def listen(self, honeypot_configuration): h = win32event.CreateEvent(None, 0, 0, None) s = win32evtlog.EvtSubscribe( self.log_type, win32evtlog.EvtSubscribeStartAtOldestRecord, SignalEvent=h, Query=self.query_text) while True: while True: events = win32evtlog.EvtNext(s, 10) if len(events) == 0: break for event in events: event_id = None event_format_xml = win32evtlog.EvtRender( event, win32evtlog.EvtRenderEventXml) event_format_dict = xmltodict.parse(event_format_xml) if isinstance( event_format_dict['Event']['System']['EventID'], str): event_id = event_format_dict['Event']['System'][ 'EventID'] else: event_id = event_format_dict['Event']['System'][ 'EventID']['#text'] honeypot = self.__identify_honeypot( event_id, event_format_xml, honeypot_configuration) if honeypot is not None: self.__alert(event_format_dict, event_id, honeypot) while True: print("Waiting " + self.log_type) w = win32event.WaitForSingleObjectEx(h, 10000, True) if w == win32con.WAIT_OBJECT_0: break
def register_listener(callback_func=print_event): ''' 开始监听Sysmon事件,当事件发生的时候调用监听函数。 ''' query_text = "*" channel_path = "Microsoft-Windows-Sysmon/Operational" h_evt = win32event.CreateEvent(None, 0, 0, None) h_sub = win32evtlog.EvtSubscribe(channel_path, win32evtlog.EvtSubscribeToFutureEvents, SignalEvent=h_evt, Query=query_text) print("开始监听可疑事件") while True: while True: events = win32evtlog.EvtNext(h_sub, 10) if len(events) == 0: break # print('retrieved %s events' %len(events)) for event in events: callback_func(event) while True: # print ('waiting...') w = win32event.WaitForSingleObjectEx(h_evt, 2000, True) if w == win32con.WAIT_OBJECT_0: break
def subscribe_and_yield_events(channel, query="*"): #SUBSCRIBE h = win32event.CreateEvent(None, 0, 0, None) s = win32evtlog.EvtSubscribe(channel, win32evtlog.EvtSubscribeToFutureEvents, SignalEvent=h, Query=query) #LOOP while True: while True: events = win32evtlog.EvtNext(s, 10) if len(events) == 0: break for event in events: raw_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml) er = LogEvent(raw_xml, source_os=detect_current_os()) if er.is_valid(): yield er else: print("[ERROR] Parsing error") while True: #print('waiting...') w = win32event.WaitForSingleObjectEx(h, 200, True) if w == win32con.WAIT_OBJECT_0: break
def create_subscription(self): # https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa # http://timgolden.me.uk/pywin32-docs/win32event__CreateEvent_meth.html self._event_handle = win32event.CreateEvent(None, 0, 0, self.check_id) bookmark = self.read_persistent_cache('bookmark') if bookmark: flags = win32evtlog.EvtSubscribeStartAfterBookmark else: flags = self.START_OPTIONS[self._subscription_start] # Set explicitly to None rather than a potentially empty string bookmark = None # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtcreatebookmark # http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtCreateBookmark_meth.html self._bookmark_handle = win32evtlog.EvtCreateBookmark(bookmark) # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe # http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtSubscribe_meth.html self._subscription = win32evtlog.EvtSubscribe( self._path, flags, SignalEvent=self._event_handle, Query=self._query, Session=self._session, Bookmark=self._bookmark_handle if bookmark else None, ) # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtcreaterendercontext # https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_render_context_flags self._render_context_system = win32evtlog.EvtCreateRenderContext( win32evtlog.EvtRenderContextSystem) self._render_context_data = win32evtlog.EvtCreateRenderContext( win32evtlog.EvtRenderContextUser)
def load_checkpoints( self, checkpoints ): # only use new checkpoints if 'api' not in checkpoints or checkpoints['api'] != 'new': checkpoints = {} self._checkpoints['api'] = 'new' self._checkpoints['bookmarks'] = {} if 'bookmarks' not in checkpoints: checkpoints['bookmarks'] = {} for channel, bookmarkXml in checkpoints['bookmarks'].iteritems(): self.__bookmarks[channel] = win32evtlog.EvtCreateBookmark( bookmarkXml ) # subscribe to channels for info in self.__channels: channel_list = info['channel'] query = info['query'] for channel in channel_list: self._logger.info( "subscribing to %s, %s", channel, query ) # subscribe to future events flags = win32evtlog.EvtSubscribeToFutureEvents bookmark = None try: # unless we have a bookmark for this channel self.__bookmark_lock.acquire() if channel in self.__bookmarks: flags = win32evtlog.EvtSubscribeStartAfterBookmark bookmark = self.__bookmarks[channel] finally: self.__bookmark_lock.release() self.__eventHandles.append( win32evtlog.EvtSubscribe( channel, flags, Bookmark=bookmark, Query=query, Callback=event_callback, Context=self ) )
def test_channel_existence(channel): h = win32event.CreateEvent(None, 0, 0, None) try: win32evtlog.EvtSubscribe(channel, win32evtlog.EvtSubscribeToFutureEvents, SignalEvent=h, Query='*') except pywintypes.error as e: return False return True
def subscribe(self, log_name, query='*'): if log_name in self.__subscriptions: return True try: subscription = win32evtlog.EvtSubscribe( log_name, win32evtlog.EvtSubscribeToFutureEvents, Query=query, Callback=self.__log_callback, Context=log_name) self.__subscriptions[log_name] = subscription except win32evtlog.error: return False return True
def _subscribe_to_events(self): """ Go through all channels, and create an event subscription to that channel. If a bookmark exists for a given channel, start the events from that bookmark, otherwise subscribe to future events only. """ for info in self.__channels: channel_list = info["channel"] query = info["query"] for channel in channel_list: self._logger.info("subscribing to %s, %s", channel, query) # subscribe to future events flags = win32evtlog.EvtSubscribeToFutureEvents bookmark = None try: # unless we have a bookmark for this channel self.__bookmark_lock.acquire() if channel in self.__bookmarks: flags = win32evtlog.EvtSubscribeStartAfterBookmark bookmark = self.__bookmarks[channel] finally: self.__bookmark_lock.release() error_message = None try: handle = win32evtlog.EvtSubscribe( channel, flags, Bookmark=bookmark, Query=query, Callback=event_callback, Context=self, Session=self._session, ) except Exception as e: handle = None error_message = win32api.FormatMessage(0) if handle is None: self._logger.warn( "Error subscribing to channel '%s' - %s" % (channel, error_message) ) else: self.__eventHandles.append(handle)
def add_event_handler(s, task): def run_task_with_data(reason, context, event): ' Converts event XML to dictionary ' r''' <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" /> <EventID Qualifiers="0">10010</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2021-02-10T12:24:20.581005200Z" /> <EventRecordID>729301</EventRecordID> <Correlation /> <Execution ProcessID="952" ThreadID="41804" /> <Channel>System</Channel> <Computer>DB</Computer> <Security UserID="S-1-5-20" /> </System> <EventData> <Data Name="param1">{AAC1009F-AB33-48F9-9A21-7F5B88426A2E}</Data> </EventData> </Event> ''' xml_str = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml) s.run_task(task=task, caller=CALLER_EVENT, data=DataEvent(xml_str)) try: s.event_handlers.append( win32evtlog.EvtSubscribe( task['event_log'], win32evtlog.EvtSubscribeToFutureEvents, None, run_task_with_data, None, task['event_xpath'], None, None)) except: msgbox_warning( lang.warn_event_format.format(task['task_name_full']))
## Demonstrates how to create a "pull" subscription import win32evtlog, win32event, win32con query_text = '*[System[Provider[@Name="Microsoft-Windows-Winlogon"]]]' h = win32event.CreateEvent(None, 0, 0, None) s = win32evtlog.EvtSubscribe('System', win32evtlog.EvtSubscribeStartAtOldestRecord, SignalEvent=h, Query=query_text) while 1: while 1: events = win32evtlog.EvtNext(s, 10) if len(events) == 0: break ##for event in events: ## print(win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)) print('retrieved %s events' % len(events)) while 1: print('waiting...') w = win32event.WaitForSingleObjectEx(h, 2000, True) if w == win32con.WAIT_OBJECT_0: break
# Demonstrates a "push" subscription with a callback function import win32evtlog query_text = '*[System[Provider[@Name="Microsoft-Windows-Winlogon"]]]' def c(reason, context, evt): if reason == win32evtlog.EvtSubscribeActionError: print('EvtSubscribeActionError') elif reason == win32evtlog.EvtSubscribeActionDeliver: print('EvtSubscribeActionDeliver') else: print(('??? Unknown action ???', reason)) context.append(win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)) return 0 evttext = [] s = win32evtlog.EvtSubscribe( 'System', win32evtlog.EvtSubscribeStartAtOldestRecord, Query='*', Callback=c, Context=evttext)
## Demonstrates a "push" subscription with a callback function import win32evtlog query_text = '*[System[Provider[@Name="Microsoft-Windows-Winlogon"]]]' def c(reason, context, evt): if reason == win32evtlog.EvtSubscribeActionError: print("EvtSubscribeActionError") elif reason == win32evtlog.EvtSubscribeActionDeliver: print("EvtSubscribeActionDeliver") else: print("??? Unknown action ???", reason) context.append(win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)) return 0 evttext = [] s = win32evtlog.EvtSubscribe( "System", win32evtlog.EvtSubscribeStartAtOldestRecord, Query="*", Callback=c, Context=evttext, )
win32evtlog.EvtRpcLoginAuthDefault) evtSession = win32evtlog.EvtOpenSession(evtSessionCredentials, win32evtlog.EvtRpcLogin, 0, 0) XPathQuery = "*[System[({})]".format( ' or '.join("EventID=" + str(x) for x in eventIDs) ) # The XPath-styled query to tell the domain controller which events to return #evt1: int specifying why the function was called | evt2: context object (5th parameter in EvtSubscribe) | evt3: event content def eventTriggered(evt1, evt2, evt3): print("Triggered") print(evt1) print(evt2) print(win32evtlog.EvtRender(evt3, win32evtlog.EvtRenderEventXml)) win32event.PulseEvent(evtHandle) evtHandle = win32event.CreateEvent(None, 0, 0, None) x = win32evtlog.EvtSubscribe(eventlog, win32evtlog.EvtSubscribeToFutureEvents, None, eventTriggered, None, XPathQuery, None, None) while True: if win32event.WaitForSingleObject( evtHandle, 600000 ) == win32event.WAIT_OBJECT_0: # Not really necessary to have this or PulseEvent. Probably better to do everything in eventTriggered. # print(win32evtlog.EvtRender(x, win32evtlog.EvtRenderEventXml)) pass else: print('timeout')