
commit 3bd5532f092f3e77a9b4751564e884352eb3cf0c
parent 917dcbb2a2a7047afe3c97ed121fca2d5e5130db
Author: Administrator@GAMER.EPIC <Administrator@GAMER.EPIC>
Date:   Sun,  7 Jun 2020 17:31:43 -0700

added event logs saving

Diffstat:
MCyberPolice.bat | 6+++++-
APowershellScripts/SaveEventLogs.ps1 | 69+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MPowershellScripts/UserList.ps1 | 9++++++++-
3 files changed, 82 insertions(+), 2 deletions(-)

diff --git a/CyberPolice.bat b/CyberPolice.bat
@@ -3,7 +3,7 @@ SETLOCAL EnableDelayedExpansion
set functions=checkfiles usermgmtff userprop services firewall features passwordpol audit lockout rdp power sessions shares checkdns uac windef backuplsp lsp regharden verifysys auto logging
-set analysisFunctions=allgpo listgpos listdisabledgpos gpoinfo gporeport backupgpos logfirewall logservices logusers netstat checksync manual
+set analysisFunctions=allgpo listgpos listdisabledgpos gpoinfo gporeport backupgpos logfirewall logservices logusers netstat backupeventlogs checksync manual
for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & echo on & for %%b in (1) do rem"') do (
set "DEL=%%a"
@@ -854,6 +854,10 @@ net user
net user > %output%\logs\userlog.txt
goto:EOF
+:backupeventlogs
+%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/SaveEventLogs.ps1"
+goto:EOF
+
:createFile
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/CreateFile.ps1" %~1 %~2
goto:EOF
diff --git a/PowershellScripts/SaveEventLogs.ps1 b/PowershellScripts/SaveEventLogs.ps1
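Review bot: The new `:backupeventlogs` label returns with `goto:EOF` without looking at `%ERRORLEVEL%`, so a PowerShell script that aborts (wrong host name, no rights to the Security log) is indistinguishable from a successful backup to anyone driving this from the batch menu; this matches the existing `:createFile` shape, so if it is deliberate, say so. The script it launches is interactive — SaveEventLogs.ps1 in this same commit reads three answers with Read-Host — which matters if `analysisFunctions` is ever iterated unattended; a one-line `REM interactive: prompts for AD membership, message detail and target host; writes CSVs under the output folder's logs\eventLogsBackup` above the label would document both points. The first hunk's list edit is consistent with the label name.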
@@ -0,0 +1,68 @@ +Write-Host "CYBER POLICE [Covert Ops] are now going to attempt to backup event logs (last 7 days)..." -ForegroundColor Magenta +$thispath = Split-Path -parent $MyInvocation.MyCommand.Definition +$path = Split-Path -parent $thispath +$output = Get-content $path/CyberPoliceOutput/path.txt +New-Item -ItemType Directory -Force -Path $output/logs/eventLogsBackup | Out-Null + +Set-Variable -Name EventAgeDays -Value 7 +Set-Variable -Name LogNames -Value @("Application", "System", "Security") +Set-Variable -Name ExportFolder -Value $output\logs\eventLogsBackup\ + +Set-Variable -Name ServerNames -Value $env:computername + +$now=get-date +$startdate=$now.adddays(-$EventAgeDays) + +$quick=0 + +Write-host "Are you on an AD (Default is No)" -ForegroundColor Yellow +$Readhost = Read-Host "[Y/N]" +Switch ($ReadHost) { + Y { + $ServerNames = Get-ADComputer -Filter * | Format-List name | Out-String + $ServerNames = $ServerNames.split(':')[1] + $ServerNames = $ServerNames -replace '\s','' + $LogNames += "DNS Server" + $LogNames += "Directory Service" + Write-Host "Ok." -ForegroundColor Green + } + N { Write-Host "Ok." -ForegroundColor Gray } + Default { Write-Host "Ok." -ForegroundColor Gray } +} +Write-host "Do you want to save message information... its slower (Default is No)" -ForegroundColor Yellow +$doQuick = Read-Host "[Y/N]" +Switch ($doQuick) { + Y { + $quick=1 + Write-Host "Ok." -ForegroundColor Green + } + N { + $quick=0 + Write-Host "Ok." -ForegroundColor Gray } + Default { + $quick=0 + Write-Host "Ok." 
-ForegroundColor Gray } +} +Write-host "Found computers:" -ForegroundColor Yellow +Write-Host $ServerNames -ForegroundColor Cyan + +Write-host "Please enter the name of the computer you want to back up the logs of (Case sensitive)" -ForegroundColor Yellow +$comp = Read-Host "Server Name" + +foreach($log in $LogNames) +{ + Write-Host Processing $comp\$log -ForegroundColor Yellow + $el = get-eventlog -ComputerName $comp -log $log -After $startdate + $el_c = $el | Sort-Object TimeGenerated + $ExportFile=$ExportFolder + $comp + "-" + $log + "-Log-" + $now.ToString("yyyy-MM-dd---hh-mm-ss") + ".csv" + Write-Host Exporting $log Log to $ExportFile + if ($quick -eq 1) { + $el_c | Select EntryType, TimeGenerated, Source, EventID, MachineName, Message | Export-CSV $ExportFile -NoTypeInfo + } + else { + $el_c | Select EntryType, TimeGenerated, Source, EventID, MachineName | Export-CSV $ExportFile -NoTypeInfo + } + Write-Host Complete! + Write-Host Done exporting $log on $comp! -ForegroundColor Green +} +Write-Host "The CYBER POLICE [Covert Ops]: done backing up event logs for" + $comp -ForegroundColor Magenta+ \ No newline at end of file diff --git a/PowershellScripts/UserList.ps1 b/PowershellScripts/UserList.ps1 
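Review bot: A `get-eventlog` call that fails (host unreachable, no rights to the Security log on `$comp`) raises a non-terminating error, so `$el` stays empty and the loop still prints `Complete!` and `Done exporting` while the CSV is empty or absent; adding `-ErrorAction Stop` to that call (or checking `$?` before exporting) makes a backup that did not happen visible. The file-name timestamp `yyyy-MM-dd---hh-mm-ss` uses 12-hour `hh`, so two runs twelve hours apart produce the same name and `Export-CSV` silently overwrites the earlier backup (no `-NoClobber`); `HH` fixes it. The `Format-List name | Out-String` followed by `.split(':')[1]` keeps only the text between the first two colons, so with more than one AD computer "Found computers" shows the first name glued to the word `name`; `$ServerNames = (Get-ADComputer -Filter *).Name` returns the list directly. Get-EventLog reads only classic logs, which the "DNS Server" and "Directory Service" names added here appear to be, but any future channel would need Get-WinEvent.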
@@ -21,8 +21,15 @@ Switch ($ReadHost) {
New-Item $path2/usersAD.txt -ItemType file | Out-Null
Write-Host "Created usersAD.txt file!" -ForegroundColor Yellow
}
+ if (!(Test-Path "$path2/ADConnectedComputers.txt"))
+ {
+ New-Item $path2/ADConnectedComputers.txt -ItemType file | Out-Null
+ Write-Host "Created ADConnectedComputers.txt file!" -ForegroundColor Yellow
+ }
+ Get-ADComputer -Filter * -Properties ipv4Address, OperatingSystem, OperatingSystemServicePack | Format-List name, ipv4*, oper* | Out-File -FilePath $path2/ADConnectedComputers.txt
+ Write-Host "[AD] Connected Computers added to text file!" -ForegroundColor Yellow;
Get-ADUser -Filter * | Out-File -FilePath $path2/usersAD.txt
- Write-Host "AD Users added to text file!" -ForegroundColor Yellow;
+ Write-Host "[AD] Users added to text file!" -ForegroundColor Yellow;
}
N { Write-Host "Ok." -ForegroundColor Gray }
Default { Write-Host "Ok." -ForegroundColor Gray }
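Review bot: The `Test-Path`/`New-Item` pre-creation of ADConnectedComputers.txt is redundant, because the `Out-File` two lines later creates and overwrites the file itself; it copies the existing usersAD.txt block, so either both are intended or both can go. The inventory is written as `Format-List` text, which is meant for reading, not parsing; `Select-Object Name, IPv4Address, OperatingSystem, OperatingSystemServicePack | Export-Csv -NoTypeInformation` would produce a file that other scripts could reuse (SaveEventLogs.ps1 in this same commit queries AD again for the same computer names). The enclosing `Switch ($ReadHost)` block begins before this hunk.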