script to Alert if user logon or logoff

Download JSON Download Python

Ratings

Release Time

03/22/2024

Downloads

347 times

Update Time

05/24/2025

Views

434 times

Share-it:

Tags

No results found.

Kindly run this script as " Local System User ".

Run this script as Custom Monitoring for better output.

this script has been scanned with virustotal.com and xcitium verdict cloud.

PYTHON SCRIPT FILE SHA1 VALUE - 8188e627f90d7689e9629fc7a0c04c4819bfad0b

JSON FILE SHA1 VALUE - b1073b1f365662608bf37b81dd934eeca68fb1fb

Procedure's Instructions

import os
import re
import ctypes
import getpass
import time
import subprocess
from subprocess import PIPE, Popen
import sys
import difflib
import socket
import ssl

cmd_off='wevtutil qe Security "/q:*[System [(EventID=4634)]]" /rd:true /f:text /c:1'
cmd_on='wevtutil qe Security "/q:*[System [(EventID=4624)]]" /rd:true /f:text /c:1'
Date=[]
Time=[]
Acc_name=[]
Date1=[]
Time1=[]
Acc_name1=[]
flag=0

try:
    workdir=os.environ['PROGRAMDATA']+r'\temp'
    if not os.path.exists(workdir):
        os.mkdir(workdir)      
except:
    workdir=os.environ['SYSTEMDRIVE']

New_ON=workdir+r"\New_LogOn.txt"
New_Off=workdir+r"\New_LogOff.txt"
Old_ON=workdir+r"\Old_LogOn.txt"
Old_Off=workdir+r"\Old_LogOff.txt"
File_To_Send=workdir+r"\Report.txt"

def alert(arg): 
   sys.stderr.write("%d%d%d" % (arg, arg, arg))

def command(CMD):        
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
    from subprocess import PIPE, Popen
    with disable_file_system_redirection():
        OBJ = Popen(CMD, shell = True, stdout = PIPE, stderr = PIPE)
        out, err = OBJ.communicate()
        if err:
            print(err)
        else:
            return out
    
userout = command('query user')
username = re.findall("(.*)Active",userout)[0].split()[0]

def logon(file0):
    out=command(cmd_on)
    if out:
        user = username
        Acc_name.append("Account Name : "+user)
        gt=re.findall('Date:(.*)', out)
        date=re.findall('(.*)T', gt[0])
        Date.append("Log_On Date : "+date[0].strip())
        time=re.findall('T(.*)', gt[0])
        Time.append("Log_On Time : "+time[0].strip())
        with open(file0, 'w+') as fr:
            fr.write(str(Acc_name[0])+"\n")
            fr.write(str(Date[0])+"\n")
            fr.write(str(Time[0])+"\n")
    else:
        print "\nFailed to retrieve LOG_ON details\n"

def logoff(file1):
    out=command(cmd_off)
    if out:
        gl=re.findall('Account Name:(.*)', out)
        Acc_name1.append("Account Name : "+gl[0].strip())
        gt=re.findall('Date:(.*)', out)
        date=re.findall('(.*)T', gt[0])
        Date1.append("Log_Off Date : "+date[0].strip())
        time=re.findall('T(.*)', gt[0])
        Time1.append("Log_Off Time : "+time[0].strip())
        with open(file1, 'w+') as fr:
            fr.write(str(Acc_name1[0])+"\n")
            fr.write(str(Date1[0])+"\n")
            fr.write(str(Time1[0])+"\n")

else:
        print "\nFailed to retrieve LOG_OFF details\n"

def prnt():
    with open(File_To_Send, 'a+') as dr:
        with open(New_ON, 'r') as de:
            for i in de:
                dr.write(i)
        dr.write("\n")
    print "\n"

with open(File_To_Send, 'a+') as dr:
        with open(New_Off, 'r') as de:
            for i in de:
                dr.write(i)
        
def to_alert(Old_ON, Old_Off, New_ON, New_Off):
    flag=0
    with open(Old_ON) as file:
        data=file.read()
        with open(New_ON) as file:
                data2=file.read()
                text1Lines = data.splitlines(1)
                text2Lines = data2.splitlines(1)
                diffInstance = difflib.Differ()
                diffList = list(diffInstance.compare(text1Lines,text2Lines ))
                for line in diffList:
                        if line[0] == '+':
                                flag=1

with open(Old_Off) as file:
        data=file.read()
        with open(New_Off) as file:
                data2=file.read()
                text1Lines = data.splitlines(1)
                text2Lines = data2.splitlines(1)
                diffInstance = difflib.Differ()
                diffList = list(diffInstance.compare(text1Lines,text2Lines ))
                for line in diffList:
                                    if line[0] == '+':
                                            flag=1

return flag
           
def file_change():
    open(workdir+r"\count.txt", 'a').close()
    os.rename(workdir+r"\New_LogOn.txt",workdir+r"\Old_LogOn.txt" )
    os.rename(workdir+r"\New_LogOff.txt",workdir+r"\Old_LogOff.txt" )
    os.remove(File_To_Send)

def rem_change():
    os.remove(workdir+r"\Old_LogOn.txt")
    os.remove(workdir+r"\Old_LogOff.txt")
    os.rename(workdir+r"\New_LogOn.txt",workdir+r"\Old_LogOn.txt" )
    os.rename(workdir+r"\New_LogOff.txt",workdir+r"\Old_LogOff.txt" )
    if os.path.isfile(File_To_Send):
        os.remove(File_To_Send)

def txt_send():
    with open(File_To_Send, 'r') as rr:
            contents =rr.read()
            c1=re.findall("Account Name :(.*)",contents)
            c2=set(c1)
            c3=list(c2)
            kk=', '.join(c3)
            return kk,contents

if os.path.isfile(workdir+r"\count.txt"):
    logon(New_ON)
    logoff(New_Off)
    val=to_alert(Old_ON, Old_Off, New_ON, New_Off)

if val>0:
        print "New User has logged in or Logged off within the time interval.Please find the details below."
        prnt()
        kp,cont1=txt_send()
        if 'SYSTEM' and 'user' in kp:
            print(cont1.strip())
            alert(0)
        else:
            print(cont1.strip())
            alert(1)
    else:
        alert(0)
        print "\nNo User has logged in or Logged off within the time interval.\n"
    rem_change()
else:
    print "Running this procedure for the first time in this Endpoint."
    logon(New_ON)
    logoff(New_Off)
    prnt()
    kp,cont1=txt_send()
    
    if os.path.isfile(File_To_Send):
        pass
    else:
        print "Failed to generate report file\n"
    file_change()
    alert(1)

Comments

No Comments.

script to Alert if user logon or logoff

Comments

Leave a Comment