This script generates an alert whenever a user enters a password or recovery key to unlock BitLocker encryption.
Run this script as "CUSTOM MONITORING".
# Use "alert(1)" to turn on the monitor (trigger an alert)
# Use "alert(0)" to turn off the monitor (disable an alert)
import os
import sys
import _winreg
import filecmp
import difflib
def alert(arg):
    """Signal the monitor state by writing *arg* three times to stderr.

    Per the header comments, ``alert(1)`` turns the monitor on (triggers an
    alert) and ``alert(0)`` turns it off.
    """
    marker = "%d%d%d" % (arg, arg, arg)
    sys.stderr.write(marker)
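# Get-WinEvent query for the newest event ID 782 in the BitLocker Management
# log (the script header describes it as a password / recovery-key unlock).
cmd = r"get-winevent -FilterHashtable @{Logname='Microsoft-Windows-Bitlocker/Bitlocker Management';ID=782} -MaxEvents 1"

# Working directory for the two snapshot files: %PROGRAMDATA%\temp, created on
# demand.  If that is unavailable, fall back to the root of the system drive.
try:
    workdir = os.environ['PROGRAMDATA'] + r'\temp'
    if not os.path.exists(workdir):
        os.mkdir(workdir)
except (KeyError, OSError):
    # The original read 'SYTEMDRIVE' (typo), which raised KeyError inside the
    # handler, so the fallback could never succeed.
    workdir = os.environ['SYSTEMDRIVE']

# Baseline snapshot from the previous run, and the snapshot taken this run.
old_file = workdir + r'\old_Bitlocker.txt'
new_file = workdir + r'\new_Bitlocker.txt'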
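def compare(event_logs, old_path=None, new_path=None):
    """Return 1 if the baseline snapshot has lines missing from the new one, else 0.

    Args:
        event_logs: raw PowerShell output for the newest event.  It is only
            printed when a change is detected; it is not compared itself.
        old_path, new_path: snapshot files to compare.  Default to the
            module-level ``old_file`` / ``new_file``.

    Returns:
        1 when any line of the old snapshot is absent from the new one (the
        latest event changed), 0 when every old line is still present.

    Raises:
        IOError / OSError if either snapshot file cannot be opened.
    """
    if old_path is None:
        old_path = old_file
    if new_path is None:
        new_path = new_file
    with open(old_path) as previous, open(new_path) as current:
        # NOTE: one-directional on purpose (matches the original): lines that
        # only appear in the new snapshot do not count as a change.
        missing = set(previous).difference(current)
    if not missing:
        return 0
    print(event_logs)
    return 1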
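def create_old(cmd):
    """Create the baseline snapshot ``old_file`` from the newest BitLocker event.

    Args:
        cmd: the Get-WinEvent query, run through ``powershell.exe``.

    Side effects:
        Writes the command's raw output to ``old_file``.  On empty output the
        file is left untouched and a message is printed instead, so a later
        ``compare`` will fail to open the baseline.
    """
    with os.popen(r"powershell.exe " + cmd) as pipe:
        event_logs = pipe.read()
    if not event_logs:
        print("Couldn't check for Event Logs with old file creation")
        return
    with open(old_file, "wb") as snapshot:
        snapshot.write(event_logs)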
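def Bitlocker(cmd):
    """Fetch the newest BitLocker event and compare it with the stored baseline.

    Args:
        cmd: the Get-WinEvent query, run through ``powershell.exe``.

    Returns:
        ``compare``'s verdict (1 = the latest event changed, 0 = unchanged),
        or 0 when the command produced no output.  A failed query is therefore
        indistinguishable from "no change" for the caller.

    Side effects:
        Writes the command's raw output to ``new_file``.
    """
    with os.popen(r"powershell.exe " + cmd) as pipe:
        event_logs = pipe.read()
    if not event_logs:
        print("Couldn't check for Event Logs")
        return 0
    with open(new_file, "wb") as snapshot:
        snapshot.write(event_logs)
    return compare(event_logs)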
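def remove(old_path=None, new_path=None):
    """Rotate the snapshots so this run's snapshot becomes the next baseline.

    Args:
        old_path, new_path: snapshot files.  Default to the module-level
            ``old_file`` / ``new_file``.

    The rotation only happens when ``new_path`` exists; otherwise the baseline
    is kept so the next run still has something to compare against.  (The
    original unconditionally deleted the baseline and then failed on the
    rename when no new snapshot had been written.)
    """
    if old_path is None:
        old_path = old_file
    if new_path is None:
        new_path = new_file
    if not os.path.exists(new_path):
        return
    if os.path.exists(old_path):
        os.remove(old_path)
    os.rename(new_path, old_path)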
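# Make sure a baseline exists (using the same path the helpers write to),
# then fetch the newest event and compare it with that baseline.
if not os.path.exists(old_file):
    create_old(cmd)
df = Bitlocker(cmd)
# NOTE: Bitlocker() also returns 0 when the PowerShell query produced no
# output, so a failed query clears the alert exactly like "no change" does.
if df > 0:
    print("\nBitlocker has been recently Unlocked\n")
    alert(1)
else:
    print("\nNo Bitlocker has been recently Unlocked\n")
    alert(0)
remove()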