From 829547ce6f42097cfdfe5d5cf2af581ab52aa95e Mon Sep 17 00:00:00 2001
From: Yamato Security
Date: Tue, 25 May 2021 06:57:14 +0900
Subject: [PATCH] Show-Contributors JP translation
---
 Config/Language/en.ps1 | 9 +++++++++
 Config/Language/ja.ps1 | 9 +++++++++
 yea-security-timeline.ps1 | 33 ++++++---------------------------
 3 files changed, 24 insertions(+), 27 deletions(-)
diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1
index 73172550..64fbae76 100644
--- a/Config/Language/en.ps1
+++ b/Config/Language/en.ps1
@@ -325,3 +325,12 @@ $Create_LogonTimeline_TypeOther = "Other Type Logons:"
+#function Show-Contributors
+$Show_Contributors =
+"Contributors:
+
+DustInDark - Localization, Japanese Translations
+Tsubokku - Japanese Translations
+
+Please contribute to this project for fame and glory!
+"
\ No newline at end of file
diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1
index 22b84886..7cebe53d 100644
--- a/Config/Language/ja.ps1
+++ b/Config/Language/ja.ps1
@@ -326,3 +326,12 @@ $Create_LogonTimeline_Type12 = "タイプ 12 キャッシュされた認証情
 $Create_LogonTimeline_Type13 = "タイプ 13 キャッシュされた認証情報によるロック解除のログオン (例:DCに接続できない場合のロック解除またはRDP再接続):"
 $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:"
+#function Show-Contributors
+$Show_Contributors =
+"コントリビューター:
+
+DustInDark - ローカライゼーション、和訳
+つぼっく - 和訳
+
+コントリビューターを募集しています!
+"
\ No newline at end of file
diff --git a/yea-security-timeline.ps1 b/yea-security-timeline.ps1
index 871b8f2e..9c0eaa96 100755
--- a/yea-security-timeline.ps1
+++ b/yea-security-timeline.ps1
@@ -25,6 +25,7 @@ https://github.com/yamatosecurity
 #
 # Inspired by Eric Conrad's DeepBlueCLI (https://github.com/sans-blue-team/DeepBlueCLI)
 # Much help from the Windows Event Log Analysis Cheatsheets by Steve Anson (https://www.forwarddefense.com/en/article/references-pdf)
+# and event log info from www.ultimatewindowssecurity.com
 param (
 [bool]$Japanese = $false,
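Review bot: `$Show_Contributors` is assigned a multi-line double-quoted literal, so PowerShell will expand any `$name` or backtick sequence that later ends up in the contributor list; a single-quoted here-string is the literal form and also makes the multi-line intent explicit: `$Show_Contributors = @'` … `'@`. Both Config/Language/en.ps1 and Config/Language/ja.ps1 are also committed without a trailing newline (`\ No newline at end of file`), so the next entry appended to either file will show the closing `"` line as changed; ending each file with a newline avoids that noise. The ja.ps1 hunk has the same two points and is not repeated there.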
@@ -53,10 +54,7 @@ $ProgramStartTime = Get-Date
 #Functions:
 function Show-Contributors {
 Write-Host
- Write-Host "Contributors:"
- Write-Host "DustInDark - Localization"
- Write-Host
- Write-Host "Please contribute to this project for fame and glory!"
+ Write-Host $Show_Contributors -ForegroundColor Cyan
 Write-Host
 }
@@ -184,6 +182,8 @@ if ( $EuropeDateFormat -eq $true ) {
 }
 function EventInfo ($eventIDNumber) {
+# TODO
+# - Add all security event IDs from https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
 [hashtable]$return = @{}
@@ -269,7 +269,7 @@ function EventInfo ($eventIDNumber) {
 function Create-EventIDStatistics {
- #TODO:
+ # TODO:
 # - Implement save-output
 # - Add comments to event IDs
 # - Explicitly output results in a table
@@ -609,8 +609,7 @@ function Create-LogonTimeline {
 }
 }
-
-
+ }
 foreach ( $event in $logs ) {
@@ -1106,26 +1105,6 @@ function Create-Timeline {
 $timestamp = $event.TimeCreated.ToString($DateFormat)
-
- #Filter out SYSTEM, DWM-X, DefaultAppPool, IUSR and machine accounts (ending in $) Not using the SubectUserName anymore as an attacker could create a username as DWM-1, etc.. and bypass detection.
- <#
- if ($msgSubjectUserName -ne "SYSTEM" -and
- $msgSubjectUserName -ne "IUSR" -and
- $msgSubjectUserName -ne "DWM-1" -and
- $msgSubjectUserName -ne "DWM-2" -and
- $msgSubjectUserName -ne "DWM-3" -and
- $msgSubjectUserName -ne "DWM-4" -and
- $msgSubjectUserName -ne "DWM-5" -and
- $msgSubjectUserName -ne "DWM-6" -and
- $msgSubjectUserName -ne "LOCAL SERVICE" -and
- $msgSubjectUserName -ne "NETWORK SERVICE" -and
- $msgSubjectUserName -ne "DefaultAppPool" -and
- $msgSubjectUserName[-1] -ne "$"
- ){
- $printMSG = " 4672 - ADMIN LOGON by user: $msgSubjectUserName Logon ID: $msgSubjectLogonId"
- }
- #>
-
 if ($msgSubjectDomainName -ne "NT AUTHORITY" -and
 $msgSubjectDomainName -ne "Window Manager" -and
 $msgSubjectDomainName -ne "IIS APPPOOL" -and
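Review bot: Show-Contributors now prints `$Show_Contributors`, which this patch defines only in Config/Language/en.ps1 and ja.ps1, so the function depends on the selected language file having been dot-sourced before it is called; where that load happens is outside the hunk, and if it has not happened yet `Write-Host $Show_Contributors` prints an empty line with no error. A small guard keeps that failure visible: `if ([string]::IsNullOrEmpty($Show_Contributors)) { Write-Warning "Show_Contributors is not set; language file not loaded?" }` placed before the `Write-Host`. The same silent-empty behaviour applies to every other `$…` string the language files supply, so a single check after the language file is dot-sourced may be the better place for it.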
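Review bot: The two `# TODO` lines added at the top of EventInfo's body appear to sit at column 0 (no indentation after the `+` marker, unlike the indented `+ # TODO:` line in the -269 hunk), so they read as a file-level comment rather than part of the function. Either indent them to body level, `    # TODO`, or move them above `function EventInfo`; using `# TODO:` with the colon would also match the Create-EventIDStatistics block. EventInfo's body continues past the end of the hunk.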
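Review bot: The `+ }` added in the -609 hunk replaces two whitespace-only lines inside Create-LogonTimeline, and no matching `{` is visible in the hunk, so its effect on brace nesting cannot be checked from the diff; the function starts and ends outside the hunk. Because an unbalanced brace is a parse error for the whole script, it is worth confirming the file still parses, e.g. `[System.Management.Automation.Language.Parser]::ParseFile($path, [ref]$tokens, [ref]$errors)` with `$errors` empty afterwards. If the brace closes a block that was previously left open, that is a separate bug fix worth naming in the commit message rather than folding into a whitespace cleanup.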