  1. #1
    Registered User
    Join Date: Jun:2013
    Location: >.<
    Posts: 6,182

    Output from a power shell script

    Any advice on sorting the output of this file and writing it to a well-ordered xls file? (Short version for those who don't feel like reading: the code collects all logoff/login events from the logs for a given time interval and prints them to the console as statistics (user, type of operation, address, etc.):

    Code:
    # Authors: Ryan DeVries, Drew Bonasera, Scott Smith              
    # Rochester Institute of Technology - Computer System Forensics 
    
    # Variables 
    # Reads the hostname, sets to the local hostname if left blank 
    $hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)" 
    if ($hostname.length -eq 0){$hostname = $env:computername} 
     
    # Reads the start date, sets to 1/1/2000 if left blank 
    $startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)" 
    if ($startTmp.length -eq 0){$startTmp = "1/1/2000"} 
    $startDate = get-date $startTmp 
     
    # Reads the end date, sets to the current date and time if left blank 
    $endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)" 
    if ($endTmp.length -eq 0){$endTmp = get-date} 
    $endDate = get-date $endTmp 
     
    # Reads a Yes or No response to print only the failed login attempts, defaults to No 
    $scope = read-host "Print only failed logins (Y/N, default N)" 
    if ($scope.length -eq 0){$scope = "N"} 
     
    # Writes a line with all the parameters selected for report 
    write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n" 
     
    # Store each event from the Security Log with the specified dates and computer in an array 
    $log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate 
     
    # Loop through each security event, print only failed login attempts 
    if ($scope -match "Y"){ 
        foreach ($i in $log){ 
            # Logon Failure Events, marked red 
            # Local 
            if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){ 
                write-host "Type:  Local Logon`tDate:  "$i.TimeGenerated "`tStatus:  Failure`tUser:  "$i.ReplacementStrings[5] -foregroundcolor "red" 
            } 
            # Remote 
            if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){ 
                write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red" 
            } 
        }         
    } 
    # Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote 
    else{ 
        foreach ($i in $log){ 
            # Logon Successful Events 
            # Local (Logon Type 2) 
            if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){ 
                write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] 
            } 
            # Remote (Logon Type 10) 
            if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){ 
                write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[18] 
            } 
             
            # Logon Failure Events, marked red 
            # Local 
            if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){ 
                write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red" 
            } 
            # Remote 
            if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){ 
                write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red" 
            } 
             
            # Logoff Events 
            if ($i.EventID -eq 4647 ){ 
                write-host "Type: Logoff`t`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[1] 
            }  
        } 
    }

  2. #2
    Registered User zero's Avatar
    Join Date: Nov:2002
    Location: somewhere in Sofia
    Posts: 2,169
    There is no easy way to generate a real Excel file with powershell, so what you need is export-csv, i.e. write the output of this script to a .csv file, which you then open in Excel. Look at the examples; if you dig into it you can format the data from the script and then write it or "append" it to a file. There are many options.

  3. #3
    Registered User
    Join Date: Jun:2013
    Location: >.<
    Posts: 6,182
    Quote Originally Posted by zero View Post
    There is no easy way to generate a real Excel file with powershell, so what you need is export-csv, i.e. write the output of this script to a .csv file, which you then open in Excel. Look at the examples; if you dig into it you can format the data from the script and then write it or "append" it to a file. There are many options.
    In principle I'm fine with a plain text file and using it like that, but I wanted it to be easy to read. I think I'll try to wrangle it into html format; that will probably be easier for me.

  4. #4
    Registered User zero's Avatar
    Join Date: Nov:2002
    Location: somewhere in Sofia
    Posts: 2,169
    Nothing stops you from seeing how it looks; .csv is a standard format that Excel reads. Then decide what to do with it.

    Code:
    PS C:\>името на скрипта | Export-Csv -Path "logdata.csv"

  5. #5
    Registered User autosvet's Avatar
    Join Date: Sep:2004
    Location: Edinburgh
    Posts: 7,748
    It won't work with this code, because "write-host" writes only to the console; you'll need write-output. And those 0s he has stuck everywhere ... There should be validation of the entered data, and it should send you back to retry if you entered nothing: a check for an empty string, parsing of the variables, etc.

    Overall the script isn't written for what you want it for, and if I've understood your idea it needs to be rewritten with different logic.

    Otherwise, on a machine with Excel installed you can create a COM object for Excel and fill the file in programmatically from anything .NET, including PowerShell. And I'd advise you not to use xls but xlsx.

    Which version of PowerShell do you have on the machines?
    Last edited by autosvet; 12th December 2016 at 01:34.
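The object-based rewrite that posts #2, #4 and #5 describe (emit records instead of Write-Host, validate the prompts, then pipe to Export-Csv), written here as an added example rather than code from the thread; Read-DateOrDefault and Get-LogonReport are names chosen for this example, and it assumes Windows PowerShell 3.0 or later with read access to the Security log:

```powershell
# Added example, not the thread's script: the same Security-log scan rewritten to emit
# objects instead of Write-Host, so Sort-Object and Export-Csv can work on the pipeline.

function Read-DateOrDefault {
    # Re-prompt until the input is blank (use the default) or parses as a date.
    param([string]$Prompt, [datetime]$Default)
    while ($true) {
        $raw = Read-Host $Prompt
        if ($raw.Trim().Length -eq 0) { return $Default }
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse($raw, [ref]$parsed)) { return $parsed }
        Write-Warning "'$raw' is not a valid date, try again (MM/DD/YYYY)."
    }
}

function Get-LogonReport {
    # Turn 4624/4625/4647 Security events into objects with the fields the original printed.
    param([string]$ComputerName, [datetime]$Start, [datetime]$End, [switch]$FailedOnly)
    $logonTypes = @{ '2' = 'Local Logon'; '10' = 'Remote Logon' }   # interactive / RDP only
    $ids = if ($FailedOnly) { 4625 } else { 4624, 4625, 4647 }
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $Start -Before $End -InstanceId $ids |
        ForEach-Object {
            $s = $_.ReplacementStrings
            # Field positions differ per event id; they match the indexes the original script uses.
            switch ($_.EventID) {
                4624 { $type = $s[8];  $status = 'Success'; $user = $s[5]; $ip = $s[18] }
                4625 { $type = $s[10]; $status = 'Failure'; $user = $s[5]; $ip = $s[19] }
                4647 { $type = $null;  $status = 'Success'; $user = $s[1]; $ip = '' }
            }
            if ($_.EventID -eq 4647) { $typeName = 'Logoff' }
            elseif ($logonTypes.ContainsKey($type)) { $typeName = $logonTypes[$type] }
            else { return }   # other logon types (service, network, ...) are skipped, as before
            [PSCustomObject]@{
                Type   = $typeName
                Date   = $_.TimeGenerated
                Status = $status
                User   = $user
                IP     = $ip
            }
        }
}

$hostname = Read-Host 'Computer to scan (blank for local)'
if ($hostname.Trim().Length -eq 0) { $hostname = $env:COMPUTERNAME }
$start = Read-DateOrDefault 'Start date (blank = 1/1/2000)' (Get-Date '1/1/2000')
$end   = Read-DateOrDefault 'End date (blank = now)' (Get-Date)
$failedOnly = (Read-Host 'Only failed logins? (Y/N, default N)') -match '^[Yy]'
Get-LogonReport -ComputerName $hostname -Start $start -End $end -FailedOnly:$failedOnly |
    Sort-Object Date | Export-Csv -Path 'logdata.csv' -NoTypeInformation
```

Because each record is an object, the same pipeline can end in Format-Table for the console or ConvertTo-Html for the html version post #3 mentions.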

  6. #6
    Registered User
    Join Date: Jun:2013
    Location: >.<
    Posts: 6,182
    The script wasn't written by me, which is why I deliberately bolded the authors and marked them in red (after all, when something isn't mine, the authors should be credited).
    Otherwise the script does exactly what I described: for a given time interval it lists every login attempt (successful and failed (the latter in red, as you can see in the code)), the username, etc.
    It does NOT work on PS1 (at least it refused to for me), but from 2 upward it works. Otherwise I have PS1 on one machine and PS2+ on the other 7 OSes where I need this check.
    If you have any suggestion, I'd be glad if you shared it. For me it's no problem for the output to be in any readable form, because tasks for several people will be assigned based on it.

    Sample machine I'm testing on:
    Code:
    PS D:\> Get-Host
    
    
    Name             : ConsoleHost
    Version          : 5.1.14393.206
    InstanceId       : 752a9633-eb52-4da1-bcc2-b8cecc2ec0d5
    UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
    CurrentCulture   : en-US
    CurrentUICulture : en-US
    PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
    DebuggerEnabled  : True
    IsRunspacePushed : False
    Runspace         : System.Management.Automation.Runspaces.LocalRunspace
    and the output on it:

    Code:
    PS D:\> .\test.ps1
    Enter the IP or hostname of the computer you wish to scan (Leave blank for local):
    Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000): 11/12/2016
    Enter the end date to scan to (MM/DD/YYYY, default current time):
    Print only failed logins (Y/N, default N):
    Hostname:  ss4       Start:  11.12.2016 12:00:00 AM  End:  12.12.2016 10:53:35 AM    Only Failed Logins:  N
    
    Type: Local Logon       Date:  12.12.2016 10:53:25 AM   Status: Success User:  nav1
    Type: Local Logon       Date:  12.12.2016 10:53:25 AM   Status: Success User:  nav1
    Type: Local Logon       Date:  12.12.2016 10:53:17 AM   Status: Success User:  DWM-3
    Type: Local Logon       Date:  12.12.2016 10:53:17 AM   Status: Success User:  DWM-3
    Type: Logoff            Date:  12.12.2016 10:53:16 AM   Status: Success User:  1
    Type: Local Logon       Date:  12.12.2016 10:52:40 AM   Status: Success User:  1
    Type: Local Logon       Date:  12.12.2016 10:52:37 AM   Status: Success User:  1
    Type: Local Logon       Date:  12.12.2016 10:52:13 AM   Status: Success User:  DWM-2
    Type: Local Logon       Date:  12.12.2016 10:52:13 AM   Status: Success User:  DWM-2
    Type: Local Logon       Date:  12.12.2016 10:50:35 AM   Status: Success User:  nav1
    Type: Local Logon       Date:  12.12.2016 10:50:35 AM   Status: Success User:  nav1
    Type: Local Logon       Date:  12.12.2016 10:12:05 AM   Status: Success User:  nav1
    Type: Local Logon       Date:  12.12.2016 10:12:05 AM   Status: Success User:  nav1
    PS D:\> PS D:\> .\test.ps1
    Last edited by user313; 12th December 2016 at 10:55.
