private IEnumerable <Dictionary <string, string> > FilterGroupsByUser(string userName, IEnumerable <Dictionary <string, string> > groups)
{
string netUserProps = _processUtil.ExecuteWindowsCommand($"net user {userName}");
string spaceDelimitedGroups = Regex.Match(netUserProps, @"(?<=Local Group Memberships\s+)[^\n]+").Value;
IEnumerable <string> groupStrings = Regex.Split(spaceDelimitedGroups, @"\s+").Select(group => group.Trim('*'));
return(groups.Where(group => groupStrings.Contains(group[NameKey])));
}
/// <inheritdoc />
public ETWEventGeneratorBase(IProcessUtil processUtil, IWmiUtils wmiUtils)
{
_wmiUtils = wmiUtils;
foreach (ETWEventType etwEvent in ETWEvents)
{
_lastRetrievedEventTimeStamps[etwEvent] = ManagementDateTimeConverter.ToDmtfDateTime(DateTime.Now);
}
foreach (string command in PrerequisiteCommands)
{
processUtil.ExecuteWindowsCommand(command);
}
}
/// <summary>
/// Read the netsat output
/// Create an event that conatins all the open ports in state LISTEN (UDP and TCP)
/// </summary>
/// <returns>List of open ports event</returns>
protected override List <IEvent> GetEventsImpl()
{
//Run netstat and parse the output
//We redirect stderr to /dev/null to avoid root requirements (sudo)
const string netstatCommand = "netstat -an";
string content = _processUtil.ExecuteWindowsCommand(netstatCommand);
List <ListeningPortsPayload> payloads = NetstatUtils.ParseNetstatListeners(content, LocalAddressColumnNumber, RemoteAddressColumnNumber);
SimpleLogger.Debug($"NetstatEventGenerator returns {payloads.Count} payloads");
var openPorts = new ListeningPorts(Priority, payloads.ToArray());
return(new List <IEvent>()
{
openPorts
});
}
