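def getFalutHeapEvtx(type, compared, prototype, timeline=None):
    """Collect matching Fault-Tolerant-Heap event records into ``prototype``.

    Reads the channel file ``CONSTANT.EVENTLOG + compared['channel']`` and
    appends, for every record whose event id is in ``compared['eid']`` and
    whose provider equals ``compared['providerName'][eventID]``, one row of
    the form ``[head, loggedTime, providerName, eventID, level, etc, xml]``.

    Args:
        type: artefact category; ``CONSTANT.IE``/``CONSTANT.HWP`` select a
            ``head`` of ``[CONSTANT.EVENTLOG_KEYWORD, 4]``, ``CONSTANT.OFFICE``
            selects ``[CONSTANT.EVENTLOG_KEYWORD, 3]``; anything else leaves
            ``head`` as ``None``. (Name kept for callers; it shadows the builtin.)
        compared: mapping with ``'channel'`` (file name), ``'eid'`` (iterable
            of int event ids) and ``'providerName'`` (dict keyed by the event
            id *string*).
        prototype: list that receives the collected rows (mutated in place).
        timeline: optional ``datetime``; records logged strictly before it are
            logged and skipped.

    Returns:
        None. Rows are appended to ``prototype``.

    Errors are isolated per record: a failure while decoding one record is
    logged (when its event id is watched) and parsing continues with the next.
    """
    items = []
    head = None
    if type in [CONSTANT.IE, CONSTANT.HWP]:
        head = [CONSTANT.EVENTLOG_KEYWORD, 4]
    elif type in [CONSTANT.OFFICE]:
        head = [CONSTANT.EVENTLOG_KEYWORD, 3]

    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']
    checkedProviders = compared['providerName']
    # Windows event Level codes. An unexpected code is kept verbatim rather
    # than dropping the record (previously an unbound ``level`` raised
    # NameError and the event was silently lost).
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

    def isWatched(eid):
        """True when ``eid`` (str or None from the XML) is a watched event id."""
        try:
            return int(eid) in checkedEID
        except (TypeError, ValueError):
            return False

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Bound before the try so the handler below can always refer to it.
            eventID = None
            try:
                systemTag = event.lxml()[0]
                # Positional access into <System>; index 7 holds TimeCreated
                # for this channel (presumably channel-specific — verify
                # against the rendered XML if the layout changes).
                loggedTime = systemTag[7].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                # .get(): an id listed in 'eid' but absent from 'providerName'
                # is skipped instead of raising KeyError.
                if not (isWatched(eventID)
                        and providerName == checkedProviders.get(eventID)):
                    continue
                if timeline and datetime.datetime.strptime(
                        loggedTime, "%Y-%m-%d %H:%M:%S.%f") < timeline:
                    logging.info(
                        "[Exception] EID - {}, {} was skipped, it's more older timeline"
                        .format(eventID, providerName))
                    continue
                rawLevel = systemTag[3].text
                level = levelNames.get(rawLevel, rawLevel)
                eventDataTag = event.lxml()[1]
                etc = eventDataTag.get("Name")
                items.append([
                    head, loggedTime, providerName, eventID, level, etc,
                    event.xml()
                ])
            except Exception as e:
                # One corrupt record must not abort the whole channel; the
                # guard is exception-safe even when eventID is None/non-numeric
                # (the old ``int(eventID)`` here could itself raise).
                if isWatched(eventID):
                    logging.info(
                        '[Error] EID - {} in "Fault-Tolerant-Heap/Operational.evtx": {}'
                        .format(eventID, e))
    prototype += items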
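    def run(self):
        """Parse the Fault-Tolerant-Heap operational log into ``self.artifacts_list``.

        Source selection (``self.env`` layout is not visible here — presumably
        ``self.env[1]`` is a "read from collected copy" flag and
        ``self.env[4][1]`` the collection directory; confirm against the
        worker base class):

        * ``self.env[1]`` truthy: read ``self.env[4][1] + evtx_name``; return
          early without emitting ``completed`` if that directory is missing.
        * otherwise: read the live log under ``CONSTANT.EVENTLOG`` and hand a
          copy to ``copy(...)`` for the collection directory.

        NOTE(review): the path is built by plain concatenation, so
        ``self.env[4][1]`` must already end with a separator.

        Records with event id 1001 from provider
        ``Microsoft-Windows-Fault-Tolerant-Heap`` are appended as
        ``[head, logged_time, provider_name, event_id, level, etc, xml]``;
        ``self.completed`` is emitted when parsing finishes. A failure in one
        record is logged and parsing continues.
        """
        evtx_name = 'Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx'
        if self.env[1]:
            if not os.path.exists(self.env[4][1]):
                return
            full_path = self.env[4][1] + evtx_name
        else:
            full_path = CONSTANT.EVENTLOG + evtx_name
            copy(full_path, self.env[4][1], 'Not copied "{}"'.format(evtx_name))

        items = []
        head = [CONSTANT.EVENTLOG_KEYWORD, True, 5, 0, 0, 4, 4, 4]
        checked_id = [1001]
        checkedProviders = {
            '1001': 'Microsoft-Windows-Fault-Tolerant-Heap',
        }
        # Windows event Level codes; an unexpected code is kept verbatim so the
        # record is not dropped (an unbound ``level`` used to raise NameError).
        level_names = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

        def is_watched(eid):
            """True when ``eid`` (str or None from the XML) is a watched id."""
            try:
                return int(eid) in checked_id
            except (TypeError, ValueError):
                return False

        import libs.ParseEvtx.Evtx as evtx
        with evtx.Evtx(full_path) as log:
            for event in log.records():
                # Bound before the try so the handler can always refer to it.
                event_id = None
                try:
                    system_tag = event.lxml()[0]
                    # Positional <System> access; index 7 is TimeCreated for
                    # this channel — verify if the XML layout changes.
                    logged_time = system_tag[7].get("SystemTime")
                    provider_name = system_tag[0].get("Name")
                    event_id = system_tag[1].text
                    if not logged_time:
                        continue
                    # .get() avoids KeyError for an id string that is not a
                    # key (e.g. differently formatted digits).
                    if not (is_watched(event_id)
                            and provider_name == checkedProviders.get(event_id)):
                        continue
                    # NOTE(review): the self.timeline cut-off that the
                    # module-level helpers apply was commented out here;
                    # confirm whether it should be enforced for this worker.
                    raw_level = system_tag[3].text
                    level = level_names.get(raw_level, raw_level)
                    data_tag = event.lxml()[1]
                    etc = data_tag.get("Name")
                    items.append([head, logged_time, provider_name, event_id, level, etc, event.xml()])
                except Exception as e:
                    # Exception-safe guard: the old ``int(event_id)`` could
                    # itself raise inside the handler and abort the parse.
                    if is_watched(event_id):
                        logging.info('[Error] EID - {} in "{}": {}'.format(event_id, evtx_name, e))
        self.artifacts_list += items
        self.completed.emit()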
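def getOAlertsEvtx(compared, prototype, timeline=None):
    """Collect matching OAlerts event records into ``prototype``.

    Reads ``CONSTANT.EVENTLOG + compared['channel']`` and appends, for every
    record whose event id is in ``compared['eid']``, one row of the form
    ``[yellowHead, loggedTime, providerName, eventID, level, etc, xml]`` where
    ``yellowHead`` is ``[CONSTANT.EVENTLOG_KEYWORD, 3]`` and ``etc`` is the
    text of the first <EventData> child. No provider check is applied here.

    Args:
        compared: mapping with ``'channel'`` (file name) and ``'eid'``
            (iterable of int event ids).
        prototype: list that receives the collected rows (mutated in place).
        timeline: optional ``datetime``; records logged strictly before it are
            logged and skipped.

    Returns:
        None. Rows are appended to ``prototype``.

    Errors are isolated per record: a failure while decoding one record is
    logged (when its event id is watched) and parsing continues.
    """
    items = []
    yellowHead = [CONSTANT.EVENTLOG_KEYWORD, 3]

    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']
    # Windows event Level codes; an unexpected code is kept verbatim so the
    # record is not dropped (an unbound ``level`` used to raise NameError).
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

    def isWatched(eid):
        """True when ``eid`` (str or None from the XML) is a watched event id."""
        try:
            return int(eid) in checkedEID
        except (TypeError, ValueError):
            return False

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Bound before the try so the handler below can always refer to it.
            eventID = None
            try:
                systemTag = event.lxml()[0]
                # Positional <System> access; index 5 is TimeCreated and
                # index 2 the Level for this channel — verify if the XML
                # layout changes.
                loggedTime = systemTag[5].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                if not isWatched(eventID):
                    continue
                if timeline and datetime.datetime.strptime(
                        loggedTime, "%Y-%m-%d %H:%M:%S.%f") < timeline:
                    logging.info(
                        "[Exception] EID - {}, {} was skipped, it's more older timeline"
                        .format(eventID, providerName))
                    continue
                rawLevel = systemTag[2].text
                level = levelNames.get(rawLevel, rawLevel)
                eventDataTag = event.lxml()[1]
                etc = eventDataTag[0].text
                items.append([
                    yellowHead, loggedTime, providerName, eventID, level,
                    etc,
                    event.xml()
                ])
            except Exception as e:
                # Exception-safe guard: the old ``int(eventID)`` could itself
                # raise inside the handler and abort the whole parse.
                if isWatched(eventID):
                    logging.info(
                        '[Error] EID - {} in "OAlerts.evtx": {}'.format(
                            eventID, e))
    prototype += items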
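def getApplicationEvtx(type, compared, prototype, checkedSW, timeline=None):
    """Collect Application-log crash records (EID 1000/1001) into ``prototype``.

    Reads ``CONSTANT.EVENTLOG + compared['channel']`` and keeps records whose
    event id is in ``compared['eid']`` and whose provider equals
    ``compared['providerName'][eventID]``:

    * EID 1000 (Application Error): kept when the faulting executable
      (<EventData> index 0) is found in ``checkedSW[0]``; tagged ``head1000``.
    * EID 1001 (Windows Error Reporting): kept when the report kind
      (index 2) is ``'APPCRASH'`` and the executable (index 5) is found in
      ``checkedSW[0] + checkedSW[1]``; tagged ``head1001``. Path, module and
      exception code (indices 16, 8, 11) are also gathered for
      ``getReportWER``.

    Each kept record becomes ``[head, loggedTime, providerName, eventID,
    level, executable, xml]``. The ``in`` tests above follow whatever type
    the caller passes in ``checkedSW`` (membership for a list, substring for
    a string).

    Args:
        type: artefact category selecting the head tags (``CONSTANT.IE``,
            ``CONSTANT.EDGE``, ``CONSTANT.OFFICE``, ``CONSTANT.HWP``); other
            values leave both heads ``None``. (Name kept for callers.)
        compared: mapping with ``'channel'``, ``'eid'`` (iterable of int) and
            ``'providerName'`` (dict keyed by the event id string).
        prototype: list that receives the rows (mutated in place).
        checkedSW: two-element sequence of watched executable names, upper
            case, as described above.
        timeline: optional ``datetime``; older records are logged and skipped.

    Returns:
        None. Rows are appended to ``prototype`` after ``getReportWER`` has
        been given a chance to process the WER entries (presumably it
        annotates ``items`` in place — its definition is not visible here).
    """
    items = []
    wer_info = []
    origin = checkedSW[0]
    head1000 = head1001 = None
    if type in [CONSTANT.IE]:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 2]
    elif type in [CONSTANT.EDGE]:
        head1000 = [CONSTANT.EVENTLOG_KEYWORD, 2]
        head1001 = [CONSTANT.EVENTLOG_KEYWORD, 5]
    elif type in [CONSTANT.OFFICE]:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 3]
    elif type in [CONSTANT.HWP]:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 6]

    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']
    checkedProviders = compared['providerName']
    # Windows event Level codes; an unexpected code is kept verbatim so the
    # record is not dropped (an unbound ``level`` used to raise NameError).
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

    def isWatched(eid):
        """True when ``eid`` (str or None from the XML) is a watched event id."""
        try:
            return int(eid) in checkedEID
        except (TypeError, ValueError):
            return False

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Bound before the try so the handler below can always refer to it.
            eventID = None
            try:
                systemTag = event.lxml()[0]
                # Positional <System> access; index 5 is TimeCreated and
                # index 2 the Level for this channel — verify if the XML
                # layout changes.
                loggedTime = systemTag[5].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                # .get(): an id listed in 'eid' but absent from 'providerName'
                # is skipped instead of raising KeyError.
                if not (isWatched(eventID)
                        and providerName == checkedProviders.get(eventID)):
                    continue
                if timeline and datetime.datetime.strptime(
                        loggedTime, "%Y-%m-%d %H:%M:%S.%f") < timeline:
                    logging.info(
                        "[Exception] EID - {}, {} was skipped, it's more older timeline"
                        .format(eventID, providerName))
                    continue

                rawLevel = systemTag[2].text
                level = levelNames.get(rawLevel, rawLevel)
                eventDataTag = event.lxml()[1]
                eid = int(eventID)

                if eid == 1000:
                    # <EventData> idx - 0 (SW), 3 (Module), 6 (Exception Code)
                    etc = eventDataTag[0].text
                    if etc.upper() not in origin:
                        continue
                    items.append([
                        head1000, loggedTime, providerName, eventID, level,
                        etc,
                        event.xml()
                    ])
                elif eid == 1001:
                    # <EventData> idx - 2 (report kind), 5 (SW), 8 (Module),
                    # 11 (Exception Code), 16 (PATH)
                    appcrashList = checkedSW[0] + checkedSW[1]
                    etc = eventDataTag[5].text
                    if (eventDataTag[2].text != 'APPCRASH'
                            or etc.upper() not in appcrashList):
                        continue
                    wer_info.append([
                        eventDataTag[16].text, eventDataTag[8].text,
                        eventDataTag[11].text
                    ])
                    items.append([
                        head1001, loggedTime, providerName, eventID, level,
                        etc,
                        event.xml()
                    ])
            except Exception as e:
                # Exception-safe guard: the old ``int(eventID)`` could itself
                # raise inside the handler and abort the whole parse.
                if isWatched(eventID):
                    logging.info(
                        '[Error] EID - {} in "Application.evtx": {}'.format(
                            eventID, e))
    if wer_info:
        # A separate name instead of rebinding the ``type`` parameter: an
        # empty second SW list means the IE profile, otherwise Office.
        werType = CONSTANT.IE if not checkedSW[1] else CONSTANT.OFFICE
        getReportWER(wer_info, items, werType)
    prototype += items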
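    def run(self):
        """Parse Application.evtx crash records into ``self.artifacts_list``.

        Source selection (``self.env`` layout is not visible here — presumably
        ``self.env[1]`` is a "read from collected copy" flag and
        ``self.env[4][1]`` the collection directory; confirm against the
        worker base class):

        * ``self.env[1]`` truthy: read ``self.env[4][1] + evtx_name``; return
          early without emitting ``completed`` if that directory is missing.
        * otherwise: read the live log under ``CONSTANT.EVENTLOG`` and hand a
          copy to ``copy(...)`` for the collection directory.

        NOTE(review): the path is built by plain concatenation, so
        ``self.env[4][1]`` must already end with a separator.

        Kept records are EID 1000 from 'Application Error' and EID 1001 from
        'Windows Error Reporting' whose faulting executable (<EventData>
        index 0 resp. 5) matches one of the ``checked_sw`` groups. Each row is
        ``[[CONSTANT.EVENTLOG_KEYWORD, False, swNum, colorNum], logged_time,
        provider_name, event_id, level, etc, xml]`` where ``swNum`` is the
        1-based index of the matching group and ``colorNum`` the group's
        colour for that event id. WER entries with a non-empty path are passed
        to ``self.getReportWER`` before ``self.completed`` is emitted. A
        failure in one record is logged and parsing continues.
        """
        evtx_name = 'Application.evtx'
        if self.env[1]:
            if not os.path.exists(self.env[4][1]):
                return
            full_path = self.env[4][1] + evtx_name
        else:
            full_path = CONSTANT.EVENTLOG + evtx_name
            copy(full_path, self.env[4][1], 'Not copied "{}"'.format(evtx_name))

        items = []
        wer_list = []
        # Groups of watched executables, 1-based position == swNum. Entries are
        # mixed: a list is tested by membership, a string by substring (the
        # ``in`` operator is deliberately kept for both, as before).
        checked_sw = [
            "ACRORD32.EXE",
            '',
            ["MICROSOFTEDGE.EXE", "MICROSOFTEDGEBCHOST.EXE", "MICROSOFTEDGECP.EXE"],
            ["HWP.EXE", "GBB.EXE", "GSWIN32C.EXE"],
            "IEXPLORE.EXE",
            ["WINWORD.EXE", "POWERPNT.EXE", "EXCEL.EXE", "WMIPRVSE.EXE", "EQNEDT32.EXE", "DW20.EXE", "DWWIN.EXE", "FLTLDR.EXE"],
        ]
        # Per group: (colour for EID 1000, colour for EID 1001).
        color_number = [(3, 5), (0, 0), (2, 4), (5, 5), (2, 4), (5, 5)]

        checked = {
            '1000': 'Application Error',
            '1001': 'Windows Error Reporting',
        }
        # Hoisted out of the loop (it was rebuilt per record and, being bound
        # inside the try, could be unbound when the except handler ran).
        checked_id = list(checked.keys())
        # Windows event Level codes; an unexpected code is kept verbatim so the
        # record is not dropped (an unbound ``level`` used to raise NameError).
        level_names = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

        def find_sw(name, color_idx):
            """Return ``(swNum, colorNum)`` for ``name`` or ``(0, None)`` when no group matches."""
            upper = name.upper()
            for sw_num, group in enumerate(checked_sw, start=1):
                if upper in group:
                    return sw_num, color_number[sw_num - 1][color_idx]
            return 0, None

        import libs.ParseEvtx.Evtx as evtx
        with evtx.Evtx(full_path) as log:
            for event in log.records():
                # Bound before the try so the handler can always refer to it.
                event_id = None
                try:
                    system_tag = event.lxml()[0]
                    # Positional <System> access; index 5 is TimeCreated and
                    # index 2 the Level for this channel — verify if the XML
                    # layout changes.
                    logged_time = system_tag[5].get("SystemTime")
                    provider_name = system_tag[0].get("Name")
                    event_id = system_tag[1].text
                    if not logged_time:
                        continue
                    if not (event_id in checked_id and provider_name == checked[event_id]):
                        continue
                    # NOTE(review): the self.timeline cut-off that the
                    # module-level helpers apply was commented out here;
                    # confirm whether it should be enforced for this worker.

                    raw_level = system_tag[2].text
                    level = level_names.get(raw_level, raw_level)

                    if event_id == checked_id[0]:
                        data_tag = event.lxml()[1]
                        etc = data_tag[0].text  # idx - 0 (SW), 3 (Module), 6 (Exception Code)
                        swNum, colorNum = find_sw(etc, 0)
                        if not swNum:
                            continue
                        items.append([
                            [CONSTANT.EVENTLOG_KEYWORD, False, swNum, colorNum],
                            logged_time, provider_name, event_id, level, etc, event.xml()
                        ])
                    elif event_id == checked_id[1]:
                        data_tag = event.lxml()[1]
                        etc = data_tag[5].text  # idx - 5 (SW), 8 (Module), 11 (Exception Code), 16 (PATH)
                        swNum, colorNum = find_sw(etc, 1)
                        if not swNum:
                            continue
                        if data_tag[16].text:
                            wer_list.append([data_tag[16].text, data_tag[8].text, data_tag[11].text, swNum])
                        items.append([
                            [CONSTANT.EVENTLOG_KEYWORD, False, swNum, colorNum],
                            logged_time, provider_name, event_id, level, etc, event.xml()])
                except Exception as e:
                    # event_id is None here when the failure happened before
                    # it was read, so the membership test cannot raise.
                    if event_id in checked_id:
                        logging.info('[Error] EID - {} in "{}": {}'.format(event_id, evtx_name, e))
        if wer_list:
            self.getReportWER(wer_list)
        self.artifacts_list += items
        self.completed.emit()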