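def getFalutHeapEvtx(type, compared, prototype, timeline=None):
    """Collect matching Fault-Tolerant-Heap records and append them to *prototype*.

    Args:
        type: artifact category; ``CONSTANT.IE``/``CONSTANT.HWP`` select the
            ``[EVENTLOG_KEYWORD, 4]`` head, ``CONSTANT.OFFICE`` selects
            ``[EVENTLOG_KEYWORD, 3]``; any other value leaves the head as
            ``None`` (behaviour kept from the original).
        compared: dict with ``'channel'`` (evtx file name appended to
            ``CONSTANT.EVENTLOG``), ``'eid'`` (container of int event IDs to
            keep) and ``'providerName'`` (mapping of event-ID string to the
            provider name that must accompany it).
        prototype: list that receives the collected rows (mutated in place).
        timeline: optional ``datetime``; records logged before it are skipped.

    Returns:
        None. Each appended row is
        ``[head, loggedTime, providerName, eventID, level, etc, rawXml]``;
        ``rawXml`` is the record's XML exactly as the evtx parser renders it.
    """
    items = []
    head = None
    if type in (CONSTANT.IE, CONSTANT.HWP):
        head = [CONSTANT.EVENTLOG_KEYWORD, 4]
    elif type == CONSTANT.OFFICE:
        head = [CONSTANT.EVENTLOG_KEYWORD, 3]

    # <System><Level> values as written by the event log.
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}
    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']
    checkedProviders = compared['providerName']

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Both are reset per record so the handler below never trips a
            # NameError/ValueError of its own when the record broke early.
            eventID = None
            eid = None
            try:
                root = event.lxml()
                # NOTE(review): children of <System> are addressed by position
                # (Provider=0, EventID=1, Level=3, TimeCreated=7) exactly as the
                # original did; the layout is not validated here.
                systemTag = root[0]
                loggedTime = systemTag[7].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                eid = int(eventID)
                # Short-circuit keeps the provider lookup from raising KeyError
                # for IDs we are not interested in.
                if eid not in checkedEID or providerName != checkedProviders[eventID]:
                    continue
                if timeline:
                    logged = datetime.datetime.strptime(loggedTime, "%Y-%m-%d %H:%M:%S.%f")
                    if logged < timeline:
                        logging.info(
                            "[Exception] EID - {}, {} was skipped, it's more older timeline"
                            .format(eventID, providerName))
                        continue
                levelText = systemTag[3].text
                # A level outside 1-4 used to leave ``level`` unbound (NameError,
                # reported as an [Error]); keep the raw value instead.
                level = levelNames.get(levelText, levelText)
                eventDataTag = root[1]
                etc = eventDataTag.get("Name")
                items.append([head, loggedTime, providerName, eventID, level, etc, event.xml()])
            except Exception as e:
                # Only report failures for the IDs we were asked to collect.
                if eid is not None and eid in checkedEID:
                    logging.info(
                        '[Error] EID - {} in "Fault-Tolerant-Heap/Operational.evtx": {}'
                        .format(eventID, e))
    prototype += items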
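def run(self):
    """Collect EID 1001 rows from Fault-Tolerant-Heap/Operational into ``self.artifacts_list``.

    ``self.env[1]`` truthy means the log has already been collected under
    ``self.env[4][1]`` (returns early, without emitting, if that directory is
    missing); otherwise the live log under ``CONSTANT.EVENTLOG`` is read and
    copied there first. ``self.completed`` is emitted after parsing.
    """
    evtx_name = 'Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx'
    if self.env[1]:
        if not os.path.exists(self.env[4][1]):
            # NOTE(review): the original returns here without emitting
            # ``completed``; kept as-is, confirm the caller expects that.
            return
        full_path = self.env[4][1] + evtx_name
    else:
        full_path = CONSTANT.EVENTLOG + evtx_name
        copy(full_path, self.env[4][1], 'Not copied "{}"'.format(evtx_name))

    items = []
    head = [CONSTANT.EVENTLOG_KEYWORD, True, 5, 0, 0, 4, 4, 4]
    checked_id = [1001]
    checkedProviders = {
        '1001': 'Microsoft-Windows-Fault-Tolerant-Heap',
    }
    # <System><Level> values as written by the event log.
    level_names = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

    import libs.ParseEvtx.Evtx as evtx
    with evtx.Evtx(full_path) as log:
        for event in log.records():
            # Reset per record so the handler below cannot raise on its own.
            event_id = None
            eid = None
            try:
                root = event.lxml()
                # NOTE(review): <System> children addressed by position
                # (Provider=0, EventID=1, Level=3, TimeCreated=7), as originally.
                system_tag = root[0]
                logged_time = system_tag[7].get("SystemTime")
                provider_name = system_tag[0].get("Name")
                event_id = system_tag[1].text
                if not logged_time:
                    continue
                eid = int(event_id)
                if eid not in checked_id or provider_name != checkedProviders[event_id]:
                    continue
                # NOTE(review): timeline filtering on ``self.timeline`` was
                # commented out in the original and stays disabled here.
                level_text = system_tag[3].text
                # A level outside 1-4 used to leave ``level`` unbound; keep the
                # raw value instead of losing the row to a NameError.
                level = level_names.get(level_text, level_text)
                data_tag = root[1]
                etc = data_tag.get("Name")
                items.append([head, logged_time, provider_name, event_id, level, etc, event.xml()])
            except Exception as e:
                if eid is not None and eid in checked_id:
                    logging.info('[Error] EID - {} in "{}": {}'.format(event_id, evtx_name, e))
    self.artifacts_list += items
    self.completed.emit()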
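def getOAlertsEvtx(compared, prototype, timeline=None):
    """Collect matching OAlerts records and append them to *prototype*.

    Args:
        compared: dict with ``'channel'`` (evtx file name appended to
            ``CONSTANT.EVENTLOG``) and ``'eid'`` (container of int event IDs
            to keep). No provider check is done for this channel.
        prototype: list that receives the collected rows (mutated in place).
        timeline: optional ``datetime``; records logged before it are skipped.

    Returns:
        None. Each appended row is
        ``[yellowHead, loggedTime, providerName, eventID, level, etc, rawXml]``
        where ``etc`` is the text of the first <EventData> child.
    """
    items = []
    yellowHead = [CONSTANT.EVENTLOG_KEYWORD, 3]
    # <System><Level> values as written by the event log.
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}
    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Reset per record so the handler below cannot raise on its own.
            eventID = None
            eid = None
            try:
                root = event.lxml()
                # NOTE(review): <System> children addressed by position
                # (Provider=0, EventID=1, Level=2, TimeCreated=5), as originally.
                systemTag = root[0]
                loggedTime = systemTag[5].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                eid = int(eventID)
                if eid not in checkedEID:
                    continue
                if timeline:
                    logged = datetime.datetime.strptime(loggedTime, "%Y-%m-%d %H:%M:%S.%f")
                    if logged < timeline:
                        logging.info(
                            "[Exception] EID - {}, {} was skipped, it's more older timeline"
                            .format(eventID, providerName))
                        continue
                levelText = systemTag[2].text
                # A level outside 1-4 used to leave ``level`` unbound; keep the
                # raw value instead of losing the row to a NameError.
                level = levelNames.get(levelText, levelText)
                eventDataTag = root[1]
                etc = eventDataTag[0].text
                items.append([yellowHead, loggedTime, providerName, eventID, level, etc, event.xml()])
            except Exception as e:
                if eid is not None and eid in checkedEID:
                    logging.info('[Error] EID - {} in "OAlerts.evtx": {}'.format(eventID, e))
    prototype += items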
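def getApplicationEvtx(type, compared, prototype, checkedSW, timeline=None):
    """Collect Application-log crash records (EID 1000/1001) for known software.

    Args:
        type: artifact category (``CONSTANT.IE``/``EDGE``/``OFFICE``/``HWP``)
            that selects the head tags for 1000 and 1001 rows; any other
            value leaves both heads ``None`` (behaviour kept from the original).
        compared: dict with ``'channel'``, ``'eid'`` (int event IDs to keep)
            and ``'providerName'`` (event-ID string -> required provider).
        prototype: list that receives the collected rows (mutated in place).
        checkedSW: two-element sequence of upper-cased executable-name lists;
            ``checkedSW[0]`` gates EID 1000, ``checkedSW[0] + checkedSW[1]``
            gates EID 1001 APPCRASH records. ``checkedSW[1]`` being empty is
            what selects the IE WER report type at the end.
        timeline: optional ``datetime``; records logged before it are skipped.

    Returns:
        None. Rows ``[head, loggedTime, providerName, eventID, level, etc,
        rawXml]`` are appended to *prototype*; when any 1001 record was kept,
        ``getReportWER`` is called first with the collected
        ``[path, module, exceptionCode]`` triples and may extend ``items``.
    """
    items = []
    wer_info = []
    origin = checkedSW[0]
    # Loop-invariant: the 1001 allow-list is the same for every record.
    appcrashList = checkedSW[0] + checkedSW[1]
    head1000 = head1001 = None
    if type == CONSTANT.IE:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 2]
    elif type == CONSTANT.EDGE:
        head1000 = [CONSTANT.EVENTLOG_KEYWORD, 2]
        head1001 = [CONSTANT.EVENTLOG_KEYWORD, 5]
    elif type == CONSTANT.OFFICE:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 3]
    elif type == CONSTANT.HWP:
        head1000 = head1001 = [CONSTANT.EVENTLOG_KEYWORD, 6]

    # <System><Level> values as written by the event log.
    levelNames = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}
    fullPath = CONSTANT.EVENTLOG + compared['channel']
    checkedEID = compared['eid']
    checkedProviders = compared['providerName']

    with evtx.Evtx(fullPath) as log:
        for event in log.records():
            # Reset per record so the handler below cannot raise on its own.
            eventID = None
            eid = None
            try:
                root = event.lxml()
                # NOTE(review): <System> children addressed by position
                # (Provider=0, EventID=1, Level=2, TimeCreated=5), as originally.
                systemTag = root[0]
                loggedTime = systemTag[5].get("SystemTime")
                providerName = systemTag[0].get("Name")
                eventID = systemTag[1].text
                if not loggedTime:
                    continue
                eid = int(eventID)
                if eid not in checkedEID or providerName != checkedProviders[eventID]:
                    continue
                if timeline:
                    logged = datetime.datetime.strptime(loggedTime, "%Y-%m-%d %H:%M:%S.%f")
                    if logged < timeline:
                        logging.info(
                            "[Exception] EID - {}, {} was skipped, it's more older timeline"
                            .format(eventID, providerName))
                        continue
                levelText = systemTag[2].text
                # A level outside 1-4 used to leave ``level`` unbound; keep the
                # raw value instead of losing the row to a NameError.
                level = levelNames.get(levelText, levelText)
                eventDataTag = root[1]
                if eid == 1000:
                    # <EventData> idx - 0 (SW), 3 (Module), 6 (Exception Code)
                    swName = eventDataTag[0].text
                    if swName.upper() not in origin:
                        continue
                    items.append([head1000, loggedTime, providerName, eventID, level, swName, event.xml()])
                elif eid == 1001:
                    # <EventData> idx - 5 (SW), 8 (Module), 11 (Exception Code), 16 (PATH)
                    swName = eventDataTag[5].text
                    if eventDataTag[2].text != 'APPCRASH' or swName.upper() not in appcrashList:
                        continue
                    wer_info.append([eventDataTag[16].text, eventDataTag[8].text, eventDataTag[11].text])
                    items.append([head1001, loggedTime, providerName, eventID, level, swName, event.xml()])
            except Exception as e:
                if eid is not None and eid in checkedEID:
                    logging.info('[Error] EID - {} in "Application.evtx": {}'.format(eventID, e))

    if wer_info:
        # Local name instead of rebinding the ``type`` parameter.
        werType = CONSTANT.IE if not checkedSW[1] else CONSTANT.OFFICE
        getReportWER(wer_info, items, werType)
    prototype += items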
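def run(self):
    """Collect Application-log crash rows (EID 1000/1001) into ``self.artifacts_list``.

    ``self.env[1]`` truthy means the log has already been collected under
    ``self.env[4][1]`` (returns early, without emitting, if that directory is
    missing); otherwise the live log under ``CONSTANT.EVENTLOG`` is read and
    copied there first. Each kept row is tagged
    ``[EVENTLOG_KEYWORD, False, swNum, colorNum]`` where ``swNum`` is the
    1-based index of the matching ``checked_sw`` entry. When any 1001 record
    carried a path, ``self.getReportWER`` is called with the collected
    ``[path, module, exceptionCode, swNum]`` rows. ``self.completed`` is
    emitted after parsing.
    """
    evtx_name = 'Application.evtx'
    if self.env[1]:
        if not os.path.exists(self.env[4][1]):
            # NOTE(review): the original returns here without emitting
            # ``completed``; kept as-is, confirm the caller expects that.
            return
        full_path = self.env[4][1] + evtx_name
    else:
        full_path = CONSTANT.EVENTLOG + evtx_name
        copy(full_path, self.env[4][1], 'Not copied "{}"'.format(evtx_name))

    items = []
    wer_list = []
    # Entry position (1-based) is the software number reported in each row.
    # NOTE(review): for the plain-string entries the membership test below is
    # a substring match, not equality; kept as the original had it.
    checked_sw = [
        "ACRORD32.EXE",
        '',
        ["MICROSOFTEDGE.EXE", "MICROSOFTEDGEBCHOST.EXE", "MICROSOFTEDGECP.EXE"],
        ["HWP.EXE", "GBB.EXE", "GSWIN32C.EXE"],
        "IEXPLORE.EXE",
        ["WINWORD.EXE", "POWERPNT.EXE", "EXCEL.EXE", "WMIPRVSE.EXE",
         "EQNEDT32.EXE", "DW20.EXE", "DWWIN.EXE", "FLTLDR.EXE"],
    ]
    # Per software entry: (colour for EID 1000, colour for EID 1001).
    color_number = [(3, 5), (0, 0), (2, 4), (5, 5), (2, 4), (5, 5)]
    checked = {
        '1000': 'Application Error',
        '1001': 'Windows Error Reporting',
    }
    # Hoisted out of the loop (was rebuilt per record) and defined before the
    # ``try`` so the handler can always reference it.
    checked_id = list(checked.keys())
    # <System><Level> values as written by the event log.
    level_names = {'1': 'Fatal', '2': 'Error', '3': 'Warning', '4': 'Information'}

    import libs.ParseEvtx.Evtx as evtx
    with evtx.Evtx(full_path) as log:
        for event in log.records():
            # Reset per record so the handler below cannot raise on its own.
            event_id = None
            try:
                root = event.lxml()
                # NOTE(review): <System> children addressed by position
                # (Provider=0, EventID=1, Level=2, TimeCreated=5), as originally.
                system_tag = root[0]
                logged_time = system_tag[5].get("SystemTime")
                provider_name = system_tag[0].get("Name")
                event_id = system_tag[1].text
                if not logged_time:
                    continue
                if event_id not in checked_id or provider_name != checked[event_id]:
                    continue
                # NOTE(review): timeline filtering on ``self.timeline`` was
                # commented out in the original and stays disabled here.
                level_text = system_tag[2].text
                # A level outside 1-4 used to leave ``level`` unbound; keep the
                # raw value instead of losing the row to a NameError.
                level = level_names.get(level_text, level_text)
                data_tag = root[1]
                if event_id == checked_id[0]:
                    # <EventData> idx - 0 (SW), 3 (Module), 6 (Exception Code)
                    etc = data_tag[0].text
                    color_column = 0
                elif event_id == checked_id[1]:
                    # <EventData> idx - 5 (SW), 8 (Module), 11 (Exception Code), 16 (PATH)
                    etc = data_tag[5].text
                    color_column = 1
                else:
                    continue

                sw_num = 0
                color_num = None
                for position, sw in enumerate(checked_sw, start=1):
                    if etc.upper() in sw:
                        sw_num = position
                        color_num = color_number[position - 1][color_column]
                        break
                if not sw_num:
                    continue

                if event_id == checked_id[1] and data_tag[16].text:
                    wer_list.append([data_tag[16].text, data_tag[8].text, data_tag[11].text, sw_num])
                items.append([
                    [CONSTANT.EVENTLOG_KEYWORD, False, sw_num, color_num],
                    logged_time, provider_name, event_id, level, etc, event.xml(),
                ])
            except Exception as e:
                if event_id in checked_id:
                    logging.info('[Error] EID - {} in "{}": {}'.format(event_id, evtx_name, e))

    if wer_list:
        self.getReportWER(wer_list)
    self.artifacts_list += items
    self.completed.emit()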