletions(-) diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1 index a67e396d..48dd3116 100644 --- a/Config/Language/en.ps1 +++ b/Config/Language/en.ps1 @@ -325,6 +325,14 @@ $Create_LogonTimeline_Type13 = "Type 13 CachedUnlocked Logons (Ex: Unlock or RDP $Create_LogonTimeline_TypeOther = "Other Type Logons:" $Create_LogonTimeline_localComputer = "LOCAL" +$Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis." +$Error_InCompatible_LiveAnalysisAndLogFile = "Error: you cannot specify -LiveAnalysis and -LogFile at the same time." +$Error_InCompatible_LogDirAndFile = "Error:you cannot specify -LogDirectory and -LogFile at the same time." +$Error_NotSupport_LiveAnalysys = "Error: Live Analysis is only supported on Windows" +$Error_NeedAdministratorPriv = "Error: You need to be running Powershell as Administrator." +$Error_NoSaveOutputWithCSV = "Error: you need to specify -SaveOutput" +$Error_NoNeedSaveOutputWithGUI = "Error: you cannot output to GUI with the -SaveOutput parameter" + #function Show-Contributors $Show_Contributors = diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1 index f1ae4e8a..095b4757 100644 --- a/Config/Language/ja.ps1 +++ b/Config/Language/ja.ps1 @@ -327,6 +327,14 @@ $Create_LogonTimeline_Type13 = "タイプ 13 キャッシュされた認証情 $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:" $Create_LogonTimeline_localComputer = "ローカル" +$Warn_DC_LiveAnalysis = "注意:ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。" +$Error_InCompatible_LiveAnalysisAndLogFile = "エラー:「-LiveAnalysis」 と「-LogFile」を同時に指定できません。" +$Error_InCompatible_LogDirAndFile = "エラー:「-LogDirectory」 と「-LogFile」を同時に指定できません。" +$Error_NotSupport_LiveAnalysys = "エラー: ライブ調査はWindowsにしか対応していません。" +$Error_NeedAdministratorPriv = "エラー: Powershellを管理者として実行する必要があります。" +$Error_NoSaveOutputWithCSV = "エラー: 「-SaveOutput」を指定してください" +$Error_NoNeedSaveOutputWithGUI = "エラー: 「-OutputGUI」と「-SaveOutput」を同時に指定できません。" + #function Show-Contributors $Show_Contributors = "コントリビューター: diff --git a/Config/splashlogos.ps1 b/Config/splashlogos.ps1 index d2d0678a..574b2f81 100644 --- a/Config/splashlogos.ps1 +++ b/Config/splashlogos.ps1 @@ -1,4 +1,4 @@ - + $logo = @" ██╗ ██╗███████╗██╗ █████╗ ██║ ██║██╔════╝██║ ██╔══██╗ diff --git a/WELA.ps1 b/WELA.ps1 index 831d1ebc..a9c79315 100755 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -422,7 +422,7 @@ function Get-KerberosStatusStr { } function Create-LogonTimeline { - + param([string] $UTCOffset) # Notes: # Logoff events without corresponding logon events first won't be printed # The log service shutdown time is used for the shutdown time so might be wrong if the log service was turned off while the system was running. (anti-forensics, etc..) @@ -704,20 +704,9 @@ function Create-LogonTimeline { if ($msgIpAddress -ne "-" -and #IP Address is not blank !($msgTargetUserName[-1] -eq "$" -and $msgIpAddress -eq "127.0.0.1" ) -or #Not a machine account local logon ($msgSubjectUserSid -eq "S-1-0-0" -and $msgTargetUserName -eq "SYSTEM")) { - #To find system boot time システムの起動時間を調べるため - $Timezone = Get-TimeZone - $TimezoneName = $Timezone.DisplayName #例:(UTC+09:00 Osaka, Sapporo, Tokyo) - $StartParen = $TimezoneName.IndexOf('(') #get position of ( - $EndParen = $TimezoneName.IndexOf(')') #position of ) - $UTCOffset = $TimezoneName.SubString( $StartParen + 1 , $EndParen - $StartParen - 1 ) # UTC+09:00 - if ( $UTC -eq $true ) { - $UTCOffset = "UTC" - } $isAdmin = $AdminLogonArray.Contains( $msgTargetUserName ) - if ( $msgAuthPackageName -eq "NTLM" ) { $msgAuthPackageName = $msgLmPackageName } #NTLMの場合はv1かv2か知りたい。AuthPackageはNTLMしか書いていないので、LmPackageName (例:NTLMv1, NTLMv2)で上書きする。 - $outputThisEvent = $TRUE } @@ -756,19 +745,8 @@ function Create-LogonTimeline { $LogoffTimestampString = $Create_LogonTimeline_NoLogoffEvent # "No logoff event" if ($msgTargetUserName[-1] -ne "$") { - - $Timezone = Get-TimeZone - $TimezoneName = $Timezone.DisplayName #例:(UTC+09:00 Osaka, Sapporo, Tokyo) - $StartParen = $TimezoneName.IndexOf('(') #get position of ( - $EndParen = $TimezoneName.IndexOf(')') #position of ) - $UTCOffset = $TimezoneName.SubString( $StartParen + 1 , $EndParen - $StartParen - 1 ) # UTC+09:00 - if ( $UTC -eq $true ) { - $UTCOffset = "UTC" - } $isAdmin = $AdminLogonArray.Contains( $msgTargetUserName ) - $outputThisEvent = $TRUE - } } @@ -782,22 +760,24 @@ function Create-LogonTimeline { $eventXML = [xml]$event.ToXml() - $msgTargetUserName = $eventXML.Event.UserData.EventXML.User - $msgTargetUserName = $msgTargetUserName.Split("\")[-1] - $msgIpAddress = $eventXML.Event.UserData.EventXML.Address + $msgTargetUserName = $eventXML.Event.UserData.EventXML.User + $msgTargetUserName = $msgTargetUserName.Split("\")[-1] + $msgIpAddress = $eventXML.Event.UserData.EventXML.Address $msgWorkstationName = "-" $msgAuthPackageName = "-" - $msgIpPort = "-" - $msgProcessName = "-" + $msgIpPort = "-" + $msgProcessName = "-" if ( $msgIpAddress -ne $Create_LogonTimeline_localComputer ) { switch ( $event.Id ) { - "21" { #RDP + "21" { + #RDP $Type10Logons++ $msgLogonType = 10 } - "25" { #RDP reconnect + "25" { + #RDP reconnect $Type7Logons++ $msgLogonType = 7 } @@ -811,16 +791,7 @@ function Create-LogonTimeline { else { $LogonTimestampString = $event.TimeCreated.ToString($DateFormat) } - $Timezone = Get-TimeZone - $TimezoneName = $Timezone.DisplayName #例:(UTC+09:00 Osaka, Sapporo, Tokyo) - $StartParen = $TimezoneName.IndexOf('(') #get position of ( - $EndParen = $TimezoneName.IndexOf(')') #position of ) - $UTCOffset = $TimezoneName.SubString( $StartParen + 1 , $EndParen - $StartParen - 1 ) # UTC+09:00 - if ( $UTC -eq $true ) { - $UTCOffset = "UTC" - } - $isAdmin = $AdminLogonArray.Contains( $msgTargetUserName ) - + $isAdmin = $AdminLogonArray.Contains( $msgTargetUserName ) $outputThisEvent = $TRUE } } @@ -888,8 +859,9 @@ function Create-LogonTimeline { if ( $SaveOutput -eq "" ) { if ( $OutputCSV -eq $true ) { - - Write-Host 'Error: you need to specify -SaveOutput' + Write-Host + Write-Host $Error_NoSaveOutputWithCSV -ForegroundColor White -BackgroundColor Red + Write-Host Exit } @@ -960,8 +932,9 @@ function Create-LogonTimeline { else { if ( $OutputGUI -eq $true ) { - - Write-Host 'Error: you cannot output to GUI with the -SaveOutput parameter' + Write-Host + Write-Host $Error_NoNeedSaveOutputWithGUI -ForegroundColor White -BackgroundColor Red + Write-Host Exit } @@ -1759,35 +1732,19 @@ function Perform-LiveAnalysisChecks { $isAdmin = Check-Administrator if ( $isAdmin -eq $false ) { - if ( $HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true ) { - Write-Host - Write-Host "エラー: Powershellを管理者として実行する必要があります。" - Write-Host - Exit - } - else { - Write-Host - Write-Host "Error: You need to be running Powershell as Administrator." - Write-Host - Exit - } + Write-Host + Write-Host $Error_NeedAdministratorPriv -ForegroundColor White -BackgroundColor Red + Write-Host + Exit } } else { #Trying to run live analysis on Mac or Linux - if ( $HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true ) { - Write-Host - Write-Host "エラー: ライブ調査はWindowsにしか対応していません。" - Write-Host - Exit - } - else { - Write-Host - Write-Host "Error: Live Analysis is only supported on Windows" - Write-Host - Exit - } + Write-Host + Write-Host $Error_NotSupport_LiveAnalysys -ForegroundColor White -BackgroundColor Red + Write-Host + Exit } } @@ -1802,24 +1759,16 @@ if ( $ShowContributors -eq $true ) { if ( $LiveAnalysis -eq $true -and $IsDC -eq $true ) { - if ($HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true) { - Write-Host - Write-Host "注意:ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。" -ForegroundColor White -BackgroundColor Red - exit - } Write-Host - Write-Host "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis." -ForegroundColor White -BackgroundColor Red + Write-Host $Warn_DC_LiveAnalysis -ForegroundColor Black -BackgroundColor Yellow + Write-Host exit } if ( $LiveAnalysis -eq $true -and $LogFile -ne "" ) { - if ($HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true) { - Write-Host - Write-Host "エラー:「-LiveAnalysis `$true」 と「-LogFile」を同時に指定できません。" -ForegroundColor White -BackgroundColor Red - exit - } Write-Host - Write-Host "Error: you cannot specify -LiveAnalysis `$true and -LogFile at the same time." -ForegroundColor White -BackgroundColor Red + Write-Host $Error_InCompatible_LiveAnalysisAndLogFile -ForegroundColor White -BackgroundColor Red + Write-Host exit } @@ -1843,11 +1792,13 @@ if ( $LiveAnalysis -eq $true ) { "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" ) -} elseif ( $LogDirectory -ne "" ) { +} +elseif ( $LogDirectory -ne "" ) { if ($LogFile -ne "") { Write-Host - Write-Host "エラー:「-LogDirectory」 と「-LogFile」を同時に指定できません。" -ForegroundColor White -BackgroundColor Red + Write-Host $Error_InCompatible_LogDirAndFile -ForegroundColor White -BackgroundColor Red + Write-Host exit } @@ -1855,6 +1806,15 @@ if ( $LiveAnalysis -eq $true ) { } +$Timezone = Get-TimeZone +$TimezoneName = $Timezone.DisplayName #例:(UTC+09:00 Osaka, Sapporo, Tokyo) +$StartParen = $TimezoneName.IndexOf('(') #get position of ( +$EndParen = $TimezoneName.IndexOf(')') #position of ) +$UTCOffset = $TimezoneName.SubString( $StartParen + 1 , $EndParen - $StartParen - 1 ) # UTC+09:00 +if ( $UTC -eq $true ) { + $UTCOffset = "UTC" +} + foreach ( $LogFile in $evtxFiles ) { if ( $EventIDStatistics -eq $true ) { @@ -1865,7 +1825,7 @@ foreach ( $LogFile in $evtxFiles ) { if ( $LogonTimeline -eq $true ) { - Create-LogonTimeline + Create-LogonTimeline $UTCOffset }