script to Alert if user logon or logoff
Ratings
Release Time
03/22/2024
Downloads
359 times
Update Time
05/28/2025
Views
441 times
Share-it:
Categories
Monitoring
Published on:
a year ago
Tags
No results found.
Kindly run this script as " Local System User ".
Run this script as Custom Monitoring for better output.
this script has been scanned with virustotal.com and xcitium verdict cloud.
PYTHON SCRIPT FILE SHA1 VALUE - 8188e627f90d7689e9629fc7a0c04c4819bfad0b
JSON FILE SHA1 VALUE - b1073b1f365662608bf37b81dd934eeca68fb1fb
Procedure's Instructions
195
1
import os2
import re3
import ctypes4
import getpass5
import time6
import subprocess7
from subprocess import PIPE, Popen8
import sys9
import difflib10
import socket11
import ssl 12
13
cmd_off='wevtutil qe Security "/q:*[System [(EventID=4634)]]" /rd:true /f:text /c:1'14
cmd_on='wevtutil qe Security "/q:*[System [(EventID=4624)]]" /rd:true /f:text /c:1'15
Date=[]16
Time=[]17
Acc_name=[]18
Date1=[]19
Time1=[]20
Acc_name1=[]21
flag=022
23
try:24
workdir=os.environ['PROGRAMDATA']+r'\temp'25
if not os.path.exists(workdir):26
os.mkdir(workdir) 27
except:28
workdir=os.environ['SYSTEMDRIVE']29
30
New_ON=workdir+r"\New_LogOn.txt"31
New_Off=workdir+r"\New_LogOff.txt"32
Old_ON=workdir+r"\Old_LogOn.txt"33
Old_Off=workdir+r"\Old_LogOff.txt"34
File_To_Send=workdir+r"\Report.txt"35
36
def alert(arg): 37
sys.stderr.write("%d%d%d" % (arg, arg, arg))38
39
40
def command(CMD): 41
class disable_file_system_redirection:42
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection43
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection44
def __enter__(self):45
self.old_value = ctypes.c_long()46
self.success = self._disable(ctypes.byref(self.old_value))47
def __exit__(self, type, value, traceback):48
if self.success:49
self._revert(self.old_value)50
from subprocess import PIPE, Popen51
with disable_file_system_redirection():52
OBJ = Popen(CMD, shell = True, stdout = PIPE, stderr = PIPE)53
out, err = OBJ.communicate()54
if err:55
print(err)56
else:57
return out58
59
userout = command('query user')60
username = re.findall("(.*)Active",userout)[0].split()[0]61
62
def logon(file0):63
out=command(cmd_on)64
if out:65
user = username66
Acc_name.append("Account Name : "+user)67
gt=re.findall('Date:(.*)', out)68
date=re.findall('(.*)T', gt[0])69
Date.append("Log_On Date : "+date[0].strip())70
time=re.findall('T(.*)', gt[0])71
Time.append("Log_On Time : "+time[0].strip())72
with open(file0, 'w+') as fr:73
fr.write(str(Acc_name[0])+"\n")74
fr.write(str(Date[0])+"\n")75
fr.write(str(Time[0])+"\n")76
else:77
print "\nFailed to retrieve LOG_ON details\n"78
79
80
def logoff(file1):81
out=command(cmd_off)82
if out:83
gl=re.findall('Account Name:(.*)', out)84
Acc_name1.append("Account Name : "+gl[0].strip())85
gt=re.findall('Date:(.*)', out)86
date=re.findall('(.*)T', gt[0])87
Date1.append("Log_Off Date : "+date[0].strip())88
time=re.findall('T(.*)', gt[0])89
Time1.append("Log_Off Time : "+time[0].strip())90
with open(file1, 'w+') as fr:91
fr.write(str(Acc_name1[0])+"\n")92
fr.write(str(Date1[0])+"\n")93
fr.write(str(Time1[0])+"\n")94
95
else:96
print "\nFailed to retrieve LOG_OFF details\n"97
98
99
def prnt():100
with open(File_To_Send, 'a+') as dr:101
with open(New_ON, 'r') as de:102
for i in de:103
dr.write(i)104
dr.write("\n")105
print "\n"106
107
with open(File_To_Send, 'a+') as dr:108
with open(New_Off, 'r') as de:109
for i in de:110
dr.write(i)111
112
def to_alert(Old_ON, Old_Off, New_ON, New_Off):113
flag=0114
with open(Old_ON) as file:115
data=file.read()116
with open(New_ON) as file:117
data2=file.read()118
text1Lines = data.splitlines(1)119
text2Lines = data2.splitlines(1)120
diffInstance = difflib.Differ()121
diffList = list(diffInstance.compare(text1Lines,text2Lines ))122
for line in diffList:123
if line[0] == '+':124
flag=1125
126
with open(Old_Off) as file:127
data=file.read()128
with open(New_Off) as file:129
data2=file.read()130
text1Lines = data.splitlines(1)131
text2Lines = data2.splitlines(1)132
diffInstance = difflib.Differ()133
diffList = list(diffInstance.compare(text1Lines,text2Lines ))134
for line in diffList:135
if line[0] == '+':136
flag=1137
138
return flag139
140
def file_change():141
open(workdir+r"\count.txt", 'a').close()142
os.rename(workdir+r"\New_LogOn.txt",workdir+r"\Old_LogOn.txt" )143
os.rename(workdir+r"\New_LogOff.txt",workdir+r"\Old_LogOff.txt" )144
os.remove(File_To_Send)145
146
147
def rem_change():148
os.remove(workdir+r"\Old_LogOn.txt")149
os.remove(workdir+r"\Old_LogOff.txt")150
os.rename(workdir+r"\New_LogOn.txt",workdir+r"\Old_LogOn.txt" )151
os.rename(workdir+r"\New_LogOff.txt",workdir+r"\Old_LogOff.txt" )152
if os.path.isfile(File_To_Send):153
os.remove(File_To_Send)154
155
def txt_send():156
with open(File_To_Send, 'r') as rr:157
contents =rr.read()158
c1=re.findall("Account Name :(.*)",contents)159
c2=set(c1)160
c3=list(c2)161
kk=', '.join(c3)162
return kk,contents163
164
if os.path.isfile(workdir+r"\count.txt"):165
logon(New_ON)166
logoff(New_Off)167
val=to_alert(Old_ON, Old_Off, New_ON, New_Off)168
169
if val>0:170
print "New User has logged in or Logged off within the time interval.Please find the details below."171
prnt()172
kp,cont1=txt_send()173
if 'SYSTEM' and 'user' in kp:174
print(cont1.strip())175
alert(0)176
else:177
print(cont1.strip())178
alert(1)179
else:180
alert(0)181
print "\nNo User has logged in or Logged off within the time interval.\n"182
rem_change()183
else:184
print "Running this procedure for the first time in this Endpoint."185
logon(New_ON)186
logoff(New_Off)187
prnt()188
kp,cont1=txt_send()189
190
if os.path.isfile(File_To_Send):191
pass192
else:193
print "Failed to generate report file\n"194
file_change()195
alert(1)Leave a Comment
CONTACT US
Call now! 
(972) 649-9012
(972) 649-9012
---
Comments