Generate alert if user enters Recovery key or Password to access Bitlocker

Download JSON Download Python

Ratings

Release Time

02/28/2018

Downloads

1449 times

Update Time

07/15/2025

Views

1187 times

Share-it:

Tags

bitlocker Recovery key

This Script will generate alert whenever User enters password or Recovery key to access Bitlocker Encryption.

Run this Script as "CUSTOM MONITORING"

Procedure's Instructions

# Please use "alert(1)" to turn on the monitor(trigger an alert)
# Please use "alert(0)" to turn off the monitor(disable an alert)

import os
import sys
import _winreg
import filecmp
import difflib

def alert(arg):
    sys.stderr.write("%d%d%d" % (arg, arg, arg))

s=0
cmd=r"get-winevent -FilterHashtable @{Logname='Microsoft-Windows-Bitlocker/Bitlocker Management';ID=782}  -MaxEvents 1"
    
try:
        workdir=os.environ['PROGRAMDATA']+r'\temp'
        if not os.path.exists(workdir):
            os.mkdir(workdir)      
except:
        workdir=os.environ['SYTEMDRIVE']

old_file=workdir+r'\old_Bitlocker.txt'
new_file=workdir+r'\new_Bitlocker.txt'

def compare(event_logs):
    
    flag=0
    if False==0:
        
        with open(old_file) as file1:
           with open(new_file) as file2:
               diff = set(file1).difference(file2)
               if not diff:
                   s=0
                   return s

else:
                   s=1
                   print event_logs
                   return s

def create_old(cmd):
    cmd1=r"powershell.exe "+cmd
    
    event_logs=os.popen(cmd1).read()

if not event_logs:
        print "Couldn't check for Event Logs with old file creation"
    else:
        with open(old_file, "wb") as f:
            f.write(event_logs)

def Bitlocker(cmd):
    import os
    import re
    import sys
    import xml.etree.ElementTree as ET
    import getpass
    import socket
    cmd1=r"powershell.exe "+cmd
    
    event_logs=os.popen(cmd1).read()

if not event_logs:
        df=0
        print "Couldn't check for Event Logs"
        return df
    else:
        with open(new_file, "wb") as f:
            f.write(event_logs)
        v=compare(event_logs)
        return v

def remove():
    os.remove(old_file)
    os.rename(new_file,old_file)

if os.path.exists(workdir+r'\old_Bitlocker.txt'):
    df=Bitlocker(cmd)
else:
    create_old(cmd)
    df=Bitlocker(cmd)

if df>0:
    print "\nBitlocker has been recently Unlocked\n"
    alert(1)
else :
    print "\nNo Bitlocker has been recently Unlocked\n"
    alert(0)

remove()

 
# Please use "alert(1)" to turn on the monitor(trigger an alert)
# Please use "alert(0)" to turn off the monitor(disable an alert)
​
​
import os
import sys
import _winreg
import filecmp
import difflib
​
def alert(arg):
    sys.stderr.write("%d%d%d" % (arg, arg, arg))
​
s=0
cmd=r"get-winevent -FilterHashtable @{Logname='Microsoft-Windows-Bitlocker/Bitlocker Management';ID=782}  -MaxEvents 1"
    
try:
        workdir=os.environ['PROGRAMDATA']+r'\temp'
        if not os.path.exists(workdir):
            os.mkdir(workdir)      
except:
        workdir=os.environ['SYTEMDRIVE']
​
old_file=workdir+r'\old_Bitlocker.txt'
new_file=workdir+r'\new_Bitlocker.txt'
​
def compare(event_logs):
    
    flag=0
    if False==0:
        
        with open(old_file) as file1:
           with open(new_file) as file2:
               diff = set(file1).difference(file2)
               if not diff:
                   s=0
                   return s
​
               else:
                   s=1
                   print event_logs
                   return s
​
                     
def create_old(cmd):
    cmd1=r"powershell.exe "+cmd
    
    event_logs=os.popen(cmd1).read()
​
    if not event_logs:
        print "Couldn't check for Event Logs with old file creation"
    else:
        with open(old_file, "wb") as f:
            f.write(event_logs)
​
​
def Bitlocker(cmd):
    import os
    import re
    import sys
    import xml.etree.ElementTree as ET
    import getpass
    import socket
    cmd1=r"powershell.exe "+cmd
    
    event_logs=os.popen(cmd1).read()
​
    if not event_logs:
        df=0
        print "Couldn't check for Event Logs"
        return df
    else:
        with open(new_file, "wb") as f:
            f.write(event_logs)
        v=compare(event_logs)
        return v
​
def remove():
    os.remove(old_file)
    os.rename(new_file,old_file)
    
​
if os.path.exists(workdir+r'\old_Bitlocker.txt'):
    df=Bitlocker(cmd)
else:
    create_old(cmd)
    df=Bitlocker(cmd)
​
​
if df>0:
    print "\nBitlocker has been recently Unlocked\n"
    alert(1)
else :
    print "\nNo Bitlocker has been recently Unlocked\n"
    alert(0)
​
remove()
​

Comments

No Comments.

Generate alert if user enters Recovery key or Password to access Bitlocker

Comments

Leave a Comment