Merge pull request #134 from dwhite9/mod-x-log

Update Syslog and Default logging scripts to detect IP address of host
redcanaryco · Jun 10, 2023 · c401108 · c401108
2 parents 540ba99 + 213b567
commit c401108
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/Public/Default-ExecutionLogger.psm1 b/Public/Default-ExecutionLogger.psm1
@@ -6,7 +6,18 @@ function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testNa
     if (!(Test-Path $logPath)) { 
         New-Item $logPath -Force -ItemType File | Out-Null
     } 
-
+    if ($isWindows){
+        $ipAddress = (Get-NetIPAddress | Where-Object { $_.PrefixOrigin -ne "WellKnown"}).IPAddress
+    }
+    elseif ($IsMacOS) {
+        $ipAddress = ifconfig -l | xargs -n1 ipconfig getifaddr
+    } 
+    elseif ($IsLinux) {
+        $ipAddress = ip -4 -br addr show |sed -n -e 's/^.*UP\s* //p'
+    }
+    else {
+        $ipAddress = ''
+    }
     $timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
     $timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
     $msg = [PSCustomObject][ordered]@{ 
@@ -16,6 +27,7 @@ function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testNa
         "Test Number"            = $testNum
         "Test Name"              = $testName
         "Hostname"               = $targetHostname
+        "IP Address"             = $ipAddress
         "Username"               = $targetUser
         "GUID"                   = $testGuid
         "ProcessId"              = $res.ProcessId

diff --git a/Public/Syslog-ExecutionLogger.psm1 b/Public/Syslog-ExecutionLogger.psm1
@@ -5,13 +5,27 @@ function Start-ExecutionLog($startTime, $logPath, $targetHostname, $targetUser,
 function Write-ExecutionLog($startTime, $stopTime, $technique, $testNum, $testName, $testGuid, $testExecutor, $testDescription, $command, $logPath, $targetHostname, $targetUser, $res, $isWindows) {
     $timeUTC = (Get-Date($startTime).toUniversalTime() -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
     $timeLocal = (Get-Date($startTime) -uformat "%Y-%m-%dT%H:%M:%SZ").ToString()
+    if ($isWindows){
+        $ipAddress = (Get-NetIPAddress | Where-Object { $_.PrefixOrigin -ne "WellKnown"}).IPAddress
+    }
+    elseif ($IsMacOS) {
+        $ipAddress = ifconfig -l | xargs -n1 ipconfig getifaddr
+    } 
+    elseif ($IsLinux) {
+        $ipAddress = ip -4 -br addr show |sed -n -e 's/^.*UP\s* //p'
+    }
+    else {
+        $ipAddress = ''
+    }
+
     $msg = [PSCustomObject][ordered]@{ 
         "Execution Time (UTC)"   = $timeUTC
         "Execution Time (Local)" = $timeLocal 
         "Technique"              = $technique
         "Test Number"            = $testNum
         "Test Name"              = $testName
         "Hostname"               = $targetHostname
+        "IP Address"             = $ipAddress
         "Username"               = $targetUser
         "GUID"                   = $testGuid
         "Tag"                    = "atomicrunner"