Run this script as the "Local System" user.
Run this script as a Custom Monitoring procedure for better output.
This script has been scanned with virustotal.com and Xcitium Verdict Cloud.
PYTHON SCRIPT FILE SHA1 VALUE - 8188e627f90d7689e9629fc7a0c04c4819bfad0b
JSON FILE SHA1 VALUE - b1073b1f365662608bf37b81dd934eeca68fb1fb
import os
import re
import ctypes
import getpass
import time
import subprocess
from subprocess import PIPE, Popen
import sys
import difflib
import socket
import ssl
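# Event-log queries: the single most recent logoff (4634) and logon (4624)
# event, newest first, rendered as text.  Both are constant strings; command()
# runs them through a shell, so nothing derived from user, file or event-log
# content may ever be spliced into them.
cmd_off = 'wevtutil qe Security "/q:*[System [(EventID=4634)]]" /rd:true /f:text /c:1'
cmd_on = 'wevtutil qe Security "/q:*[System [(EventID=4624)]]" /rd:true /f:text /c:1'
# Module-level accumulators filled by logon()/logoff().
Date = []
Time = []
Acc_name = []
Date1 = []
Time1 = []
Acc_name1 = []
flag = 0
# Working directory for the state files: %PROGRAMDATA%\temp, created on first
# use, falling back to the root of the system drive when the variable is unset
# or the directory cannot be created.  Only those two failures are caught;
# anything else should surface rather than be hidden by a bare except.
# NOTE(review): the directory is created with default ACLs, and %PROGRAMDATA%
# is typically writable by standard users.  This script later reads and renames
# files in it while running as Local System, so a pre-planted directory or file
# could influence the report; a location with restrictive ACLs is preferable —
# confirm.
try:
    workdir = os.environ['PROGRAMDATA'] + r'\temp'
    if not os.path.exists(workdir):
        os.mkdir(workdir)
except (KeyError, OSError):
    workdir = os.environ['SYSTEMDRIVE']
# Current-run summaries, the previous run's baseline, and the report built from them.
New_ON = workdir + r"\New_LogOn.txt"
New_Off = workdir + r"\New_LogOff.txt"
Old_ON = workdir + r"\Old_LogOn.txt"
Old_Off = workdir + r"\Old_LogOff.txt"
File_To_Send = workdir + r"\Report.txt"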
def alert(arg):
    """Signal the monitoring host by writing *arg* three times to stderr.

    Emits ``"%d%d%d"`` formatted from *arg* (``alert(1)`` writes ``111``)
    without a trailing newline.  The monitoring wrapper presumably treats
    stderr as the alert channel — TODO confirm.  Returns None.
    """
    marker = "%d" % arg
    sys.stderr.write(marker * 3)
def command(CMD):
    """Run *CMD* through the shell with WOW64 file-system redirection disabled.

    Disabling redirection lets a 32-bit interpreter reach the native System32
    tools (wevtutil, query).  Returns the command's stdout when nothing was
    written to stderr; otherwise prints the stderr text and returns None.

    *CMD* is executed with ``shell=True``.  Every caller in this file passes a
    constant string; nothing taken from the event log, a file, or a user may
    be spliced into the argument.
    """
    class _NoFsRedirection(object):
        # Kernel32 entry points are resolved when command() runs, so the
        # module still imports on hosts without ctypes.windll.
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, exc_type, exc_value, tb):
            # Restore redirection only if disabling it succeeded.
            if self.success:
                self._revert(self.old_value)

    with _NoFsRedirection():
        proc = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = proc.communicate()
    if err:
        print(err)
        return None
    return out
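# Identify the interactive user from `query user`: the first line containing
# "Active" is taken and its first token is the user name.  A leading '>' marks
# the session the command itself runs in (absent for a service-hosted run), so
# it is stripped.  The original indexed the match unconditionally and raised
# IndexError (or TypeError when command() returned None) with no active session.
userout = command('query user')
_active = re.search(r"(.*)Active", userout or "")
if _active and _active.group(1).split():
    username = _active.group(1).split()[0].lstrip('>')
else:
    # No active session, or the query wrote to stderr: fall back to the
    # process owner.  NOTE(review): under Local System this is the service
    # identity rather than an interactive user — confirm that is acceptable.
    username = getpass.getuser()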
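def logon(file0):
    """Write the most recent logon (4624) event summary to *file0*.

    Runs ``cmd_on`` through command().  On success the event's ``Date:`` line
    (``<date>T<time>``) is split on its ``T`` separator, the labelled strings
    are appended to the module lists Acc_name/Date/Time, and three lines
    (account, date, time) are written to *file0*.  The account name is the
    module-level ``username`` from `query user`, not the event's own
    ``Account Name:`` field (logoff() uses the latter).
    NOTE(review): those two sources can disagree — confirm which is wanted.

    Prints a failure message and writes nothing when the query fails or the
    output has no ``Date:`` line (the original raised IndexError there).
    Only the values parsed in this call are written; earlier versions wrote
    index 0 of the module lists, which went stale on a second call.
    """
    out = command(cmd_on)
    date_line = re.search(r'Date:(.*)', out) if out else None
    if not date_line:
        print("\nFailed to retrieve LOG_ON details\n")
        return
    day, _, clock = date_line.group(1).partition('T')
    account = "Account Name : " + username
    logon_date = "Log_On Date : " + day.strip()
    logon_time = "Log_On Time : " + clock.strip()
    Acc_name.append(account)
    Date.append(logon_date)
    Time.append(logon_time)
    with open(file0, 'w') as fr:
        fr.write(account + "\n")
        fr.write(logon_date + "\n")
        fr.write(logon_time + "\n")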
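def logoff(file1):
    """Write the most recent logoff (4634) event summary to *file1*.

    Runs ``cmd_off`` through command().  On success the event's
    ``Account Name:`` line supplies the account and the ``Date:`` line
    (``<date>T<time>``) is split on its ``T`` separator; the labelled strings
    are appended to the module lists Acc_name1/Date1/Time1 and three lines
    (account, date, time) are written to *file1*.

    Prints a failure message and writes nothing when the query fails or either
    line is missing (the original raised IndexError there).  Only the values
    parsed in this call are written; earlier versions wrote index 0 of the
    module lists, which went stale on a second call.
    """
    out = command(cmd_off)
    name_line = re.search(r'Account Name:(.*)', out) if out else None
    date_line = re.search(r'Date:(.*)', out) if out else None
    if not (name_line and date_line):
        print("\nFailed to retrieve LOG_OFF details\n")
        return
    day, _, clock = date_line.group(1).partition('T')
    account = "Account Name : " + name_line.group(1).strip()
    logoff_date = "Log_Off Date : " + day.strip()
    logoff_time = "Log_Off Time : " + clock.strip()
    Acc_name1.append(account)
    Date1.append(logoff_date)
    Time1.append(logoff_time)
    with open(file1, 'w') as fr:
        fr.write(account + "\n")
        fr.write(logoff_date + "\n")
        fr.write(logoff_time + "\n")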
def prnt():
    """Append the current logon and logoff summaries to the report file.

    Copies New_ON into File_To_Send, writes a separating blank line, prints a
    newline to stdout, then copies New_Off.  The report is opened in append
    mode, so repeated calls accumulate entries.
    """
    with open(File_To_Send, 'a+') as report:
        with open(New_ON, 'r') as src:
            report.writelines(src)
        report.write("\n")
        print("\n")
        with open(New_Off, 'r') as src:
            report.writelines(src)
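def _has_added_lines(old_path, new_path):
    """Return True when *new_path* has a line that *old_path* lacks.

    difflib.Differ emits lines present only in the second input (including
    the new side of a changed line) with a leading ``+``; lines that merely
    disappeared (``-``) do not count.
    """
    with open(old_path) as fh:
        old_lines = fh.read().splitlines(True)
    with open(new_path) as fh:
        new_lines = fh.read().splitlines(True)
    diff = difflib.Differ().compare(old_lines, new_lines)
    return any(line.startswith('+') for line in diff)


def to_alert(Old_ON, Old_Off, New_ON, New_Off):
    """Return 1 if either summary gained lines since the previous run, else 0.

    *Old_ON*/*New_ON* are the previous and current logon summaries,
    *Old_Off*/*New_Off* the logoff summaries.  Both pairs are always compared
    (so a missing file raises regardless of the first result, as before).
    """
    on_changed = _has_added_lines(Old_ON, New_ON)
    off_changed = _has_added_lines(Old_Off, New_Off)
    return 1 if (on_changed or off_changed) else 0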
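def file_change():
    """First-run bookkeeping: create the run marker and rotate New_* to Old_*.

    Creates ``count.txt`` in workdir (its presence tells later runs that a
    baseline exists), renames the current logon/logoff summaries to their
    Old_* names, and removes the report if one was produced.  The report
    removal is guarded because the caller reaches here even after printing
    that the report could not be generated; the unguarded remove raised.
    """
    with open(workdir + r"\count.txt", 'a'):
        pass
    os.rename(New_ON, Old_ON)
    os.rename(New_Off, Old_Off)
    if os.path.isfile(File_To_Send):
        os.remove(File_To_Send)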
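def rem_change():
    """Rotate this run's New_* summaries over the previous Old_* baseline.

    Removes the old baseline files first (os.rename on Windows refuses to
    overwrite an existing destination), renames New_* to Old_*, and deletes
    the report if present so the next run starts clean.  The removals are
    guarded so a missing baseline file does not abort the rotation; a missing
    New_* file still raises, since there is nothing to rotate.
    """
    for stale in (Old_ON, Old_Off):
        if os.path.isfile(stale):
            os.remove(stale)
    os.rename(New_ON, Old_ON)
    os.rename(New_Off, Old_Off)
    if os.path.isfile(File_To_Send):
        os.remove(File_To_Send)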
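def txt_send():
    """Read the report and return ``(account_names, contents)``.

    *account_names* is the comma-separated list of distinct values found
    after ``Account Name :`` in the report, in first-seen order (the original
    deduplicated through a set, so the order varied between runs);
    *contents* is the raw report text.  Raises IOError if the report does
    not exist.
    """
    with open(File_To_Send, 'r') as rr:
        contents = rr.read()
    names = re.findall(r"Account Name :(.*)", contents)
    unique_names = []
    for name in names:
        if name not in unique_names:
            unique_names.append(name)
    return ', '.join(unique_names), contents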
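# Entry point.  count.txt in workdir marks that a baseline (Old_*) from a
# previous run exists; without it this is the first run on the endpoint.
# NOTE(review): the original guard read `if 'SYSTEM' and 'user' in kp:`,
# which Python evaluates as `'user' in kp` (the 'SYSTEM' literal is always
# truthy and contributes nothing).  The explicit form below preserves that
# behaviour; the author may have intended to test both names — confirm
# before changing.
if os.path.isfile(workdir + r"\count.txt"):
    logon(New_ON)
    logoff(New_Off)
    if to_alert(Old_ON, Old_Off, New_ON, New_Off) > 0:
        print("New User has logged in or Logged off within the time interval.Please find the details below.")
        prnt()
        kp, cont1 = txt_send()
        print(cont1.strip())
        # A substring 'user' in the account names suppresses the alert (see note above).
        if 'user' in kp:
            alert(0)
        else:
            alert(1)
    else:
        alert(0)
        print("\nNo User has logged in or Logged off within the time interval.\n")
    rem_change()
else:
    print("Running this procedure for the first time in this Endpoint.")
    logon(New_ON)
    logoff(New_Off)
    prnt()
    # The original read the report (txt_send) before checking that it existed,
    # which raised on a missing file and left the check below unreachable.
    if not os.path.isfile(File_To_Send):
        print("Failed to generate report file\n")
    file_change()
    alert(1)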