Merge branch 'Dev'
JoeyInvictus committed Jun 26, 2024
2 parents df3550c + ae533f3 commit 691d8bf
Showing 33 changed files with 1,237 additions and 1,741 deletions.
10 changes: 7 additions & 3 deletions Microsoft-Extractor-Suite.psd1
Expand Up @@ -8,13 +8,13 @@ Author = 'Joey Rentenaar & Korstiaan Stam'
CompanyName = 'Invictus-IR'

# Version number of this module.
ModuleVersion = '1.3.5'
ModuleVersion = '2.0.0'

# ID used to uniquely identify this module
GUID = '4376306b-0078-4b4d-b565-e22804e3be01'

# Copyright statement for this module
Copyright = 'Copyright (c) 2024 Invictus Incident Response'
Copyright = 'Copyright 2024 Invictus Incident Response'

# Description of the functionality provided by this module
Description = 'Microsoft-Extractor-Suite is a fully-featured, actively-maintained, Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.'
Expand All @@ -38,6 +38,7 @@ NestedModules = @(
".\Scripts\Get-Emails.ps1"
".\Scripts\Get-MailItemsAccessed.ps1"
".\Scripts\Get-UALGraph.ps1"
".\Scripts\Get-AzureDirectoryActivityLogs.ps1"
)

FunctionsToExport = @(
Expand Down Expand Up @@ -83,6 +84,9 @@ FunctionsToExport = @(
# Get-AzureActivityLogs.ps1
"Get-ActivityLogs"

# Get-AzureDirectoryActivityLogs.ps1
"Get-DirectoryActivityLogs"

# Get-AzureADGraphLogs.ps1
"Get-ADSignInLogsGraph"
"Get-ADAuditLogsGraph"
Expand Down Expand Up @@ -113,7 +117,7 @@ FunctionsToExport = @(

# Variables to export from this module
VariablesToExport = @(
'$outputdir',
'$outputdir',
'$curDir',
'$logFile',
'$retryCount'
86 changes: 61 additions & 25 deletions Microsoft-Extractor-Suite.psm1
Expand Up @@ -3,22 +3,21 @@

$manifest = Import-PowerShellDataFile "$PSScriptRoot\Microsoft-Extractor-Suite.psd1"
$version = $manifest.ModuleVersion
$host.ui.RawUI.WindowTitle="Microsoft-Extractor-Suite $version"
$host.ui.RawUI.WindowTitle = "Microsoft-Extractor-Suite $version"

$logo=@"
+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+
|M|i|c|r|o|s|o|f|t| |E|x|t|r|a|c|t|o|r| |S|u|i|t|e|
+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+
Copyright (c) 2024 Invictus Incident Response
Copyright 2024 Invictus Incident Response
Created by Joey Rentenaar & Korstiaan Stam
"@

Write-Host $logo -ForegroundColor Yellow

$outputDir = "Output"
if (!(test-path $outputDir)) {
New-Item -ItemType Directory -Force -Name $Outputdir | Out-Null
New-Item -ItemType Directory -Force -Name $Outputdir > $null
}

$retryCount = 0
Expand Down Expand Up @@ -73,31 +72,25 @@ function Write-LogFile([String]$message,$color)
{
$outputDir = "Output"
if (!(test-path $outputDir)) {
New-Item -ItemType Directory -Force -Name $Outputdir | Out-Null
}
if ($color -eq "Yellow")
{
Write-host $message -ForegroundColor Yellow
}
elseif ($color -eq "Red")
{
Write-host $message -ForegroundColor Red
New-Item -ItemType Directory -Force -Name $Outputdir > $null
}
elseif ($color -eq "Green")
{
Write-host $message -ForegroundColor Green
}
else {
Write-host $message
}

$logToWrite = [DateTime]::Now.ToString() + ": " + $message
$logToWrite | Out-File $LogFile -Append

switch ($color) {
"Yellow" { [Console]::ForegroundColor = [ConsoleColor]::Yellow }
"Red" { [Console]::ForegroundColor = [ConsoleColor]::Red }
"Green" { [Console]::ForegroundColor = [ConsoleColor]::Green }
default { [Console]::ResetColor() }
}

[Console]::WriteLine($message)
[Console]::ResetColor()
$logToWrite = [DateTime]::Now.ToString() + ": " + $message
$logToWrite | Out-File -FilePath $LogFile -Append
}

function versionCheck{
$moduleName = "Microsoft-Extractor-Suite"
$currentVersionString = $version
$currentVersionString = $version

$currentVersion = [Version]$currentVersionString
$latestVersionString = (Find-Module -Name $moduleName).Version.ToString()
Expand All @@ -111,4 +104,47 @@ function versionCheck{
}
}

versionCheck
function Get-GraphAuthType {
$authContext = Get-MgContext | Select-Object -ExpandProperty AuthType
switch ($authContext) {
"AppOnly" { return "application" }
"Delegated" { return "delegated" }
}
}

function Merge-OutputFiles {
param (
[Parameter(Mandatory)][string]$OutputDir,
[Parameter(Mandatory)][string]$OutputType,
[string]$MergedFileName
)

$outputDirMerged = Join-Path -Path $OutputDir -ChildPath "Merged"
If (!(Test-Path $outputDirMerged)) {
Write-LogFile -Message "[INFO] Creating the following directory: $outputDirMerged"
New-Item -ItemType Directory -Force -Path $outputDirMerged > $null
}

$mergedPath = Join-Path -Path $outputDirMerged -ChildPath $MergedFileName

switch ($OutputType) {
'CSV' {
Get-ChildItem $OutputDir -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv $mergedPath -NoTypeInformation -Append -Encoding UTF8
Write-LogFile -Message "[INFO] CSV files merged into $mergedPath"
}
'JSON' {
$allJsonObjects = Get-ChildItem $OutputDir -Filter *.json | ForEach-Object {
Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
}
$allJsonObjects | ConvertTo-Json -Depth 100 | Set-Content $mergedPath
Write-Host "[INFO] JSON files merged into $mergedPath"
}
default {
Write-LogFile -Message "[ERROR] Unsupported file type specified: $OutputType" -Color Red
}
}
}

versionCheck

Export-ModuleMember -Function * -Alias * -Variable * -Cmdlet *
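Review bot: In Merge-OutputFiles the JSON branch reports success with `Write-Host "[INFO] JSON files merged into $mergedPath"` while the CSV branch and the error branch go through Write-LogFile, so a JSON merge never reaches the log file that the rest of this module writes; the line should read `Write-LogFile -Message "[INFO] JSON files merged into $mergedPath"`. `$MergedFileName` is neither Mandatory nor defaulted, and with an empty value Join-Path yields the Merged directory itself, so the later Export-Csv/Set-Content would presumably target a directory and fail; marking it `[Parameter(Mandatory)]` or supplying a default keeps the contract explicit. The CSV branch appends every file's rows with `Export-Csv -Append`, which in my experience raises an error when a later file carries a column the first did not, so either passing `-Force` or documenting that inputs must share a header is worth considering. Get-GraphAuthType returns nothing when Get-MgContext has no context (not signed in) because the switch has no default arm; a `default { return $null }` with a comment, or a Write-LogFile warning, would make that case visible to callers.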
5 changes: 3 additions & 2 deletions README.md
@@ -1,5 +1,4 @@
![alt text](https://github.com/invictus-ir/Microsoft-Extractor-Suite/blob/main/docs/source/Images/Invictus-Incident-Response.jpg?raw=true)

![Language](https://img.shields.io/badge/Language-Powershell-blue)
[![Documentation](https://img.shields.io/badge/Read%20the%20Docs-Documentation-blue)](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)
[![Latest Version](https://img.shields.io/powershellgallery/v/Microsoft-Extractor-Suite?label=Latest%20Version&color=brightgreen)](https://www.powershellgallery.com/packages/Microsoft-Extractor-Suite)
Expand All @@ -24,6 +23,8 @@ The following Microsoft data sources are supported:
* Message Trace Logs
* Azure AD Sign-In Logs
* Azure AD Audit Logs
* Azure Activity Logs
* Azure Directory Activity Logs

In addition to the log sources above the tool is also able to retrieve other relevant information:
* Registered OAuth applications in Azure AD
Expand All @@ -33,7 +34,7 @@ In addition to the log sources above the tool is also able to retrieve other rel
* The risky detections
* The conditional access policies
* Administrator directory roles and their users
* A specific e-mail or attachment
* A specific or list of e-mail(s) or attachment(s)

Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the [Invictus IR](https://www.invictus-ir.com/) team.

7 changes: 4 additions & 3 deletions Scripts/Connect.ps1
@@ -1,17 +1,18 @@
Function Connect-M365
{
versionCheck
Connect-ExchangeOnline -Showbanner:$false -ShowProgress:$true
Connect-ExchangeOnline > $null
}

Function Connect-Azure
{
versionCheck
Connect-AzureAD | Out-Null
Connect-AzureAD > $null
}

Function Connect-AzureAZ
{
versionCheck
Connect-AzAccount | Out-Null
Connect-AzAccount > $null
}

31 changes: 14 additions & 17 deletions Scripts/Get-AdminAuditLog.ps1
Expand Up @@ -31,28 +31,18 @@ function Get-AdminAuditLog {
param (
[string]$StartDate,
[string]$EndDate,
[string]$outputDir
[string]$outputDir = "Output\AdminAuditLog"
)

try {
$areYouConnected = Get-AdminAuditLogConfig -ErrorAction stop
}
catch {
write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
break
}

write-logFile -Message "[INFO] Running Get-AdminAuditLog" -Color "Green"

$date = [datetime]::Now.ToString('yyyyMMddHHmmss')
$outputFile = "$($date)-AdminAuditLog.csv"

if ($OutputDir -eq "" ){
$OutputDir = "Output\AdminAuditLog"
if (!(test-path $OutputDir)) {
New-Item -ItemType Directory -Force -Name $outputDir | Out-Null
write-LogFile -Message "[INFO] Creating the following directory: $outputDir"
}

if (!(test-path $OutputDir)) {
New-Item -ItemType Directory -Force -Name $outputDir | Out-Null
write-LogFile -Message "[INFO] Creating the following directory: $outputDir"
}

else {
Expand All @@ -73,8 +63,15 @@ function Get-AdminAuditLog {

Write-LogFile -Message "[INFO] Extracting all available Admin Audit Logs between $($script:StartDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssK")) and $($script:EndDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssK"))" -Color "Green"

$results = Search-AdminAuditLog -ResultSize 250000 -StartDate $script:startDate -EndDate $script:EndDate
$results | Export-Csv $outputDirectory -NoTypeInformation -Append -Encoding UTF8
try {
$results = Search-AdminAuditLog -ResultSize 250000 -StartDate $script:startDate -EndDate $script:EndDate
$results | Export-Csv $outputDirectory -NoTypeInformation -Append -Encoding UTF8
}
catch {
write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
break
}

write-logFile -Message "[INFO] Output is written to: $outputDirectory" -Color "Green"
}
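Review bot: The new try/catch around Search-AdminAuditLog only fires for terminating errors, and the call carries no `-ErrorAction Stop`, so a non-terminating failure (for example an expired Exchange Online session now that the upfront Get-AdminAuditLogConfig check is gone) leaves `$results` empty, writes an empty CSV, and still logs "Output is written to"; the call should be `$results = Search-AdminAuditLog -ResultSize 250000 -StartDate $script:startDate -EndDate $script:EndDate -ErrorAction Stop`. The `break` in the added catch block is not inside a loop, and in PowerShell a `break` with no enclosing loop unwinds past the function into the caller, so a `return` is the safer way to leave Get-AdminAuditLog after logging the error. The catch's first message is tagged [INFO] although it is emitted on the error path; [WARNING] would match how the old connectivity check labelled it. The enclosing function Get-AdminAuditLog begins above the first hunk and the earlier `else` branch between the two hunks is not shown.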