From 9360cb72f187089cdc8b23b855c73ea5ff8a59a2 Mon Sep 17 00:00:00 2001
From: SOCFortress <95670863+socfortress@users.noreply.github.com>
Date: Mon, 8 Aug 2022 22:02:00 -0500
Subject: [PATCH] Create logonsessions.ps1

---
 Windows Logon Sessions/logonsessions.ps1 | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Windows Logon Sessions/logonsessions.ps1

diff --git a/Windows Logon Sessions/logonsessions.ps1 b/Windows Logon Sessions/logonsessions.ps1
new file mode 100644
index 0000000..89c7c03
--- /dev/null
+++ b/Windows Logon Sessions/logonsessions.ps1
@@ -0,0 +1,13 @@
+################################
+##########
+# Script execution triggered by Wazuh Manager, wodles-command
+# Output converted to JSON and appended to active-responses.log
+##########
+# RUN LOGONSESSIONS AND STORE CSV
+$Sessions_Output_CSV = c:\"Program Files"\Sysinternals\logonsessions.exe -nobanner -c -p
+# REMOVE SPACES IN CSV HEADER AND CONVERT TO ARRAY
+$Sessions_Output_Array = $Sessions_Output_CSV.PSObject.BaseObject.Trim(' ') -Replace '\s','' | ConvertFrom-Csv
+# GO THRU THE ARRAY, CONVERT TO JSON AND APPEND TO active-responses.log
+Foreach ($item in $Sessions_Output_Array) {
+ echo $item | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
+ }
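Review bot: The `-Replace '\s',''` on the line that assigns `$Sessions_Output_Array` is applied to every element of the output array, not only to the CSV header the comment targets, so any field that contains whitespace (logon-time stamps, account or process names) is altered before it is written to the log and the forwarded evidence no longer matches what `logonsessions.exe` reported. Restrict the rewrite to the header line, e.g. `$Lines = @($Sessions_Output_CSV); $Lines[0] = $Lines[0] -replace '\s',''; $Sessions_Output_Array = $Lines | ConvertFrom-Csv`. The `logonsessions.exe` invocation also carries no `-accepteula` switch and nothing verifies the binary exists at the hard-coded path; when run non-interactively under the agent's account an unaccepted Sysinternals EULA can block the call and a missing binary leaves `$Sessions_Output_CSV` empty, so the script should fail with a visible error (for example `$ErrorActionPreference = 'Stop'` plus a `Test-Path` guard) rather than silently append nothing. Finally, `-Encoding ascii` on the `Out-File` call cannot represent non-ASCII characters in user or domain names, so those will be substituted on write; `utf8` is the safer choice if the manager's log parser accepts it.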