Update 1.3.4

- Fixed a bug reported by Camel0101 where the number of log entries is not displayed in the Get-UALStatistics command. - Fixed a bug reported by SecurityAura where LogFile.txt gives errors when the default Output directory is not present. - Fixed an issue where the MergeOutput flag is not working correctly for Get-UALGroup and Get-UALSpecific. - As requested by evild3ad, the LastUpdatedDateTime has been added to the Get-MFA command.
invictus-ir · Apr 29, 2024 · 0f6d9cd · 0f6d9cd
1 parent eaa7bad
commit 0f6d9cd
Show file tree

Hide file tree

Showing 10 changed files with 18 additions and 24 deletions.
diff --git a/Microsoft-Extractor-Suite.psd1 b/Microsoft-Extractor-Suite.psd1
@@ -8,7 +8,7 @@ Author = 'Joey Rentenaar & Korstiaan Stam'
 CompanyName = 'Invictus-IR'
 
 # Version number of this module.
-ModuleVersion = '1.3.3' 
+ModuleVersion = '1.3.4' 
 
 # ID used to uniquely identify this module
 GUID = '4376306b-0078-4b4d-b565-e22804e3be01'

diff --git a/Microsoft-Extractor-Suite.psm1 b/Microsoft-Extractor-Suite.psm1
@@ -71,6 +71,10 @@ function EndDate
 $logFile = "Output\LogFile.txt"
 function Write-LogFile([String]$message,$color)
 {
+	$outputDir = "Output"
+	if (!(test-path $outputDir)) {
+		New-Item -ItemType Directory -Force -Name $Outputdir | Out-Null
+	}
 	if ($color -eq "Yellow")
 	{
 		Write-host $message -ForegroundColor Yellow

diff --git a/Scripts/Get-AzureADLogs.ps1 b/Scripts/Get-AzureADLogs.ps1
@@ -280,18 +280,12 @@ function Get-ADAuditLogs {
 		if ($filter) {
 			$filter = " and $filter"
 		}
-		Get-AzureADAuditDirectoryLogs -All $true -Filter "initiatedBy/user/userPrincipalName eq '$Userids' $filter" | Select-Object Id,Category,CorrelationId,Result,ResultReason,ActivityDisplayName,@{N='ActivityDateTime';E={$_.ActivityDateTime.ToString()}},LoggedByService,OperationType,InitiatedBy,TargetResources,AdditionalDetails |
-			ForEach-Object {
-				$_ | ConvertTo-Json -Depth 100
-			} |
-			Out-File -FilePath $filePath -Encoding $Encoding
+		$results = Get-AzureADAuditDirectoryLogs -All $true -Filter "initiatedBy/user/userPrincipalName eq '$Userids' $filter"	
+		$results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 	} 
 	else {
-		Get-AzureADAuditDirectoryLogs -All $true -Filter $filter | Select-Object Id,Category,CorrelationId,Result,ResultReason,ActivityDisplayName,@{N='ActivityDateTime';E={$_.ActivityDateTime.ToString()}},LoggedByService,OperationType,InitiatedBy,TargetResources,AdditionalDetails |
-			ForEach-Object {
-				$_ | ConvertTo-Json -Depth 100
-			} |
-			Out-File -FilePath $filePath -Encoding $Encoding
+		$results = Get-AzureADAuditDirectoryLogs -All $true -Filter $filter
+		$results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 	}
 	Write-logFile -Message "[INFO] Directory audit logs written to $filePath" -Color "Green"
 }
diff --git a/Scripts/Get-AzureActivityLogs.ps1 b/Scripts/Get-AzureActivityLogs.ps1
@@ -221,7 +221,7 @@ function Get-ActivityLogs {
 
 					else {
 						Write-LogFile -Message "[INFO] Successfully retrieved $($amountResults.count) Activity logs for $formattedDate. Moving on!" -Color "Green"
-						Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100	| Out-File -FilePath $filePath -Append -Encoding $Encoding
+						Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100| Out-File -FilePath $filePath -Append -Encoding $Encoding
 					}					
 				}
 

diff --git a/Scripts/Get-MFAStatus.ps1 b/Scripts/Get-MFAStatus.ps1
@@ -227,6 +227,7 @@ function Get-MFA {
             UserPreferredMethodForSecondaryAuthentication       = "-"
             UserPrincipalName                                   = "-"
             UserType                                            = "-"
+            LastUpdatedDateTime                                 = "-"
             AdditionalProperties                                = "-"
         }
 
@@ -245,6 +246,7 @@ function Get-MFA {
         $myobject.UserPreferredMethodForSecondaryAuthentication = $_.UserPreferredMethodForSecondaryAuthentication
         $myobject.UserPrincipalName = $_.UserPrincipalName
         $myobject.UserType = $_.UserType
+        $myobject.LastUpdatedDateTime = $_.LastUpdatedDateTime
         $myobject.AdditionalProperties = $_.AdditionalProperties | out-string
         $results+= $myObject;
     }

diff --git a/Scripts/Get-OAuthPermissions.ps1 b/Scripts/Get-OAuthPermissions.ps1
@@ -58,7 +58,7 @@ function Get-OAuthPermissions
 <#
 .SYNOPSIS
 Lists delegated permissions (OAuth2PermissionGrants) and application permissions (AppRoleAssignments).
-Script made by: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
+Script inspired by: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
 
 .DESCRIPTION
 Script to list all delegated permissions and application permissions in Azure AD

diff --git a/Scripts/Get-UAL.ps1 b/Scripts/Get-UAL.ps1
@@ -36,7 +36,6 @@ function Get-UALAll
 
  	.PARAMETER MergeOutput
     MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
-    Default: No
 
 	.PARAMETER Encoding
     Encoding is the parameter specifying the encoding of the CSV/JSON output file.
@@ -283,7 +282,6 @@ function Get-UALGroup
  
  	.PARAMETER MergeOutput
     MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
-    Default: No
     
 	.PARAMETER Encoding
     Encoding is the parameter specifying the encoding of the CSV/JSON output file.
@@ -321,7 +319,7 @@ function Get-UALGroup
 		[string]$Interval,
 		[string]$Group,
 		[string]$Output,
-  		[string]$MergeOutput,
+  		[switch]$MergeOutput,
 		[string]$OutputDir,
 		[string]$Encoding
 	)
@@ -569,7 +567,6 @@ function Get-UALSpecific
 
   	.PARAMETER MergeOutput
     MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
-    Default: No
 
 	.EXAMPLE
 	Get-UALSpecific -RecordType ExchangeItem
@@ -603,7 +600,7 @@ function Get-UALSpecific
 		[string]$Interval,
 		[Parameter(Mandatory=$true)]$RecordType,
 		[string]$Output,
-  		[string]$MergeOutput,
+  		[switch]$MergeOutput,
   		[string]$OutputDir,
 		[string]$Encoding
 	)

diff --git a/Scripts/Get-UALStatistics.ps1 b/Scripts/Get-UALStatistics.ps1
@@ -89,7 +89,7 @@ function Get-UALStatistics
 		$specificResult = Search-UnifiedAuditLog -Userids $UserIds -StartDate $script:StartDate -EndDate $script:EndDate -RecordType $record -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount
 		if ($specificResult) {
 			Write-LogFile -Message "$($record):$($specificResult)"
-			Write-Output "$record,$number" | Out-File $outputDirectory -Append
+			Write-Output "$record,$specificResult" | Out-File $outputDirectory -Append
 		}
 		else {
 		}

diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -6,8 +6,8 @@
 copyright = 'Copyright (c) 2024 Invictus Incident Response'
 author = 'Joey Rentenaar & Korstiaan Stam'
 
-release = '1.3.3'
-version = '1.3.3'
+release = '1.3.4'
+version = '1.3.4'
 
 # -- General configuration
 

diff --git a/docs/source/functionality/UnifiedAuditLog.rst b/docs/source/functionality/UnifiedAuditLog.rst
@@ -115,7 +115,6 @@ Parameters
 
 -MergeOutput (optional)
     - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
-    - Default: No
 
 -OutputDir (optional)
     - OutputDir is the parameter specifying the output directory.
@@ -271,7 +270,6 @@ Parameters
 
 -MergeOutput (optional)
     - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
-    - Default: No
 
 -OutputDir (optional)
     - OutputDir is the parameter specifying the output directory.
@@ -351,7 +349,6 @@ Parameters
 
 -MergeOutput (optional)
     - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
-    - Default: No
 
 -OutputDir (optional)
     - OutputDir is the parameter specifying the output directory.
-Original file line number
+Diff line change
@@ Expand Up / @@ -221,7 +221,7 @@ function Get-ActivityLogs { @@
     					else {
     						Write-LogFile -Message "[INFO] Successfully retrieved $($amountResults.count) Activity logs for $formattedDate. Moving on!" -Color "Green"
-    						Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100	| Out-File -FilePath $filePath -Append -Encoding $Encoding
+    						Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100| Out-File -FilePath $filePath -Append -Encoding $Encoding
     					}
     				}
@@ Expand Down @@