def register_listener(callback_func=print_event):
    """Subscribe to future Sysmon events and hand each one to ``callback_func``.

    Runs forever: drains every event the subscription has queued, then blocks
    (alertably, in 2 s slices) on the signal handle until more arrive and
    drains again.

    Args:
        callback_func: called once per event handle; defaults to ``print_event``.
    """
    channel = "Microsoft-Windows-Sysmon/Operational"
    xpath = "*"
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(
        channel,
        win32evtlog.EvtSubscribeToFutureEvents,
        SignalEvent=signal,
        Query=xpath,
    )
    print("开始监听可疑事件")
    while True:
        # Drain everything the subscription has queued, ten events per call.
        while True:
            batch = win32evtlog.EvtNext(subscription, 10)
            if not batch:
                break
            for evt in batch:
                callback_func(evt)
        # Block until the subscription signals that new events are available.
        while True:
            status = win32event.WaitForSingleObjectEx(signal, 2000, True)
            if status == win32con.WAIT_OBJECT_0:
                break
def listen(self, honeypot_configuration):
    """Subscribe to ``self.log_type`` and alert on every event that matches a honeypot.

    Starts at the oldest record, drains the queued events, then waits (in 10 s
    alertable slices, printing a "Waiting" line each time) for the subscription's
    signal before draining again.  Never returns.

    Args:
        honeypot_configuration: passed through to ``__identify_honeypot`` together
            with the event id and the rendered event XML.
    """
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(
        self.log_type,
        win32evtlog.EvtSubscribeStartAtOldestRecord,
        SignalEvent=signal,
        Query=self.query_text,
    )
    while True:
        while True:
            batch = win32evtlog.EvtNext(subscription, 10)
            if not batch:
                break
            for evt in batch:
                rendered = win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)
                parsed = xmltodict.parse(rendered)
                raw_id = parsed['Event']['System']['EventID']
                # xmltodict yields a dict (text under '#text') when the element
                # carries attributes, and a bare string otherwise.
                event_id = raw_id if isinstance(raw_id, str) else raw_id['#text']
                honeypot = self.__identify_honeypot(event_id, rendered, honeypot_configuration)
                # NOTE(review): the event's data fields are produced by the logged
                # activity itself, so treat their contents as untrusted text when
                # __alert renders them — confirm how the alert sink escapes them.
                if honeypot is not None:
                    self.__alert(parsed, event_id, honeypot)
        while True:
            print("Waiting " + self.log_type)
            status = win32event.WaitForSingleObjectEx(signal, 10000, True)
            if status == win32con.WAIT_OBJECT_0:
                break
def poll_events(self):
    """Yield every event currently available on ``self._subscription``.

    Generator: drains the subscription in batches of ``self.config.payload_size``,
    then waits up to ``self.config.timeout`` ms on ``self._event_handle`` and
    drains again.  Returns as soon as a wait ends without the handle being
    signalled, or when ``EvtNext`` raises a Windows error (which is logged via
    ``log_windows_error``, not propagated).
    """
    while True:
        # The subscription is live as soon as it is created, so drain it before
        # the first wait rather than after.
        while True:
            # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtnext
            # https://mhammond.github.io/pywin32/win32evtlog__EvtNext_meth.html
            # Older pywin32 raises "The operation identifier is not valid" from
            # EvtNext when nothing is queued (plain polling); upstream PR
            # https://github.com/mhammond/pywin32/pull/1648 returns an empty tuple
            # instead.  Until that lands the error is only logged as a debug line.
            try:
                batch = win32evtlog.EvtNext(self._subscription, self.config.payload_size)
            except pywintypes.error as err:
                self.log_windows_error(err)
                break
            if not batch:
                break
            yield from batch
        # https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobjectex
        # https://mhammond.github.io/pywin32/win32event__WaitForSingleObjectEx_meth.html
        status = win32event.WaitForSingleObjectEx(self._event_handle, self.config.timeout, True)
        if status != win32con.WAIT_OBJECT_0:
            # Not signalled within the timeout: this check run is complete.
            break
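def get_last_days_history(days, callback_func=print_event):
    """Replay the Sysmon events of the last ``days`` days through ``callback_func``.

    Queries "Microsoft-Windows-Sysmon/Operational" newest-first, restricted by an
    XPath filter on ``TimeCreated/@SystemTime`` so only events inside the
    requested window are read, and prints a progress count every 1000 events.

    Args:
        days: size of the look-back window in days.
        callback_func: called once per event handle; defaults to ``print_event``.

    Returns:
        The number of events handed to ``callback_func``.
    """
    print("Get last " + str(days) + " days history...")
    # @SystemTime is compared as an ISO 8601 UTC timestamp with a trailing 'Z',
    # so the cutoff is computed in UTC and formatted the same way.
    cutoff = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(days=days)
    query = "*[System[TimeCreated[@SystemTime>='{}']]]".format(
        cutoff.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    )
    path = "Microsoft-Windows-Sysmon/Operational"
    handle = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryReverseDirection, query, None)
    count = 0
    while True:
        events = win32evtlog.EvtNext(handle, 10)
        if not events:
            # Note: win32evtlog.ClearEventLog(handle, None) was tried here to drop
            # the parsed events and crashed with an access violation (0xC0000005).
            print("done")
            break
        for event in events:
            count += 1
            # Fix: the original called print_event() directly and ignored
            # callback_func, so a caller-supplied handler was never invoked.
            callback_func(event)
            if count % 1000 == 0:
                print(count)
    return count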
def poll_events(self):
    """Generator over the events queued on ``self._subscription``.

    Reads ``self._payload_size`` events per ``EvtNext`` call until the queue is
    empty, then waits ``self._timeout`` ms for ``self._event_handle`` to be
    signalled and repeats.  Stops when the wait does not end with the handle
    signalled, or when ``EvtNext`` fails with a Windows error, which is logged
    through ``log_windows_error`` rather than raised.
    """
    finished = False
    while not finished:
        # The subscription is active as soon as it exists: consume before the
        # first wait, as the pull-subscription pattern requires.
        while True:
            # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtnext
            # http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtNext_meth.html
            try:
                chunk = win32evtlog.EvtNext(self._subscription, self._payload_size)
            except pywintypes.error as win_err:
                self.log_windows_error(win_err)
                break
            if not chunk:
                break
            for item in chunk:
                yield item
        # https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobjectex
        # http://timgolden.me.uk/pywin32-docs/win32event__WaitForSingleObjectEx_meth.html
        outcome = win32event.WaitForSingleObjectEx(self._event_handle, self._timeout, True)
        # Anything other than "signalled" means there are no more events for this run.
        finished = outcome != win32con.WAIT_OBJECT_0
def subscribe_and_yield_events(channel, query="*"):
    """Generator that subscribes to ``channel`` and yields each new event as a ``LogEvent``.

    Only events logged after the subscription is created are delivered
    (``EvtSubscribeToFutureEvents``).  Each event is rendered to XML and wrapped
    in ``LogEvent``; events that fail ``is_valid()`` are reported on stdout and
    skipped.  Never returns on its own.

    Args:
        channel: event log channel path to subscribe to.
        query: XPath selecting the events of interest; "*" selects all.
    """
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(
        channel,
        win32evtlog.EvtSubscribeToFutureEvents,
        SignalEvent=signal,
        Query=query,
    )
    while True:
        # Drain the queued events first ...
        while True:
            batch = win32evtlog.EvtNext(subscription, 10)
            if not batch:
                break
            for evt in batch:
                xml = win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)
                parsed = LogEvent(xml, source_os=detect_current_os())
                if not parsed.is_valid():
                    print("[ERROR] Parsing error")
                    continue
                yield parsed
        # ... then wait (alertably, in 200 ms slices) until more are signalled.
        while True:
            status = win32event.WaitForSingleObjectEx(signal, 200, True)
            if status == win32con.WAIT_OBJECT_0:
                break
def get_events_xmls(channel_name="Microsoft-Windows-PrintService/Operational", events_batch_num=100, backwards=True):
    """Return the XML rendering of every event in ``channel_name``.

    Args:
        channel_name: event log channel path to query.
        events_batch_num: how many events to fetch per ``EvtNext`` call.
        backwards: when true, read newest-first (``EvtQueryReverseDirection``).

    Returns:
        A list of XML strings, one per event, in read order; an empty list when
        the query cannot be opened (the Windows error is printed, not raised).
    """
    flags = win32evtlog.EvtQueryChannelPath
    if backwards:
        flags |= win32evtlog.EvtQueryReverseDirection
    try:
        result_set = win32evtlog.EvtQuery(channel_name, flags, None, None)
    except pywintypes.error as win_err:
        print(win_err)
        return []
    rendered = []
    while True:
        batch = win32evtlog.EvtNext(result_set, events_batch_num, INFINITE, 0)
        if not batch:
            break
        rendered.extend(
            win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml) for evt in batch
        )
    return rendered
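def load_log_data(log_file):
    """Read every event in the exported log file ``log_file`` and return them as XML strings.

    Opens the file with ``EvtQueryFilePath`` and renders each event with
    ``EvtRenderEventXml``; events are returned in the order the query yields them.

    Args:
        log_file: path of the event log file (e.g. an .evtx export) to read.

    Returns:
        list[str]: one XML document per event; empty when the file holds no events.
    """
    query_handle = win32evtlog.EvtQuery(log_file, win32evtlog.EvtQueryFilePath)
    xml_list = []
    # Fetch in batches instead of one record per call: the result is identical,
    # but a large log needs far fewer round trips into the event log API.
    batch_size = 100
    while True:
        events = win32evtlog.EvtNext(query_handle, batch_size)
        if not events:
            break
        xml_list.extend(
            win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml) for event in events
        )
    return xml_list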
# Demonstrates how to create a "pull" subscription: the script drains the
# subscription itself instead of receiving events through a callback.
import win32evtlog
import win32event
import win32con

# Only Winlogon's events from the System channel.
query_text = '*[System[Provider[@Name="Microsoft-Windows-Winlogon"]]]'
h = win32event.CreateEvent(None, 0, 0, None)
s = win32evtlog.EvtSubscribe(
    'System',
    win32evtlog.EvtSubscribeStartAtOldestRecord,
    SignalEvent=h,
    Query=query_text,
)

while True:
    # Drain whatever the subscription has queued, ten events at a time.
    while True:
        events = win32evtlog.EvtNext(s, 10)
        if not events:
            break
        # To inspect the records, render each with EvtRenderEventXml; here they
        # are only counted.
        print('retrieved %s events' % len(events))
    # Then block (alertably, in 2 s slices) until new events are signalled.
    while True:
        print('waiting...')
        w = win32event.WaitForSingleObjectEx(h, 2000, True)
        if w == win32con.WAIT_OBJECT_0:
            break
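def main():
    """Print a summary of the first ``num_events`` events of an event log channel.

    Usage: ``script [CHANNEL [COUNT]]`` -- ``CHANNEL`` defaults to 'System' and
    ``COUNT`` to 5.  For each event the level, creation timestamp, computer
    name, provider and (when the provider's message table is available) the
    formatted message are printed.
    """
    path = 'System'
    num_events = 5
    if len(sys.argv) > 2:
        path = sys.argv[1]
        num_events = int(sys.argv[2])
    elif len(sys.argv) > 1:
        path = sys.argv[1]

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    context = win32evtlog.EvtCreateRenderContext(win32evtlog.EvtRenderContextSystem)

    # Level values as reported in the event's System section.
    level_names = {1: 'CRITICAL', 2: 'ERROR', 3: 'WARNING', 4: 'INFO', 5: 'VERBOSE'}

    for i, event in enumerate(events, 1):
        # With a system render context, EvtRenderEventValues returns
        # (value, variant type) pairs indexed by the EvtSystem* constants.
        result = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventValues, Context=context)
        print('Event {}'.format(i))

        level_value, level_variant = result[win32evtlog.EvtSystemLevel]
        if level_variant != win32evtlog.EvtVarTypeNull:
            print(' Level: {}'.format(level_names.get(level_value, 'UNKNOWN')))

        time_created_value, time_created_variant = result[win32evtlog.EvtSystemTimeCreated]
        if time_created_variant != win32evtlog.EvtVarTypeNull:
            print(' Timestamp: {}'.format(time_created_value.isoformat()))

        computer_value, computer_variant = result[win32evtlog.EvtSystemComputer]
        if computer_variant != win32evtlog.EvtVarTypeNull:
            print(' FQDN: {}'.format(computer_value))

        provider_name_value, provider_name_variant = result[win32evtlog.EvtSystemProviderName]
        if provider_name_variant == win32evtlog.EvtVarTypeNull:
            continue
        print(' Provider: {}'.format(provider_name_value))

        # Message formatting is best-effort.  Seen failures: pywintypes.error
        # (2, 'EvtOpenPublisherMetadata', 'The system cannot find the file
        # specified.') and (15027, 'EvtFormatMessage: allocated 0, need buffer
        # of size 0', 'The message resource is present but the message was not
        # found in the message table.').  Either one just means no Message line.
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider_name_value)
        except Exception:
            continue
        try:
            message = win32evtlog.EvtFormatMessage(metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            continue
        # Fix: the literal was split across two physical lines, which is a
        # syntax error; the intended separator is an escaped newline.
        print(' Message: \n{}'.format(message))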
def main():
    """Print a summary of the first ``num_events`` events of an event log channel.

    Usage: ``script [CHANNEL [COUNT]]`` -- ``CHANNEL`` defaults to "System" and
    ``COUNT`` to 5.  For each event the level, creation timestamp, computer
    name, provider and (when the provider's message table is available) the
    formatted message are printed; a message the console cannot encode is
    printed in ``repr`` form instead.
    """
    path = "System"
    num_events = 5
    argc = len(sys.argv)
    if argc > 2:
        path, num_events = sys.argv[1], int(sys.argv[2])
    elif argc > 1:
        path = sys.argv[1]

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    context = win32evtlog.EvtCreateRenderContext(win32evtlog.EvtRenderContextSystem)

    # Level values as reported in the event's System section.
    level_names = {1: "CRITICAL", 2: "ERROR", 3: "WARNING", 4: "INFO", 5: "VERBOSE"}
    null_type = win32evtlog.EvtVarTypeNull

    for index, event in enumerate(events, 1):
        # With a system render context, EvtRenderEventValues returns
        # (value, variant type) pairs indexed by the EvtSystem* constants.
        values = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventValues, Context=context)
        print("Event {}".format(index))

        level, level_type = values[win32evtlog.EvtSystemLevel]
        if level_type != null_type:
            print(" Level: {}".format(level_names.get(level, "UNKNOWN")))

        created, created_type = values[win32evtlog.EvtSystemTimeCreated]
        if created_type != null_type:
            print(" Timestamp: {}".format(created.isoformat()))

        computer, computer_type = values[win32evtlog.EvtSystemComputer]
        if computer_type != null_type:
            print(" FQDN: {}".format(computer))

        provider, provider_type = values[win32evtlog.EvtSystemProviderName]
        if provider_type == null_type:
            continue
        print(" Provider: {}".format(provider))

        # Message formatting is best-effort; both lookups below are skipped
        # silently when they fail.
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider)
        except Exception:
            # e.g. pywintypes.error: (2, 'EvtOpenPublisherMetadata', 'The system cannot find the file specified.')
            continue
        try:
            message = win32evtlog.EvtFormatMessage(metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            # e.g. pywintypes.error: (15027, 'EvtFormatMessage: allocated 0, need buffer of size 0', 'The message resource is present but the message was not found in the message table.')
            continue
        try:
            print(" Message: {}".format(message))
        except UnicodeEncodeError:
            # Obscure error when run under subprocess.Popen(), presumably due to
            # not knowing the correct encoding for the console:
            # > UnicodeEncodeError: 'charmap' codec can't encode character '\u200e' in position 57: character maps to <undefined>
            # Can't reproduce when running manually, so it seems more a
            # subprocess.Popen() issue than ours.
            print(" Failed to decode:", repr(message))
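# Pull every Sysmon event created inside a one-second window (UTC) and render
# each one to XML.  The window bounds are literals: edit them for another range.
query = (
    '<QueryList>'
    '<Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">'
    '<Select Path="Microsoft-Windows-Sysmon/Operational">'
    "*[System[TimeCreated[@SystemTime>='2021-05-16T20:33:56.001Z' "
    "and @SystemTime<='2021-05-16T20:33:57.000Z']]]"
    '</Select>'
    '</Query>'
    '</QueryList>'
)
path = "Microsoft-Windows-Sysmon/Operational"
handle = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryReverseDirection, query, None)

# Fix: the original never initialised this before `count += 1`, so the first
# event raised NameError.
count = 0
while True:
    events = win32evtlog.EvtNext(handle, 10)
    if not events:
        # Note: win32evtlog.ClearEventLog(handle, None) was tried here to drop
        # the parsed events and crashed with an access violation (0xC0000005).
        break
    for event in events:
        count += 1
        print(count)
        # Rendered XML of the event, kept for inspection (the original guarded
        # this with `count % 1 == 0`, which is always true).
        record = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)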