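def Logminer():
    """Interactively audit one Windows event log for a single event ID.

    The log path is taken from a fixed menu (Application / Security /
    System under %SystemRoot%), never from free-form input; the event ID
    defaults to 4624 when the reply is not an integer.  Each record's XML
    is handed to ``InterestEvent``.  When the live log cannot be opened or
    parsed (typically insufficient privileges) the user is asked to copy it
    to ``./log.evtx`` and that copy is audited instead.  Nothing is
    returned; all output goes through ``print``.
    """
    ChooseEvtx = input(bold('请选择的日志序号:		(1.应用日志;2.安全日志;3.系统日志)\n\n') + Input())
    if ChooseEvtx == '1':
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\Application.evtx"
    elif ChooseEvtx == '2':
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\Security.evtx"
    else:
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\System.evtx"

    # Default the event ID; survive an empty, non-numeric or EOF reply.
    try:
        EventID = int(input(bold('请输入提取的事件ID:		(默认:4624)\n\n') + Input()))
    except (ValueError, EOFError):
        EventID = 4624

    def _audit(path, announce):
        """Run every record of *path* through InterestEvent.

        *announce* prints the "read OK" banner once the header has parsed,
        which is what the fallback path does.
        """
        # mmap only needs the descriptor; 'rb' states the binary intent.
        with open(path, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buffer:
                bufferHeader = FileHeader(buffer, 0)
                if announce:
                    print("")
                    print(Processing + "读取成功,正在检查数据……")
                for xml, record in evtx_file_xml_view(bufferHeader):
                    InterestEvent(xml, EventID)
                print(Result + "日志审计完毕……")

    try:
        _audit(EvtxPath, announce=False)
    except Exception:
        # Was a bare except: keep the fallback for any failure (open, mmap,
        # header or record parsing) but let KeyboardInterrupt/SystemExit
        # propagate.  The fixed relative name avoids directories the
        # interpreter cannot read.
        print(Processing + '提示:由于Python权限低无法读取系统文件,需手动复制文件于当前目录,且文件名改为“log.evtx”!')
        _audit(r"./log.evtx", announce=True)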
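def main():
    """Interactive entry point: tally logon events and write an HTML report.

    ``1`` queries the live Security channel via ``EventLog.Query`` (needs an
    elevated process; otherwise the user is told so and main returns);
    ``2`` reads a user-supplied .evtx path.  Every event's XML is folded into
    ``final_count`` by ``analyze``; ``final_count`` and the module-level
    ``time_list`` are then spliced between ``html_head`` and ``html_foot``
    into ``log<timestamp>.html``.
    """
    final_count = {}
    evt = input('[1]获取系统安全日志\n[2]获取evtx日志文件\n')
    if evt == "1":
        try:
            query = EventLog.Query("Security", "Event/EventData/Data[@Name='LogonType']")
            print('<----------start---------->')
            for event in query:
                final_count = analyze(event.xml, final_count)
        except Exception:
            # Was a bare except: keep the "run as administrator" hint for any
            # failure, but let KeyboardInterrupt/SystemExit propagate.
            input('请以管理员的方式打开,按回车键退出')
            return
    elif evt == "2":
        EvtxPath = input('[*]请输入文件路径:')
        # 'rb': the .evtx is binary and only the descriptor is handed to mmap.
        with open(EvtxPath, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                print('<----------start---------->')
                fh = FileHeader(buf, 0)
                for xml, record in evtx_file_xml_view(fh):
                    final_count = analyze(xml, final_count)

    # Name = 'log' + the struct_time fields concatenated without separators.
    stamp = ''.join(str(x) for x in time.localtime(int(time.time())))
    file = 'log{}.html'.format(stamp)
    # The counts and time_list are written as raw Python reprs into the
    # report's script block; strings derived from the log are not
    # HTML/JS-escaped here, so a crafted log can put markup into the report.
    with open(file, 'w', encoding='utf-8') as f:
        f.write(html_head + str(final_count) + "\nlet timeList=" + str(time_list) + html_foot)
    print(file + "已保存")
    input('按回车键退出')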
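def ParseEvtx(files):
    """Append every record of the .evtx at *files*, as ASCII-escaped XML, to ..\\RESULTS\\EventLog.txt.

    The log is walked once with ``Evtx`` to count records for the progress
    bar, then mmap'd and rendered through ``evtx_file_xml_view``.  Output is
    one ``<Events>`` document; a 55-column bar is redrawn on stdout per
    record.  Returns nothing.
    """
    with Evtx(files) as evtx:
        total = sum(1 for _ in evtx.records())
    # Avoid ZeroDivisionError should the view yield records the count missed.
    denominator = float(total) if total else 1.0
    bar_len = 55

    # Both handles are closed on exit; the output file was never closed before.
    with open("..\\RESULTS\\EventLog.txt", "a+") as writefile, open(files, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            writefile.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            writefile.write("<Events>")
            count = 0
            for xml, record in evtx_file_xml_view(fh):
                count += 1
                writefile.write(ascii(xml))
                filled_len = int(round(bar_len * count / denominator))
                percents = round(100.0 * count / denominator, 1)
                bar = '=' * filled_len + '-' * (bar_len - filled_len)
                sys.stdout.write('[%s] %s%s %s/%s \r' % (bar, percents, '%', count, total))
                sys.stdout.flush()
            # Closing tag once, after the loop; it used to be written per record.
            writefile.write("</Events>")
    print("")
    print("")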
def dump_event_log(event_file, xml_format):
    """Print the USB-related events (EventID 1003) found in the .evtx *event_file*.

    With *xml_format* true each matching record is printed as raw XML;
    otherwise a one-line summary is built from fixed child positions of the
    ``<System>`` element.  Prints a "not found" message and returns when the
    path is not a regular file.  Python 2 print statements.
    """

    if os.path.isfile(event_file) is False:
        print("The log file : " + event_file + " is not found.")
        return

    print("USB related event(s) found in the event log :")
    print("=============================================\n")

    with open(event_file, 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)

            for xml, record in evtx_file_xml_view(fh):
                # Log content is untrusted input to the XML parser.
                root = ET.fromstring(xml)
                # NOTE(review): root[0][1], [7], [12], [13] are positional
                # children of <System> (presumably EventID, TimeCreated,
                # Computer, Security) — confirm against the schema; any extra
                # element shifts every index.
                if root[0][1].text == '1003':
                    if xml_format:
                        print xml
                    else:
                        # The "******" on the last line is not valid Python;
                        # it looks like a scrubbed span in this listing.
                        print root[0][7].get(
                            'SystemTime'
                        ) + " EventID : " + root[0][
                            1].text + " Computer : " + root[0][
                                12].text + " User SID : " + root[0][13].get(
                                    'UserID'
                                ) + " User : "******"\n"
def printToAscii(buf):
    """Write the log held in *buf* to stdout as one ASCII-escaped XML document."""
    header = FileHeader(buf, 0x0)
    print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
    print("<Events>")
    escaped = (ascii(xml) for xml, _record in evtx_file_xml_view(header))
    for line in escaped:
        print(line)
    print("</Events>")
def xml_records(filename):
    """Yield ``(parsed, None)`` per record of *filename*, or ``(raw_or_None, error)`` on failure.

    ``OPTIONS.alternate`` selects the pure-Python ``Evtx`` reader, whose
    buffer/parse failures are logged and reported once as ``(None, error)``;
    otherwise ``PyEvtxParser`` is used.  A record that renders but is
    rejected by lxml is yielded as its raw text plus the ``XMLSyntaxError``.
    """
    if not OPTIONS.alternate:
        reader = PyEvtxParser(filename)
        try:
            for rec in reader.records():
                raw = rec['data']
                try:
                    parsed = ef.to_lxml(raw)
                except etree.XMLSyntaxError as err:
                    yield raw, err
                else:
                    yield parsed, None
        except Exception as err:  # UnicodeDecodeError, AttributeError, RuntimeError
            logging.error(err)
            yield None, err
        return

    with Evtx(filename) as evtx:
        try:
            header = evtx.get_file_header()
            for raw, _record in evtx_file_xml_view(header):
                try:
                    parsed = ef.to_lxml(raw)
                except etree.XMLSyntaxError as err:
                    yield raw, err
                else:
                    yield parsed, None
        except BinaryParser.OverrunBufferException as err:
            logging.error("Overrun Buffer Exception!")
            yield None, err
        except BinaryParser.ParseException as err:
            logging.error("Parse Exception!")
            yield None, err
        except Exception as err:  # UnicodeDecodeError, AttributeError
            logging.error(err)
            yield None, err
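def xml_records(filename):
    """Yield ``(lxml_element, None)`` per record of *filename*, or ``(xml_string, error)`` when it does not parse.

    The error path used to yield a third value, ``fh``, which is never bound
    in this function, so every malformed record raised NameError instead of
    being reported; it now yields the same two-tuple shape as the success path.
    """
    with Evtx(filename) as evtx:
        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
            try:
                parsed = to_lxml(xml)
            except etree.XMLSyntaxError as e:
                yield xml, e
            else:
                yield parsed, None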
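def get_Scripts(evtx):
    '''
    Returns powershell scripts that were run on the system by parsing the Windows Powershell Logs.

    Each hit is ``[record_id, time_created, task, script_name, message]``:
    ``script_name`` is the ``scriptname`` group of the module-level
    ``script_re`` applied to the second ``<Data>/<string>`` element and
    ``message`` is the third, stripped.  Records whose XML does not parse are
    skipped, as are those lacking the expected elements.
    '''
    ps_scripts_ran = []

    for xml, record in evtx_file_xml_view(evtx.get_file_header()):
        try:
            tree = to_lxml(xml)  # parse once; the same record was re-parsed up to four times before
        except etree.XMLSyntaxError:
            continue

        # The xpaths are absolute, so every top-level child of <Event> sees
        # the same values; the per-child loop is kept as in the original.
        for entry in tree:
            record_id = entry.xpath("/Event/System/EventRecordID")[0].text
            ctime = entry.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
            event_id = tree.xpath("/Event/System/Task")[0].text

            try:
                strings = tree.xpath("/Event/EventData/Data/string")
                script_name = script_re.search(str(strings[1].text)).group("scriptname")
                message = str(strings[2].text).strip()
            except (IndexError, AttributeError):
                # Too few <string> elements, or script_re did not match.
                continue

            ps_scripts_ran.append([
                record_id,
                str(ctime).replace(" ", "T") + "Z", event_id,
                script_name, message
            ])

    return ps_scripts_ran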
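def parse_window_event_viewer(atm):
    """Store one AtmEventViewerEvent per record of *atm*'s uploaded event log.

    The whole .evtx is read into memory, rendered record by record, and the
    timestamp, EventRecordID and EventID are pulled out of the XML text with
    regular expressions; records missing any of them are skipped.
    ``get_or_create`` keeps re-runs from duplicating rows.
    """
    atm.microsoft_event_viewer.file.open(mode='rb')
    data = atm.microsoft_event_viewer.file.read()
    # NOTE(review): the file object is never closed here — confirm the
    # storage backend closes it, or close it explicitly after the read.

    fh = FileHeader(data, 0x0)
    for xml_line, record in evtx_file_xml_view(fh):
        # get date
        match = re.search(r'<TimeCreated SystemTime=\".*\"', xml_line)
        if not match:
            continue
        match = re.search(r'\d{2,4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}', match.group())
        if not match:
            continue
        date = match.group()
        # event record id: '<EventRecordID>\d*' also matches an empty id, in
        # which case the digit search below finds nothing (it used to raise
        # AttributeError on .group()).
        match = re.search(r'<EventRecordID>\d*', xml_line)
        if not match:
            continue
        match = re.search(r'\d+', match.group())
        if not match:
            continue
        event_record_id = match.group()
        # event id
        match = re.search(r'<EventID Qualifiers="(\d+)?">\d+', xml_line)
        if not match:
            continue
        event_id = match.group().split(">")[1]
        # The full record XML is kept as context.
        AtmEventViewerEvent.objects.get_or_create(
            atm=atm,
            event_date=date,
            event_id=event_id,
            event_record_id=event_record_id,
            context=xml_line
        )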
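    def readLogFile(self, filename):
        """Print the .evtx *filename*, resolved under the platform log directory, as one XML document.

        The directory is the module-level ``log_dir_linux`` or
        ``log_dir_windows`` depending on ``os.name``.  Every record is
        printed inside ``<Events>``, followed by an ``N events found`` line.
        Python 2 print statements.
        """
        if os.name == 'posix':
            log_dir = log_dir_linux
        else:
            log_dir = log_dir_windows
        # NOTE(review): os.path.join discards log_dir when filename is
        # absolute and nothing rejects '..' components — confirm callers
        # only pass a bare file name.
        # 'rb': the log is binary and only the descriptor is handed to mmap.
        with open(os.path.join(log_dir, filename), 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                              access=mmap.ACCESS_READ)) as buf:
                fh = FileHeader(buf, 0x0)
                print "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>"
                print "<Events>"
                count = 0
                for xml, record in evtx_file_xml_view(fh):
                    print xml
                    count += 1
                print "</Events>"
                print count, "events found"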
def xml_records(filename):
    """Yield ``(parsed, None)`` or ``(raw, error)`` for each event in *filename*.

    With ``args.evtx`` the file is a binary .evtx read via ``Evtx``; with
    ``args.xmls`` it is an XML dump that is split back into individual
    ``<Event>`` documents before parsing.  Both flags may be set, in which
    case the file is processed twice.
    """
    if args.evtx:
        with Evtx(filename) as evtx:
            header = evtx.get_file_header()
            for xml, _record in evtx_file_xml_view(header):
                try:
                    parsed = to_lxml(xml)
                except etree.XMLSyntaxError as err:
                    yield xml, err
                else:
                    yield parsed, None

    if args.xmls:
        with open(filename, 'r') as fx:
            raw = fx.read()
            # Strip the prologue and the wrapping element, leaving bare events.
            stripped = raw.replace(
                "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>",
                "").replace("</Events>", "").replace("<Events>", "")
            del raw
            fragments = re.split(
                "<Event xmlns=[\'\"]http://schemas.microsoft.com/win/2004/08/events/event[\'\"]>",
                stripped)
            del stripped
            for fragment in fragments:
                if not fragment.startswith("<System>"):
                    continue
                try:
                    parsed = to_lxml("<Event>" + fragment)
                except etree.XMLSyntaxError as err:
                    yield fragment, err
                else:
                    yield parsed, None
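def ParseEvtx(files):
    """Append every record of the .evtx at *files*, as ASCII-escaped XML, to ..\\RESULTS\\EventLog.txt.

    The log is walked once with ``Evtx`` to count records for the progress
    bar, then mmap'd and rendered through ``evtx_file_xml_view``.  Output is
    one ``<Events>`` document; a 55-column bar is redrawn on stdout per
    record.  Returns nothing.
    """
    with Evtx(files) as evtx:
        total = sum(1 for _ in evtx.records())
    # Avoid ZeroDivisionError should the view yield records the count missed.
    denominator = float(total) if total else 1.0
    bar_len = 55

    # Both handles are closed on exit; the output file was never closed before.
    with open("..\\RESULTS\\EventLog.txt", "a+") as writefile, open(files, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            writefile.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            writefile.write("<Events>")
            count = 0
            for xml, record in evtx_file_xml_view(fh):
                count += 1
                writefile.write(ascii(xml))
                filled_len = int(round(bar_len * count / denominator))
                percents = round(100.0 * count / denominator, 1)
                bar = '=' * filled_len + '-' * (bar_len - filled_len)
                sys.stdout.write('[%s] %s%s %s/%s \r' % (bar, percents, '%', count, total))
                sys.stdout.flush()
            # Closing tag once, after the loop; it used to be written per record.
            writefile.write("</Events>")
    print("")
    print("")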
 def on_task_input(self, task, config):
     """FlexGet input: emit one Entry per configured provider/event-id match in an .evtx.

     ``config['filename']`` is the log to read.  ``config['providers']`` is
     a list of single-key dicts mapping a provider name to
     ``{'events': [...], 'short': ...}``, where each event is a bare integer
     ID or an ``{id: text}`` dict.  Returns the entries and logs a one-line
     summary through ``log.verbose``.
     """
     from Evtx.Evtx import FileHeader
     from Evtx.Views import evtx_file_xml_view
     entries = []
     t1 = datetime.now()
     ntot = 0  # records seen
     nerr = 0  # records skipped because their XML did not parse
     # WARNING: to open an active Windows eventlog files (i.e. those in the
     # %SystemRoot%\System32\Winevt\Logs\ path) Flexget will need to run as
     # Administrator, otherwise open() will raise a "permission denied"
     # error. Exported logs can be accessed without special permissions.
     with open(config['filename'], 'r') as f:
         with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
             fh = FileHeader(buf, 0x0)
             for xml, record in evtx_file_xml_view(fh):
                 ntot += 1
                 # some cleaning: namespaces here only makes accessing
                 # nodes more difficult, while EventData content sometimes
                 # fails ElementTree parsing (and it's useless too).
                 xml = xml.replace(' xmlns="http://schemas.microsoft.com/win/2004/08/events/event"', '')
                 if '<EventData>' in xml:
                     # cut from the char before '<EventData>' to just past
                     # '</EventData>' (12 characters long)
                     i1 = xml.index('<EventData>')-1
                     i2 = xml.index('</EventData>')+12
                     xml = xml[:i1] + xml[i2:]
                 try:
                     node = ET.fromstring(xml).find('System')
                 except:
                     # bare except also traps KeyboardInterrupt; malformed XML? lets skip this one...
                     nerr += 1
                     continue
                 xprn = node.find('Provider').attrib['Name']
                 for prov in config['providers']:
                     # NOTE(review): keys()[0] only works on Python 2 (a
                     # dict view is not indexable on 3) — confirm interpreter.
                     cprn = prov.keys()[0]
                     if cprn == xprn:
                         erid = node.find('EventRecordID').text
                         xeid = int(node.find('EventID').text)
                         text = None
                         for e in prov[cprn]['events']:
                             ceid = e if type(e) is int else e.keys()[0]
                             if ceid == xeid:
                                 try:
                                     text = e[ceid]
                                 except:
                                     text = 'Undefined'  # e is a bare int: no text configured
                         if text:
                             entry = Entry()
                             entry['title'] = entry['url'] = erid
                             entry['provider'] = cprn
                             entry['short_name'] = prov[cprn]['short'] if 'short' in prov[cprn] else cprn
                             entry['event_id'] = xeid
                             entry['event_text'] = text
                             # naive datetime; the format carries no timezone
                             entry['event_time'] = datetime.strptime(node.find('TimeCreated').attrib['SystemTime'], '%Y-%m-%d %H:%M:%S')
                             entries.append(entry)
                         break
     t2 = datetime.now()
     res = 'Parsed %d events in %d seconds' % (ntot, (t2-t1).seconds)
     if nerr:
         res += (' (%d skipped for xml issues)' % nerr)
     log.verbose(res)
     return entries
def import_xml(filename):
	"""Build a ``{session_id: {...}}`` map of logon sessions from the Security .evtx *filename*.

	Each record's EventID (``eid_regex``) and ``TargetLogonId`` (``get_data``)
	are extracted from the rendered XML text.  Logon IDs (``EVTX_LOGIN``)
	store a per-eid info dict plus ``username``; logoff IDs (``EVTX_LOGOFF``)
	are meant to add their own info dict to the same session.  Python 2
	print statements.  Returns ``sessions``.
	"""

	# 4624 - Login 		528
	# 4647 - Logoff 	551

	#[*] Keys: Category, Description, Data, Domain\User, Date&Time, Source, Computer, Time, Date, Type, Event

	sessions = {}
	user_sessions = {}  # never read in this function
	count = 0

	with open(filename, 'r') as f:
		print "[*] Reading EVTX file %s" % filename
		with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
			fh = FileHeader(buf, 0x0)
			count = 0
			for xml, record in evtx_file_xml_view(fh):
				if (count % 2000) == 0:
					print "%s records read" % count
				count +=1

				# NOTE(review): a record with no eid_regex match makes
				# .group() raise AttributeError on None here.
				match = eid_regex.search(xml)
				eid = int(match.group('eid'))
				session_id = get_data(xml, 'TargetLogonId')

				# Insert new session in dictionary
				# (runs for every record, including those with session_id None)
				if sessions.get(session_id, None) == None:
					sessions[session_id] = {}

				if eid in EVTX_LOGIN:

					# A logon resets the session dict, dropping anything stored earlier.
					if session_id:
						sessions[session_id] = {}
					else:
						continue

					info = {}
					info['logon_type'] = get_data(xml, 'LogonType')
					info['eid'] = str(eid)
					info['ip'] = get_data(xml, 'IpAddress') + ':' + get_data(xml, 'IpPort')
					info['datetime'] = parse(time_regex.search(xml).group('time')[:-7])

					sessions[session_id][str(eid)] = info
					username = get_data(xml, 'TargetDomainName') + '\\' + get_data(xml, 'TargetUserName')
					sessions[session_id]['username'] = username

				elif eid in EVTX_LOGOFF:
					# Ignore if orphan session
					# NOTE(review): the entry was created unconditionally above,
					# so this get() is never None here and the logoff info below
					# is never stored — the condition looks inverted.
					if not sessions.get(session_id, None) == None:
						continue

					info = {}
					info['eid'] = str(eid)
					info['datetime'] = parse(time_regex.search(xml).group('time')[:-7])
					sessions[session_id][str(eid)] = info


	return sessions
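def main():
    """CLI entry point: print BITS-client events from an .evtx as CSV rows.

    Positional ``evtx`` is the log path; ``-n/--NoHeader`` suppresses the
    module-level ``Bits_Header`` line.  For every record whose EventID is a
    key of ``bits_ids`` the System fields are printed followed by the
    ``EventData`` values named in ``bits_data`` (missing ones as empty
    strings, commas inside values replaced by ';').
    """
    parser = argparse.ArgumentParser(
        description="Find and Extract Windows Bits Events and output CSV",
        usage=
        'parse_evtx_BITS.py Microsoft-Windows-Bits-Client%4Operational.evtx -n'
    )
    parser.add_argument(
        "evtx",
        type=str,
        help='Microsoft-Windows-Bits-Client%4Operational.evtx ')
    parser.add_argument("-n",
                        "--NoHeader",
                        default=False,
                        action="store_true",
                        help="Do not print Header")

    args = parser.parse_args()

    if not args.NoHeader:
        print(Bits_Header)

    # 'rb': binary log; only the descriptor is handed to mmap.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                # [:-7] drops the fractional-seconds suffix of SystemTime
                Date = soup.event.system.timecreated['systemtime'][:-7]
                EventID = int(soup.event.system.eventid.string)
                if EventID not in bits_ids:
                    continue
                # Read the remaining System fields only for records we print.
                Computer = soup.event.system.computer.string
                ProcessID = soup.event.system.execution['processid']
                ThreadID = soup.event.system.execution['threadid']
                event_info = "%s,%s,%s,%s,%s,%s," % (
                    Date, EventID, bits_ids[EventID], Computer, ProcessID, ThreadID)

                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            # ';' for ',' keeps the column count stable; fields
                            # are otherwise unquoted, so newlines still break rows.
                            val = child.text.replace(',', ';')
                            event_data[child['name']] = ' '.join(val.split())
                    event_data_result = [
                        '' if event_data.get(value) is None else event_data.get(value)
                        for value in bits_data
                    ]
                    print(event_info + ','.join(map(str, event_data_result)))
                except Exception:
                    # Was a bare `except: pass`: still best-effort per record
                    # (a record without usable EventData is skipped) but no
                    # longer traps KeyboardInterrupt/SystemExit.
                    continue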
def get_entries(evtx):
    """
    @rtype: generator of Entry

    Wraps each rendered record in an Entry; records whose XML lxml rejects
    (etree.XMLSyntaxError) are dropped without notice.
    """
    header = evtx.get_file_header()
    for xml_text, raw_record in evtx_file_xml_view(header):
        try:
            entry = Entry(xml_text, raw_record)
        except etree.XMLSyntaxError:
            continue
        yield entry
def get_entries(evtx):
    """
    @rtype: generator of Entry

    Wraps each rendered record in an Entry; records whose XML lxml rejects
    (etree.XMLSyntaxError) are dropped without notice.
    """
    header = evtx.get_file_header()
    for xml_text, raw_record in evtx_file_xml_view(header):
        try:
            entry = Entry(xml_text, raw_record)
        except etree.XMLSyntaxError:
            continue
        yield entry
def xml_records(filename):
    """Yield ``(lxml_element, None)`` per record of *filename*, or ``(xml_text, error)`` when lxml rejects it."""
    with Evtx(filename) as evtx:
        header = evtx.get_file_header()
        for xml_text, _record in evtx_file_xml_view(header):
            try:
                logger.debug("Yielding XML")
                parsed = to_lxml(xml_text)
            except etree.XMLSyntaxError as err:
                logger.error(err)
                yield xml_text, err
            else:
                yield parsed, None
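def parse_logs(file_path):
    """Return the XML of every record in the .evtx at *file_path*, concatenated into one string (no separators)."""
    # 'rb': binary log; only the descriptor goes to mmap.
    with open(file_path, 'rb') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0)
            # Collect then join once: `+=` per record was quadratic on big logs.
            parts = [xml for xml, record in evtx_file_xml_view(fh)]
    return ''.join(parts)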
def get_xml_info():
    """Print the first record of each buffer from ``get_evt_buff(system_evt)`` and its EventID.

    Uses the module-level ``system_evt`` and the ``evtx`` module.  Python 2
    (print statements, byte-string decode/encode).  Only the first record of
    every buffer is examined because of the ``break``.
    """
    for evt_buff in get_evt_buff(system_evt):
        fh = evtx.FileHeader(evt_buff, 0x0)

        for record_str, record in evtx_file_xml_view(fh):
            print record_str
            # Re-encodes the record text GBK -> UTF-8 before parsing.
            # NOTE(review): assumes the renderer produced GBK bytes — confirm.
            system = get_child(to_lxml(record_str.decode("gbk").encode("utf-8")), 'System')

            print get_child(system, 'EventID').text
            break  # only the first record per buffer
def xml_records(filename):
    """Yield ``(etree_element, None)`` per record of *filename*, or ``(xml_text, error)`` on a parse failure.

    An IOError while opening or reading the log writes a message to stderr
    and exits the process with status 2.
    """
    try:
        with Evtx(filename) as evtx:
            header = evtx.get_file_header()
            for xml_text, _record in evtx_file_xml_view(header):
                try:
                    parsed = etree.fromstring(xml_text)
                except etree.XMLSyntaxError as err:
                    yield xml_text, err
                else:
                    yield parsed, None
    except IOError:
        sys.stderr.write("Error: Cannot open file {}\n".format(filename))
        sys.exit(2)
def xml_records(filename):
    """Yield ``(etree_element, None)`` per record of *filename*, or ``(xml_text, error)`` on a parse failure.

    An IOError while opening or reading the log writes a message to stderr
    and exits the process with status 2.
    """
    try:
        with Evtx(filename) as evtx:
            header = evtx.get_file_header()
            for xml_text, _record in evtx_file_xml_view(header):
                try:
                    parsed = etree.fromstring(xml_text)
                except etree.XMLSyntaxError as err:
                    yield xml_text, err
                else:
                    yield parsed, None
    except IOError:
        sys.stderr.write("Error: Cannot open file {}\n".format(filename))
        sys.exit(2)
 def parse_log_detail(self, filteID):
     """Print every event in ``self.path`` that ``self.filter_event`` accepts for *filteID*.

     Each tuple the filter yields is forwarded to ``self.printer`` with its
     ``ip`` and ``IpPort`` positions swapped.
     """
     with open(self.path, 'r') as log_file:
         mapped = mmap.mmap(log_file.fileno(), 0, access=mmap.ACCESS_READ)
         with contextlib.closing(mapped) as buf:
             header = FileHeader(buf, 0)
             for xml, _record in evtx_file_xml_view(header):
                 hits = self.filter_event(xml, filteID)
                 for time_create, IpAddress, ip, IpPort, targetUsername, ProcessName in hits:
                     self.printer(time_create, IpAddress, IpPort, ip,
                                  targetUsername, ProcessName)
def EvtxtoXml(path):    # render the .evtx event log as XML and process each record
    """Walk every record of the .evtx at *path* through ``ykei`` and insert the accepted ones into the DB.

    ``no`` counts only the records that ``parsingXml()`` accepted (non-zero
    return) and is passed to ``insertDB`` as the row number.  Python 2 print
    statement.
    """
    no = 0
    with open(path, 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                print "================================"
                el = ykei(xml)  # build the object from the XML rendering
                if el.parsingXml() != 0:    # anything that is not a logon/logoff record is not inserted
                    no += 1  # next row number
                    el.insertDB(no)
def dump_driverframeworks_log(event_file, xml_format):
    """Print the USB-related DriverFrameworks-UserMode events found in the .evtx *event_file*.

    Records with EventID 2003/2004/2005/2010/2100/2102/2105 are collected,
    sorted by their ``datetime`` attribute and printed either as raw XML
    (``EventXML``) or as a multi-line summary (``Event``).  The user SID is
    resolved with ``utils.find_username_by_sid``.  Python 2 print statements.
    """

    events_list = list()

    if os.path.isfile(event_file) is False:
        print("The log file : " + event_file + " is not found.")
        return

    print("USB related event(s) found in the event log :")
    print("=============================================\n")

    with open(event_file, 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)

            for xml, record in evtx_file_xml_view(fh):
                # Log content is untrusted input to the XML parser.
                root = ET.fromstring(xml)

                # NOTE(review): root[0][N] are positional children of <System>
                # (presumably [1]=EventID, [7]=TimeCreated, [12]=Computer,
                # [13]=Security) and root[1][0] the first <UserData> child —
                # confirm; any extra element shifts the indices.
                if root[0][1].text == '2003' or root[0][1].text == '2004' or root[0][1].text == '2005' or \
                        root[0][1].text == '2010' or root[0][1].text == '2100' or root[0][1].text == '2102' or \
                        root[0][1].text == '2105':

                    if xml_format:
                        evt = EventXML(root[0][7].get('SystemTime'), xml)
                        events_list.append(evt)
                    else:
                        # tag local name (after the '}' of the namespace), lifetime and instance
                        evt = Event(root[0][7].get('SystemTime'),
                                    root[0][1].text, root[0][12].text,
                                    root[0][13].get('UserID'),
                                    utils.find_username_by_sid(root[0][13].get('UserID')),
                                    str.split(str(root[1][0].tag), "}")[1],
                                    str(root[1][0].get('lifetime')),
                                    str(root[1][0].get('instance')))
                        events_list.append(evt)

            # chronological order; datetime is the SystemTime string as stored
            events_list.sort(key=lambda x: x.datetime)

            if xml_format:
                for eventxml in events_list:
                    print eventxml.xmlstring

            else:
                for event in events_list:
                    print "UTC Time : " + event.datetime
                    # The "******" below is not valid Python; it looks like a
                    # scrubbed span in this listing.
                    print "EventID : " + event.event_id + " | Description : " + event.description + \
                          " | Computer : " + event.computer_name + " | User SID : " + event.user_sid + \
                          " | User : "******"Lifetime : " + event.lifetime
                    print event.device_instance_id + "\n"

            print str(len(events_list)) + " event(s) found."
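def Magic(evtx):
    """Collect PowerShell host invocations from an Evtx object.

    For each record the first ``<EventData>/<Data>`` text is scanned line by
    line for ``HostApplication``; the last such line becomes ``path`` and any
    ``-EncodedCommand``/``-enc`` argument after it is captured verbatim (not
    decoded).  Returns ``[record_id, time, computer, path, encoded]`` lists,
    one per distinct ``path``.  Records that fail to parse or lack the
    expected elements are skipped.
    """
    ps_scripts_ran = []
    seen_paths = set()  # O(1) duplicate check instead of a scan of the result per record
    for xml, row in evtx_file_xml_view(evtx.get_file_header()):
        try:
            tree = to_lxml(xml)  # parse once; the record used to be re-parsed per child
            for entry in tree:
                R_ID = entry.xpath("/Event/System/EventRecordID")[0].text
                ctime = entry.xpath("/Event/System/TimeCreated")[0].get(
                    "SystemTime")
                Computer = entry.xpath("/Event/System/Computer")[0].text
                # Not used in the output, but a record without <Security>
                # is still skipped through the IndexError below.
                entry.xpath("/Event/System/Security")[0].text
                paths = str(tree.xpath("/Event/EventData/Data")[0].text)
                path = ""
                for line in paths.split("\n"):
                    # The whole line is recorded; a split on "HostApplication="
                    # whose result was discarded has been removed.
                    if "HostApplication" in line:
                        path = line

                if "-EncodedCommand" in path:
                    regex_Base64 = path.split("-EncodedCommand")[1].strip()
                elif "-enc" in path:
                    regex_Base64 = path.split("-enc")[1].strip()
                else:
                    regex_Base64 = "No Base64 Found"

                if path not in seen_paths:
                    seen_paths.add(path)
                    # "Timee" is kept byte-for-byte; it looks like a typo for
                    # the ISO 'T' separator but consumers may depend on it.
                    ps_scripts_ran.append([
                        R_ID,
                        str(ctime).replace(" ", "Timee") + "Z", Computer, path,
                        regex_Base64
                    ])

        except Exception:
            continue
    return ps_scripts_ran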
def extract_xml(evtx_file):
    """
        Parse the evtx file and extract just the xml parts of each event.
        If lxml rejects a record, the raw XML text is yielded together with
        the exception instead of the parsed object.
    """
    with Evtx(evtx_file) as evtx:
        header = evtx.get_file_header()
        for xml_text, _record in evtx_file_xml_view(header):
            try:
                parsed = to_lxml(xml_text)
            except etree.XMLSyntaxError as err:
                # Parse failed: hand back what we have plus the exception
                yield xml_text, err
            else:
                # Parsed: hand back the lxml object
                yield parsed, None
def xml_records(filename):
    """
    If the second return value is not None, then it is an
      Exception encountered during parsing.  The first return value
      will be the XML string.

    @type filename str
    @rtype: generator of (etree.Element or str), (None or Exception)
    """
    with Evtx(filename) as evtx:
        header = evtx.get_file_header()
        for xml_text, _record in evtx_file_xml_view(header):
            try:
                parsed = to_lxml(xml_text)
            except etree.XMLSyntaxError as err:
                yield xml_text, err
            else:
                yield parsed, None
def xml_records(filename):
    """
    If the second return value is not None, then it is an
      Exception encountered during parsing.  The first return value
      will be the XML string.

    @type filename str
    @rtype: generator of (etree.Element or str), (None or Exception)
    """
    with Evtx(filename) as evtx:
        header = evtx.get_file_header()
        for xml_text, _record in evtx_file_xml_view(header):
            try:
                parsed = to_lxml(xml_text)
            except etree.XMLSyntaxError as err:
                yield xml_text, err
            else:
                yield parsed, None
    def eventlog(self, path):
        """Iterates over the Events contained within the log at the given path.

        The remote file is first copied into an unbuffered temporary file
        through ``self._filesystem.download``; the copy is removed when the
        generator finishes.  For each Event, yields a XML string.
        """
        self.logger.debug("Parsing Event log file %s.", path)

        with NamedTemporaryFile(buffering=0) as tempfile:
            self._filesystem.download(path, tempfile.name)
            header = FileHeader(tempfile.read(), 0)
            yield from (xml_string for xml_string, _record in evtx_file_xml_view(header))
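def main():
    """CLI entry point: print account-change events from a Security .evtx as CSV rows.

    Positional ``evtx`` is the log; ``-n/--NoHeader`` suppresses the header
    line (module-level ``event_info_names`` + ``event_data_names``).  Records
    whose EventID is a key of ``evtxs`` are printed as date, id,
    description, computer and the EventData values listed in
    ``event_data_names`` (missing ones as empty strings).
    """
    parser = argparse.ArgumentParser(
        description="Extract Common Windows Account Change Events",
        usage='parse_evtx_account_changes.py Security.evtx -n')
    parser.add_argument("evtx", type=str, help='Security.evtx ')
    parser.add_argument("-n",
                        "--NoHeader",
                        default=False,
                        action="store_true",
                        help="Do not print Header")

    args = parser.parse_args()

    header = ','.join(map(str, event_info_names + event_data_names))
    if not args.NoHeader:
        print(header)

    # 'rb': binary log; only the descriptor is handed to mmap.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                # [:-7] drops the fractional-seconds suffix of SystemTime
                Date = soup.event.system.timecreated['systemtime'][:-7]
                EventID = int(soup.event.system.eventid.string)
                if EventID not in evtxs:
                    continue
                Computer = soup.event.system.computer.string
                event_info = "%s,%s,%s,%s," % (Date, EventID, evtxs[EventID], Computer)

                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            event_data[child['name']] = ' '.join(child.text.split())
                    event_data_result = [
                        '' if event_data.get(value) is None else event_data.get(value)
                        for value in event_data_names
                    ]
                    # NOTE(review): fields are not CSV-quoted, so a comma or
                    # newline inside a log value shifts the columns.
                    print(event_info + ','.join(map(str, event_data_result)))
                except Exception:
                    # Was a bare `except: pass`: still best-effort per record
                    # (a record without usable EventData is skipped) but no
                    # longer traps KeyboardInterrupt/SystemExit.
                    continue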
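    def parse(filename):
        """Read the .evtx *filename* and return a list of JSON-ready dicts, one per record.

        Each record's XML is converted by ``EvtxToElk.build_json``; the
        dumps/loads round-trip is kept so the result holds only plain JSON
        types.  Takes no ``self`` — presumably a staticmethod, confirm.
        """
        bulk_data = []
        # 'rb': binary log; only the descriptor is passed to mmap.
        with open(filename, 'rb') as infile:
            with contextlib.closing(
                    mmap.mmap(infile.fileno(), 0,
                              access=mmap.ACCESS_READ)) as buf:
                fh = FileHeader(buf, 0x0)
                for xml, record in evtx_file_xml_view(fh):
                    log_line = EvtxToElk.build_json(xml)
                    # Round-trip through JSON text normalises to dict/list/str/number.
                    bulk_data.append(json.loads(json.dumps(log_line)))

        return bulk_data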
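def main():
    """Print common Task Scheduler events from an EVTX file as CSV rows.

    Reads the EVTX path from the command line, prints the module-level
    ``header`` line, then one comma-separated row per record built from the
    System fields followed by the EventData values whose names are listed in
    the module-level ``event_data_names``.
    """
    parser = argparse.ArgumentParser(
        description="Extract Common Windows Scheduled Tasks Events to CSV")
    parser.add_argument(
        "WinEventLog",
        type=str,
        help="Path to Microsoft-Windows-TaskScheduler4Operational.evtx")
    args = parser.parse_args()
    # EVTX is binary: open read-only in binary mode and map it in place.
    with open(args.WinEventLog, 'rb') as f:
        print(header)
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, _record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                # The last seven characters of SystemTime are dropped
                # (presumably the fractional-second tail — confirm on real data).
                date = soup.event.system.timecreated['systemtime'][:-7]
                event_id = int(soup.event.system.eventid.string)
                process_id = soup.event.system.execution['processid']
                thread_id = soup.event.system.execution['threadid']
                event_data_name = soup.eventdata['name']
                if not event_id:
                    continue
                event_info = "%s,%s,%s,%s,%s," % (
                    date, event_id, event_data_name, process_id, thread_id)

                # Reset per record: the original left this name unbound (or
                # carried the previous record's values) when parsing failed,
                # so the print below could raise NameError or emit stale data.
                event_data_result = []
                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            event_data[child['name']] = ' '.join(
                                child.text.split())
                    event_data_result = [
                        event_data.get(name, '') for name in event_data_names]
                except (AttributeError, KeyError, TypeError):
                    # Best effort: a record with missing or malformed EventData
                    # still gets its System fields printed.
                    pass

                print(event_info + ','.join(map(str, event_data_result)))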
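def main():
    """Dump a binary EVTX file to stdout as one XML document.

    Writes an XML declaration, an ``<Events>`` root, every record's XML (made
    printable with ``ascii()``) and the closing tag.  ``--cleanup`` is accepted
    for command-line compatibility but currently has no effect.
    """
    parser = argparse.ArgumentParser(
        description="Dump a binary EVTX file into XML.")
    parser.add_argument("--cleanup", action="store_true",
                        help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX event log file")
    args = parser.parse_args()

    # EVTX is binary: open read-only in binary mode and map it in place.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            print("<Events>")
            for xml, _record in evtx_file_xml_view(fh):
                # ascii() escapes non-ASCII characters so the dump prints on
                # any console encoding.
                print(ascii(xml))
            print("</Events>")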
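def main():
    """Dump a binary EVTX file to stdout as one XML document.

    Writes an XML declaration, an ``<Events>`` root, each record's XML and the
    closing tag.  ``--cleanup`` is accepted for command-line compatibility but
    currently has no effect.
    """
    parser = argparse.ArgumentParser(
        description="Dump a binary EVTX file into XML.")
    parser.add_argument("--cleanup", action="store_true",
                        help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX event log file")
    args = parser.parse_args()

    # EVTX is binary: open read-only in binary mode and map it in place.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            # print() with a single argument prints identically on Python 2
            # and 3; the print-statement form used before is a SyntaxError on
            # Python 3, which the rest of this file targets.
            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            print("<Events>")
            for xml, _record in evtx_file_xml_view(fh):
                print(xml)
            print("</Events>")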
def main():
    """Print the record numbers of the EVTX records whose EventID equals ``eid``.

    Records whose XML does not parse are skipped silently.
    """
    import argparse

    parser = argparse.ArgumentParser(
        description="Print the record numbers of EVTX log entries that match the given EID."
    )
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file")
    parser.add_argument("eid", type=int, help="The EID of records to extract")
    args = parser.parse_args()
    wanted = args.eid

    with Evtx(args.evtx) as evtx:
        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
            try:
                node = to_lxml(xml)
            except XMLSyntaxError:
                continue
            system = get_child(node, "System")
            event_id = int(get_child(system, "EventID").text)
            if event_id == wanted:
                print(record.record_num())
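def main():
    """Print the record numbers of the EVTX records whose EventID equals ``eid``.

    Records whose XML does not parse are skipped silently.
    """
    import argparse

    parser = argparse.ArgumentParser(
        description="Print the record numbers of EVTX log entries "
                    "that match the given EID.")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX file")
    parser.add_argument("eid", type=int,
                        help="The EID of records to extract")
    args = parser.parse_args()

    with Evtx(args.evtx) as evtx:
        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
            try:
                node = to_lxml(xml)
            except XMLSyntaxError:
                continue
            event_id = int(get_child(get_child(node, "System"), "EventID").text)
            if event_id == args.eid:
                # print() with one argument behaves the same on Python 2 and 3;
                # the print-statement form used before is a SyntaxError on 3.
                print(record.record_num())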
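def main():
    """Copy the records with a given EventID from an EVTX file into an XML file.

    The output file is opened in append mode and receives an XML declaration,
    an ``<Events>`` root, the raw XML of every matching record and the closing
    tag.  ``--cleanup`` is accepted but has no effect.  ``--eventID`` is
    optional; when omitted the comparison is against ``str(None)`` and no
    record is written.
    """
    parser = argparse.ArgumentParser(description="Dump specific event ids from a binary EVTX file into XML.")
    parser.add_argument("--cleanup", action="store_true", help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file")
    parser.add_argument("out", type=str, help="Path and name of the output file")
    parser.add_argument("--eventID", type=int, help="Event id that should be extracted")
    args = parser.parse_args()
    wanted = str(args.eventID)

    # Both handles are closed by the context managers; the original never
    # closed the output file, so its buffered tail could be lost.
    with open(args.out, 'a+') as out_file, open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            out_file.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            out_file.write("<Events>")
            for xml, _record in evtx_file_xml_view(fh):
                xmldoc = minidom.parseString(xml)
                id_nodes = xmldoc.getElementsByTagName('EventID')
                # Skip records without an EventID text node instead of
                # raising IndexError as the original did.
                if not id_nodes or not id_nodes[0].childNodes:
                    continue
                if id_nodes[0].childNodes[0].nodeValue == wanted:
                    out_file.write(xml)
            out_file.write("</Events>")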
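def searchEvent(buf):
    """Group the records of an EVTX buffer by EventID.

    Args:
        buf: a buffer (e.g. an ``mmap``) holding a complete EVTX file.

    Returns:
        dict mapping EventID text -> list of rows, each row being
        ``[event_id, time_created, task, data_elements, ev0, ev1, ev2, ev3]``
        where ``data_elements`` is the list of ``/Event/EventData/Data``
        elements and ``ev0..ev3`` are the results of ``getZero``..``getThree``
        on the record's XML, ``''`` when that helper raises.  Records that do
        not parse or lack one of the System fields are skipped.
    """
    taskList = {}
    fh = FileHeader(buf, 0x0)
    for xml, _record in evtx_file_xml_view(fh):
        try:
            # Parse each record once; the original re-parsed the same XML for
            # every field it extracted.
            tree = toLxml(xml)
            record = tree.xpath("/Event/System/EventID")[0].text
            event = tree.xpath("/Event/System/Task")[0].text
            ctime = tree.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
            taskAction = tree.xpath("/Event/EventData/Data")
        except (etree.XMLSyntaxError, IndexError):
            continue

        extra = []
        for getter in (getZero, getOne, getTwo, getThree):
            # The helpers raise on records that lack their field; keep ''
            # in that slot so every row has the same length.
            try:
                extra.append(getter(xml))
            except Exception:
                extra.append('')

        taskList.setdefault(record, []).append(
            [record, ctime, event, taskAction] + extra)
    return taskList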
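def xml_records(filename):
    """Yield parsed records from an EVTX file or from an XML dump of one.

    The input form is chosen by the module-level ``args``: ``args.evtx``
    selects the binary EVTX reader and ``args.xmls`` the XML-dump reader
    (both run, in that order, when both are set).

    Yields:
        ``(lxml_element, None)`` for a record that parses, or
        ``(raw_xml_string, XMLSyntaxError, file_header)`` for one that does
        not.  ``file_header`` is the EVTX ``FileHeader`` in the binary path
        and ``None`` in the XML-dump path, which has no header.
    """
    if args.evtx:
        with Evtx(filename) as evtx:
            # Bind the header once: the original referenced an unbound ``fh``
            # on the error path, which raised NameError instead of yielding.
            fh = evtx.get_file_header()
            for xml, _record in evtx_file_xml_view(fh):
                try:
                    yield to_lxml(xml), None
                except etree.XMLSyntaxError as e:
                    yield xml, e, fh

    if args.xmls:
        with open(filename, 'r') as fx:
            xdata = fx.read()
        # Strip the dump's declaration and root wrapper so the remaining text
        # splits into one fragment per <Event>.
        fixdata = (xdata
                   .replace("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>", "")
                   .replace("</Events>", "")
                   .replace("<Events>", ""))
        del xdata
        xml_list = fixdata.split("<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'>")
        del fixdata
        for xml in xml_list:
            if xml.startswith("<System>"):
                try:
                    yield to_lxml("<Event>" + xml), None
                except etree.XMLSyntaxError as e:
                    yield xml, e, None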
__author__ = 'berluskuni'