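def parse(self, sketch_id):
    """Yield Windows logon (event id 4624) records from a Timesketch sketch.

    Streams every ``event_identifier:4624`` event of the sketch, parses its
    XML payload with ``self.parse_xml`` and resolves the source hostname:
    a source IP listed in ``self.LOCALHOST`` is discarded; when the event
    carries no source hostname, the destination hostname is used if there
    is no usable source IP, otherwise the knowledge base is asked via
    ``self.kb.get(src_ip)``.

    Args:
        sketch_id: Timesketch sketch identifier passed to ``event_stream``.

    Yields:
        Tuples ``(src_hostname, username, dst_hostname, logon_type,
        timestamp, es_index_name, es_id)``, one per streamed document.
    """
    events = set()
    for timesketch_event in event_stream(
            sketch_id=sketch_id, query=u'event_identifier:4624'):
        source = timesketch_event[u'_source']
        event_data = self.parse_xml(source.get(u'xml_string'))
        # Carry the document's index and id inside the tuple. The original
        # read ``timesketch_event`` again after this loop had finished, which
        # tagged every yielded record with the *last* streamed document's
        # ``_index``/``_id`` instead of its own.
        event_data.extend((
            source.get(u'timestamp'),
            timesketch_event.get(u'_index'),
            timesketch_event.get(u'_id')))
        events.add(tuple(event_data))

    # Figure out hostname
    for event in events:
        src_ip = event[0]
        src_hostname = event[1]
        dst_hostname = event[2]
        username = event[3]
        logon_type = event[4]
        timestamp = event[5]
        es_index_name = event[6]
        es_id = event[7]
        if src_ip in self.LOCALHOST:
            src_ip = None
        if not src_hostname:
            # No source host in the event: fall back to the destination host
            # when there is no usable source IP, else look the IP up.
            if not src_ip:
                src_hostname = dst_hostname
            else:
                src_hostname = self.kb.get(src_ip)
        yield (src_hostname, username, dst_hostname, logon_type, timestamp,
               es_index_name, es_id)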
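def win_services(sketch_id):
    """Return Windows service-installation (event id 7045) records of a sketch.

    Streams every ``event_identifier:7045`` event of the sketch, parses the
    XML payload with ``parse_xml`` and de-duplicates the results together
    with the document's timestamp, index and id.

    Args:
        sketch_id: Timesketch sketch identifier passed to ``event_stream``.

    Returns:
        A list of dicts with keys ``src``, ``svc_name``, ``start_type``,
        ``image_path``, ``image_path_short``, ``timestamp``,
        ``es_index_name`` and ``es_query`` (an ``_index``/``_id`` query
        string that locates the originating document).
    """
    events = set()
    for event in event_stream(
            sketch_id=sketch_id, query=u'event_identifier:7045'):
        data = event[u'_source'][u'xml_string']
        res = parse_xml(data)
        # Test the parse result *before* appending metadata: the original
        # checked ``res`` only after extending it with three fields, so the
        # guard could never fail and an empty or None result failed later
        # (``None.extend`` / short tuple) instead of being skipped.
        if not res:
            continue
        res.extend((
            event[u'_source'].get(u'timestamp'),
            event.get(u'_index'),
            event.get(u'_id')))
        events.add(tuple(res))

    result = []
    for event in events:
        (src_ws, svc_name, start_type, image_path,
         timestamp, es_index_name, es_id) = event
        # Last backslash-separated component of the service binary path.
        image_path_short = image_path.strip().strip('\\').split('\\')[-1]
        # Host part before the first dot, upper-cased.
        src_ws = src_ws.split('.')[0].upper()
        result.append({
            u'src': src_ws,
            u'svc_name': svc_name,
            u'start_type': start_type,
            u'image_path': image_path,
            u'image_path_short': image_path_short,
            u'timestamp': timestamp,
            u'es_index_name': es_index_name,
            u'es_query': u'_index:{} AND _id:{}'.format(es_index_name, es_id)
        })
    return result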
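def win_services(sketch_id):
    """Return Windows service-installation (event id 7045) records of a sketch.

    Streams every ``event_identifier:7045`` event of the sketch, parses the
    XML payload with ``parse_xml`` and de-duplicates the results together
    with the document's timestamp, index and id.

    Args:
        sketch_id: Timesketch sketch identifier passed to ``event_stream``.

    Returns:
        A list of dicts with keys ``src``, ``svc_name``, ``start_type``,
        ``image_path``, ``image_path_short``, ``timestamp``,
        ``es_index_name`` and ``es_query`` (an ``_index``/``_id`` query
        string that locates the originating document).
    """
    events = set()
    for event in event_stream(
            sketch_id=sketch_id, query='event_identifier:7045'):
        data = event['_source']['xml_string']
        res = parse_xml(data)
        # Test the parse result *before* appending metadata: the original
        # checked ``res`` only after extending it with three fields, so the
        # guard could never fail and an empty or None result failed later
        # (``None.extend`` / short tuple) instead of being skipped.
        if not res:
            continue
        res.extend((
            event['_source'].get('timestamp'),
            event.get('_index'),
            event.get('_id')))
        events.add(tuple(res))

    result = []
    for event in events:
        (src_ws, svc_name, start_type, image_path,
         timestamp, es_index_name, es_id) = event
        # Last backslash-separated component of the service binary path.
        image_path_short = image_path.strip().strip('\\').split('\\')[-1]
        # Host part before the first dot, upper-cased.
        src_ws = src_ws.split('.')[0].upper()
        result.append({
            'src': src_ws,
            'svc_name': svc_name,
            'start_type': start_type,
            'image_path': image_path,
            'image_path_short': image_path_short,
            'timestamp': timestamp,
            'es_index_name': es_index_name,
            'es_query': '_index:{} AND _id:{}'.format(es_index_name, es_id)
        })
    return result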
def main():
    """Command-line entry point: print service-install (7045) events as CSV.

    Reads ``--sketch`` (a Timesketch sketch id), streams the sketch's
    ``event_identifier:7045`` events, parses each XML payload with
    ``parse_xml`` and writes the distinct results to stdout under the
    header ``src,svc_name,start_type,image_path``.
    """
    arg_parser = argparse.ArgumentParser(description='Extract Windows services')
    arg_parser.add_argument(
        '--sketch', type=int, required=True, help='ID of Timesketch sketch')
    sketch_id = arg_parser.parse_args().sketch

    unique_events = set()
    for event in event_stream(
            sketch_id=sketch_id, query='event_identifier:7045'):
        parsed = parse_xml(event['_source']['xml_string'])
        # Falsy parse results (nothing extracted) are dropped.
        if parsed:
            unique_events.add(parsed)

    writer = csv.writer(sys.stdout, delimiter=',')
    writer.writerow(['src', 'svc_name', 'start_type', 'image_path'])
    # NOTE(review): every field originates from the host's event-log XML.
    # Downstream consumers opening this CSV in a spreadsheet should be aware
    # that cells beginning with '=', '+', '-' or '@' may be treated as
    # formulas by that application.
    for src_ws, svc_name, start_type, image_path in unique_events:
        # Host part before the first dot, upper-cased.
        host = src_ws.split('.')[0].upper()
        writer.writerow([host, svc_name, start_type, image_path])