diff --git a/Microsoft-Extractor-Suite.psd1 b/Microsoft-Extractor-Suite.psd1
index ced291b..85b2751 100644
--- a/Microsoft-Extractor-Suite.psd1
+++ b/Microsoft-Extractor-Suite.psd1
@@ -8,7 +8,7 @@ Author = 'Joey Rentenaar & Korstiaan Stam' CompanyName = 'Invictus-IR' # Version number of this module.
-ModuleVersion = '1.3.3'
+ModuleVersion = '1.3.4'
 # ID used to uniquely identify this module GUID = '4376306b-0078-4b4d-b565-e22804e3be01'
diff --git a/Microsoft-Extractor-Suite.psm1 b/Microsoft-Extractor-Suite.psm1
index f75b5e7..7a3be65 100644
--- a/Microsoft-Extractor-Suite.psm1
+++ b/Microsoft-Extractor-Suite.psm1
@@ -71,6 +71,10 @@ function EndDate $logFile = "Output\LogFile.txt" function Write-LogFile([String]$message,$color) {
+ $outputDir = "Output"
+ if (!(test-path $outputDir)) {
+ New-Item -ItemType Directory -Force -Name $Outputdir | Out-Null
+ }
 if ($color -eq "Yellow") { Write-host $message -ForegroundColor Yellow
diff --git a/Scripts/Get-AzureADLogs.ps1 b/Scripts/Get-AzureADLogs.ps1
index ecfb3e9..37890a2 100644
--- a/Scripts/Get-AzureADLogs.ps1
+++ b/Scripts/Get-AzureADLogs.ps1
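Review bot: `test-path $outputDir` in the new guard in Write-LogFile is also true when a plain file named `Output` exists, in which case `New-Item` is skipped and the later write to `Output\LogFile.txt` fails; `if (!(Test-Path -Path $outputDir -PathType Container)) {` detects the colliding file. The variable is spelled `$outputDir` on one line and `$Outputdir` on the next; PowerShell resolves both to the same variable, but one spelling reads better. Both the check and `$logFile = "Output\LogFile.txt"` are relative to the current working directory, so the log lands wherever the caller happens to be when the module is loaded, which may or may not be intended. The rest of Write-LogFile is outside the hunk.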
@@ -280,18 +280,12 @@ function Get-ADAuditLogs { if ($filter) { $filter = " and $filter" }
- Get-AzureADAuditDirectoryLogs -All $true -Filter "initiatedBy/user/userPrincipalName eq '$Userids' $filter" | Select-Object Id,Category,CorrelationId,Result,ResultReason,ActivityDisplayName,@{N='ActivityDateTime';E={$_.ActivityDateTime.ToString()}},LoggedByService,OperationType,InitiatedBy,TargetResources,AdditionalDetails |
- ForEach-Object {
- $_ | ConvertTo-Json -Depth 100
- } |
- Out-File -FilePath $filePath -Encoding $Encoding
+ $results = Get-AzureADAuditDirectoryLogs -All $true -Filter "initiatedBy/user/userPrincipalName eq '$Userids' $filter"
+ $results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 } else {
- Get-AzureADAuditDirectoryLogs -All $true -Filter $filter | Select-Object Id,Category,CorrelationId,Result,ResultReason,ActivityDisplayName,@{N='ActivityDateTime';E={$_.ActivityDateTime.ToString()}},LoggedByService,OperationType,InitiatedBy,TargetResources,AdditionalDetails |
- ForEach-Object {
- $_ | ConvertTo-Json -Depth 100
- } |
- Out-File -FilePath $filePath -Encoding $Encoding
+ $results = Get-AzureADAuditDirectoryLogs -All $true -Filter $filter
+ $results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 } Write-logFile -Message "[INFO] Directory audit logs written to $filePath" -Color "Green" }
diff --git a/Scripts/Get-AzureActivityLogs.ps1 b/Scripts/Get-AzureActivityLogs.ps1
index 46a53e4..64a9e91 100644
--- a/Scripts/Get-AzureActivityLogs.ps1
+++ b/Scripts/Get-AzureActivityLogs.ps1
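Review bot: `Out-File -Append $filePath` in both new branches appends to whatever is already at `$filePath`, whereas the removed pipeline overwrote it; if the file survives from an earlier run, the new JSON document is written after the old one and the file is no longer valid JSON. Unless the function is called more than once per file (the caller is outside the hunk), drop `-Append` or remove the file before writing. The rewrite also drops the `Select-Object` projection, so `ActivityDateTime` is now serialised by ConvertTo-Json as a DateTime rather than the `.ToString()` text the old code emitted; on Windows PowerShell 5.1 that likely becomes a `\/Date(...)\/` string, which consumers of the previous format may not expect. `$Userids` is still interpolated unescaped into the OData `-Filter` string, so a value containing a single quote alters the query instead of being matched literally; this predates the commit, but the line is rewritten here and is the place to escape or validate it.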
@@ -221,7 +221,7 @@ function Get-ActivityLogs { else { Write-LogFile -Message "[INFO] Successfully retrieved $($amountResults.count) Activity logs for $formattedDate. Moving on!" -Color "Green"
- Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100 | Out-File -FilePath $filePath -Append -Encoding $Encoding
+ Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Select-Object @{N='EventTimestamp';E={$_.EventTimestamp.ToString()}},EventName,EventDataId,TenantId,CorrelationId,SubStatus,SubscriptionId,@{N='SubmissionTimestamp';E={$_.SubmissionTimestamp.ToString()}},Status,ResourceType,ResourceProviderName,ResourceId,ResourceGroupName,OperationName,OperationId,Level,Id,Description,Category,Caller,Authorization,Claims,HttpRequest,Properties | ConvertTo-Json -Depth 100| Out-File -FilePath $filePath -Append -Encoding $Encoding
 } }
diff --git a/Scripts/Get-MFAStatus.ps1 b/Scripts/Get-MFAStatus.ps1
index 64ce043..867b8b3 100644
--- a/Scripts/Get-MFAStatus.ps1
+++ b/Scripts/Get-MFAStatus.ps1
@@ -227,6 +227,7 @@ function Get-MFA { UserPreferredMethodForSecondaryAuthentication = "-" UserPrincipalName = "-" UserType = "-"
+ LastUpdatedDateTime = "-"
 AdditionalProperties = "-" }
@@ -245,6 +246,7 @@ function Get-MFA { $myobject.UserPreferredMethodForSecondaryAuthentication = $_.UserPreferredMethodForSecondaryAuthentication $myobject.UserPrincipalName = $_.UserPrincipalName $myobject.UserType = $_.UserType
+ $myobject.LastUpdatedDateTime = $_.LastUpdatedDateTime
 $myobject.AdditionalProperties = $_.AdditionalProperties | out-string $results+= $myObject; }
diff --git a/Scripts/Get-OAuthPermissions.ps1 b/Scripts/Get-OAuthPermissions.ps1
index 8ef30f7..3cf45b3 100644
--- a/Scripts/Get-OAuthPermissions.ps1
+++ b/Scripts/Get-OAuthPermissions.ps1
@@ -58,7 +58,7 @@ function Get-OAuthPermissions <# .SYNOPSIS Lists delegated permissions (OAuth2PermissionGrants) and application permissions (AppRoleAssignments).
-Script made by: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
+Script inspired by: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
 .DESCRIPTION Script to list all delegated permissions and application permissions in Azure AD
diff --git a/Scripts/Get-UAL.ps1 b/Scripts/Get-UAL.ps1
index eb9aadd..cc55dd8 100644
--- a/Scripts/Get-UAL.ps1
+++ b/Scripts/Get-UAL.ps1
@@ -36,7 +36,6 @@ function Get-UALAll .PARAMETER MergeOutput MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
- Default: No
 .PARAMETER Encoding Encoding is the parameter specifying the encoding of the CSV/JSON output file.
@@ -283,7 +282,6 @@ function Get-UALGroup .PARAMETER MergeOutput MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
- Default: No
 .PARAMETER Encoding Encoding is the parameter specifying the encoding of the CSV/JSON output file.
@@ -321,7 +319,7 @@ function Get-UALGroup [string]$Interval, [string]$Group, [string]$Output,
- [string]$MergeOutput,
+ [switch]$MergeOutput,
 [string]$OutputDir, [string]$Encoding )
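Review bot: Changing `[string]$MergeOutput` to `[switch]$MergeOutput` in Get-UALGroup (and likewise in the Get-UALSpecific hunk that follows) breaks callers that still pass a string such as `-MergeOutput "Yes"`, which is what the removed `Default: No` documentation implied; binding a string to a switch is a parameter-binding error, so the `.EXAMPLE` blocks and the UnifiedAuditLog.rst entries should now show the bare flag form `-MergeOutput`. The code that reads `$MergeOutput` is outside both hunks; if it still compares against a string (for example `-eq "Yes"`), the switch will never enable merging and that test must become `if ($MergeOutput) {`. Get-UALAll's parameter block is not in the diff although its docs lost the same `Default: No` line, so it is worth confirming it already declares the switch so the three functions agree.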
@@ -569,7 +567,6 @@ function Get-UALSpecific .PARAMETER MergeOutput MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
- Default: No
 .EXAMPLE Get-UALSpecific -RecordType ExchangeItem
@@ -603,7 +600,7 @@ function Get-UALSpecific [string]$Interval, [Parameter(Mandatory=$true)]$RecordType, [string]$Output,
- [string]$MergeOutput,
+ [switch]$MergeOutput,
 [string]$OutputDir, [string]$Encoding )
diff --git a/Scripts/Get-UALStatistics.ps1 b/Scripts/Get-UALStatistics.ps1
index db7c40c..8687959 100644
--- a/Scripts/Get-UALStatistics.ps1
+++ b/Scripts/Get-UALStatistics.ps1
@@ -89,7 +89,7 @@ function Get-UALStatistics $specificResult = Search-UnifiedAuditLog -Userids $UserIds -StartDate $script:StartDate -EndDate $script:EndDate -RecordType $record -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount if ($specificResult) { Write-LogFile -Message "$($record):$($specificResult)"
- Write-Output "$record,$number" | Out-File $outputDirectory -Append
+ Write-Output "$record,$specificResult" | Out-File $outputDirectory -Append
 } else { }
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 417a793..1ba5390 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -6,8 +6,8 @@ copyright = 'Copyright (c) 2024 Invictus Incident Response' author = 'Joey Rentenaar & Korstiaan Stam'
-release = '1.3.3'
-version = '1.3.3'
+release = '1.3.4'
+version = '1.3.4'
 # -- General configuration
diff --git a/docs/source/functionality/UnifiedAuditLog.rst b/docs/source/functionality/UnifiedAuditLog.rst
index 1fee857..0f672ed 100644
--- a/docs/source/functionality/UnifiedAuditLog.rst
+++ b/docs/source/functionality/UnifiedAuditLog.rst
@@ -115,7 +115,6 @@ Parameters -MergeOutput (optional) - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
- - Default: No
 -OutputDir (optional) - OutputDir is the parameter specifying the output directory.
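Review bot: The corrected `Write-Output "$record,$specificResult"` line in Get-UALStatistics only runs when `$specificResult` is truthy, so a record type whose count is `0` falls into the empty `else { }` and never appears in the CSV, which makes a zero-hit type indistinguishable from one the query failed on; if zero rows are wanted, `else { Write-Output "$record,0" | Out-File $outputDirectory -Append }` closes that gap. The write also passes no `-Encoding`, unlike the Get-ADAuditLogs and Get-ActivityLogs output paths in this commit, so the CSV encoding depends on the host's Out-File default. `$outputDirectory` holds a file path here rather than a directory, which is worth a rename or a comment. The surrounding loop and the rest of the function are outside the hunk.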
@@ -271,7 +270,6 @@ Parameters -MergeOutput (optional) - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
- - Default: No
 -OutputDir (optional) - OutputDir is the parameter specifying the output directory.
@@ -351,7 +349,6 @@ Parameters -MergeOutput (optional) - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
- - Default: No
 -OutputDir (optional) - OutputDir is the parameter specifying the output directory.