apt-hunter/source/lib/SigmaHunter.py


from evtx import PyEvtxParser
import glob
import os
import re
from pathlib import Path as libPath
import pandas as pd
import json
import sqlite3
from flatten_json import flatten
import time
import multiprocessing
Alldata={'Original_Event_Log':[],'TargetObject': [], 'Channel': [], 'Computer': [], 'Correlation': [], 'EventID': [], 'EventRecordID': [], 'ProcessID': [], 'ThreadID': [], 'Keywords': [], 'Level': [], 'Opcode': [], 'Guid': [], 'Name': [], 'UserID': [], 'Task': [], 'SystemTime': [], 'Version': [], 'Status': [], 'ActivityID': [], 'Context': [], 'ErrorCode': [], 'AppId': [], 'DCName': [], 'Binary': [], 'Qualifiers': [], 'Security': [], 'Path': [], 'ScriptBlockText': [], 'param1': [], 'param2': [], 'ContextInfo': [], 'Payload': [], 'UserData': [], 'State': [], 'EventType': [], 'AccountName': [], 'ProcessName': [], 'LogonType': [], 'TaskName': [], 'Message': [], 'Provider': [], 'updateGuid': [], 'updateRevisionNumber': [], 'updateTitle': [], 'DeviceName': [], 'DeviceNameLength': [], 'ClientProcessId': [], 'PossibleCause': [], 'User': [], 'ProviderName': [], 'Query': [], 'value': [], 'Action': [], 'ApplicationPath': [], 'ModifyingApplication': [], 'Origin': [], 'Protocol': [], 'RuleName': [], 'SchemaVersion': [], 'ServiceName': [], 'Filename': [], 'PackagePath': [], 'FileNameBuffer': [], 'UserName': [], 'ShareName': [], 'NewState': [], 'Param3': [], 'EventSourceName': [], 'NumberOfGroupPolicyObjects': [], 'ProcessingMode': [], 'ProcessingTimeInMilliseconds': [], 'HostName': [], 'Ipaddress': [], 'NewTime': [], 'OldTime': [], 'HiveName': [], 'ErrorDescription': [], 'Address': [], 'AddressLength': [], 'QueryName': [], 'TSId': [], 'UserSid': [], 'DeviceTime': [], 'DeviceVersionMajor': [], 'DeviceVersionMinor': [], 'FinalStatus': [], 'ImagePath': [], 'ServiceType': [], 'StartType': [], 'ExtensionId': [], 'ExtensionName': [], 'ShutdownActionType': [], 'ShutdownEventCode': [], 'ShutdownReason': [], 'Group': [], 'IdleStateCount': [], 'Number': [], 'BootMode': [], 'BuildVersion': [], 'MajorVersion': [], 'MinorVersion': [], 'QfeVersion': [], 'ServiceVersion': [], 'StartTime': [], 'StopTime': [], 'TimeSource': [], 'Targetname': [], 'Caption': [], 'ErrorMessage': [], 'RetryMinutes': 
[], 'Description': [], 'Type': [], 'OperationType': [], 'CommandLine': [], 'PackageName': [], 'Data': [], 'LogonId': [], 'ServerName': [], 'ObjectName': [], 'AccessList': [], 'AccessMask': [], 'HandleId': [], 'ObjectServer': [], 'ObjectType': [], 'SubjectDomainName': [], 'SubjectLogonId': [], 'SubjectUserName': [], 'SubjectUserSid': [], 'NewProcessId': [], 'NewProcessName': [], 'ParentProcessName': [], 'TargetDomainName': [], 'TargetLogonId': [], 'TargetUserName': [], 'TargetUserSid': [], 'TokenElevationType': [], 'NewValue': [], 'ObjectValueName': [], 'OldValue': [], 'Properties': [], 'PrivilegeList': [], 'Service': [], 'AuthenticationPackageName': [], 'ImpersonationLevel': [], 'IpPort': [], 'KeyLength': [], 'LmPackageName': [], 'LogonGuid': [], 'LogonProcessName': [], 'TransmittedServices': [], 'WorkstationName': [], 'CallerProcessName': [], 'TargetSid': [], 'TaskContentNew': [], 'AuditPolicyChanges': [], 'SourceProcessId': [], 'TargetProcessId': [], 'TransactionId': [], 'TargetInfo': [], 'TargetLogonGuid': [], 'TargetServerName': [], 'Details': [], 'PackageFullName': [], 'processPath': [], 'Provider_Name': [], 'Accesses': [], 'AccountDomain': [], 'AccountExpires': [], 'AddonName': [], 'AllowedToDelegateTo': [], 'Application': [], 'AttributeLDAPDisplayName': [], 'AttributeValue': [], 'AuditSourceName': [], 'CallingProcessName': [], 'CallTrace': [], 'Company': [], 'CreationUtcTime': [], 'CurrentDirectory': [], 'DestinationAddress': [], 'DestinationHostname': [], 'DestinationIp': [], 'DestinationIsIpv6': [], 'DestinationPort': [], 'DestinationPortName': [], 'DestPort': [], 'Detail': [], 'DetectionSource': [], 'DeviceClassName': [], 'DeviceDescription': [], 'DisplayName': [], 'EngineVersion': [], 'EventSourceId': [], 'ExtraInfo': [], 'FailureCode': [], 'FailureReason': [], 'FileVersion': [], 'FilterHostProcessID': [], 'GrantedAccess': [], 'GroupDomain': [], 'GroupName': [], 'GroupSid': [], 'Hash': [], 'Hashes': [], 'HomeDirectory': [], 'HomePath': [], 
'HostApplication': [], 'HostVersion': [], 'Image': [], 'ImageLoaded': [], 'Initiated': [], 'IntegrityLevel': [
mapping={'Original_Event_Log':['Original_Event_Log'],'TargetObject': ['Event_EventData_TargetObject'], 'Channel': ['Event_System_Channel', 'Event_RenderingInfo_Channel'], 'Computer': ['Event_System_Computer'], 'Correlation': ['Event_System_Correlation'], 'EventID': ['Event_System_EventID', 'Event_System_EventID_#text'], 'EventRecordID': ['Event_System_EventRecordID'], 'ProcessID': ['Event_EventData_ProcessID', 'Event_EventData_ProcessId', 'Event_System_Execution_#attributes_ProcessID', 'Event_UserData_Operation_StartedOperational_ProcessID', 'Event_UserData_DroppedLeakDiagnosisEventInfo_ProcessId', 'Event_UserData_CompatibilityFixEvent_ProcessId', 'Event_UserData_Operation_TemporaryEssStarted_Processid', 'Event_EventData_processId'], 'ThreadID': ['Event_System_Execution_#attributes_ThreadID'], 'Keywords': ['Event_System_Keywords'], 'Level': ['Event_System_Level', 'Event_RenderingInfo_Level'], 'Opcode': ['Event_System_Opcode', 'Event_RenderingInfo_Opcode'], 'Guid': ['Event_System_Provider_#attributes_Guid', 'Event_EventData_Guid'], 'Name': ['Event_EventData_name', 'Event_System_Provider_#attributes_Name', 'Event_EventData_#attributes_Name', 'Event_UserData_CertNotificationData_CertificateDetails_EKUs_EKU_#attributes_Name', 'Event_EventData_Name', 'Event_UserData_CertNotificationData_CertificateDetails_Template_#attributes_Name', 'Event_UserData_CertNotificationData_NewCertificateDetails_EKUs_EKU_#attributes_Name', 'Event_UserData_CertNotificationData_NewCertificateDetails_Template_#attributes_Name', 'Event_UserData_CertNotificationData_OldCertificateDetails_EKUs_EKU_#attributes_Name', 'Event_UserData_CertNotificationData_OldCertificateDetails_Template_#attributes_Name', 'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_1_Name', 'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_2_Name', 'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_3_Name', 'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_1_Name', 
'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_2_Name', 'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_3_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_1_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_2_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_3_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_4_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_5_Name', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_6_Name', 'Event_UserData_EventData_Name'], 'UserID': ['Event_System_Security_#attributes_UserID', 'Event_EventData_UserId'], 'Task': ['Event_System_Task', 'Event_EventData_Task', 'Event_RenderingInfo_Task'], 'SystemTime': ['Event_System_TimeCreated_#attributes_SystemTime'], 'Version': ['Event_System_Version', 'Event_EventData_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_1_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_2_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_3_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_4_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_5_Version', 'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_6_Version'], 'Status': ['Event_UserData_ChangingDefaultPrinter_Status', 'Event_EventData_Status', 'Event_UserData_EventData_Status'], 'ActivityID': ['Event_System_Correlation_#attributes_ActivityID', 'Event_EventData_ActivityId'], 'Context': ['Event_UserData_LoadPluginFailed_Context', 'Event_UserData_CertNotificationData_#attributes_Context'], 'ErrorCode': ['Event_UserData_LoadPluginFailed_ErrorCode', 'Event_EventData_ErrorCode', 'Event_UserData_CbsUpdateChangeState_ErrorCode', 'Event_UserData_CbsPackageChangeState_ErrorCode', 'Event_ProcessingErrorData_ErrorCode', 'Event_EventData_errorCode'], 'AppId': ['Event_EventData_AppId', 'Event_EventData_AppID'], 'DCName': ['Event_EventData_DCName'], 'Binary': ['Event_EventData_Binary'], 
'Qualifiers': ['Event_System_EventID_#attributes_Qualifiers'], 'Security': ['Event_System_Security'], 'Path': ['Event_EventData_Path'], 'S
# Process-wide lock handed to the multiprocessing workers.
l = multiprocessing.Lock()
# Bookkeeping dict; it is neither read nor written in the visible part of this file.
included = {}
# Database path and the shared sqlite3 connection. Both start as empty strings
# and must be set to real values before search_db()/optimised_search() run,
# since those call DBconn.cursor() directly.
DB = DBconn = ""
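def search_db(query, DB):
    """Run one rule query against the shared ``Events`` database.

    Parameters
    ----------
    query : str
        SQL text of a rule as stored in the ``Rules`` table. Before it is
        executed the hash field names ``Imphash``, ``sha1``, ``md5`` and
        ``sha256`` are rewritten to the ``Hashes`` column and every ``*``
        is replaced by ``Original_Event_Log,SystemTime`` so each result row
        is ``(event_xml, system_time)``. Note that ``str.replace`` rewrites
        every occurrence, not only the one in ``SELECT *``.
    DB : str
        Database path; kept for call compatibility but unused here. The
        query runs on the module-level ``DBconn`` connection.

    Returns
    -------
    list
        The fetched rows, or ``[]`` when the statement fails to execute
        (a rule that does not fit the schema is skipped, best effort).

    The rule text is executed verbatim, so the rules file that populated
    the ``Rules`` table has to be treated as trusted, operator-supplied input.
    """
    rewritten = (
        query.replace("Imphash", "Hashes")
        .replace("sha1", "Hashes")
        .replace("md5", "Hashes")
        .replace("sha256", "Hashes")
        .replace("*", "Original_Event_Log,SystemTime")
    )
    cursor = DBconn.cursor()
    try:
        try:
            cursor.execute(rewritten)
        except (sqlite3.Error, sqlite3.Warning):
            # Best effort, as before: an unexecutable rule yields no detections.
            return []
        return cursor.fetchall()
    finally:
        # Always release the cursor, including on the error path.
        cursor.close()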
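def _append_detection(detections, usecase, detected):
    """Append one detection row to the column-wise ``detections`` dict.

    Rule attributes are taken from ``usecase`` (one row of the ``Rules``
    table); list values are comma-joined. ``Original_Event_Log`` and
    ``DateTime`` come from the matched event ``detected``, whose two
    columns are fixed by the ``*`` rewrite in ``search_db``. Any other
    column the rule lacks is padded with a single space, as the report
    always was.
    """
    for field in detections:
        if field in usecase:
            value = usecase[field]
            detections[field].append(",".join(value) if isinstance(value, list) else value)
        elif field == "Original_Event_Log":
            detections[field].append(str(detected[0]))
        elif field == "DateTime":
            detections[field].append(str(detected[1]))
        else:
            detections[field].append(" ")


def optimised_search(DB, output=""):
    """Run every non-regex rule against the events and write an Excel report.

    Parameters
    ----------
    DB : str
        Database path, passed through to ``search_db`` (which actually uses
        the module-level ``DBconn`` connection).
    output : str
        Prefix of the report file; the workbook is written to
        ``<output>_Detections.xlsx``.

    Rules whose SQL contains ``REGEX`` are excluded because they cannot run
    on plain SQLite. The workbook gets a "Result Summary" sheet (hit count
    per rule title) and a "Detailed Report" sheet (one row per matched
    event). The writer is used as a context manager so the file is closed
    and flushed even when a sheet fails to write.
    """
    rules = pd.read_sql(
        """select * from Rules where NOT rule like '%REGEX%'""", DBconn
    ).to_dict("records")
    detections = {
        "DateTime": [], "title": [], "description": [], "Original_Event_Log": [],
        "status": [], "author": [], "tags": [], "falsepositives": [], "level": [],
        "rule": [], "id": [], "filename": [],
    }
    for usecase in rules:
        for detected in search_db(usecase["rule"], DB):
            _append_detection(detections, usecase, detected)
    report = pd.DataFrame(detections)
    summary = report["title"].value_counts()
    with pd.ExcelWriter(output + "_" + "Detections.xlsx", engine="xlsxwriter") as writer:
        summary.to_excel(writer, sheet_name="Result Summary")
        report.to_excel(writer, sheet_name="Detailed Report", index=False)
        # ZIP64 lets very large reports exceed the plain-zip size limits.
        writer.book.use_zip64()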
def auto_detect(path):
    """Resolve ``path`` to the list of EVTX files to parse.

    A directory is searched recursively for ``*.evtx`` in any letter case
    and yields ``pathlib.Path`` objects; a regular file is passed through
    ``glob.glob`` and yields a list of strings. Anything else prints a
    message and returns ``None``.
    """
    if os.path.isdir(path):
        return list(libPath(path).rglob("*.[eE][vV][tT][xX]"))
    if os.path.isfile(path):
        return glob.glob(path)
    print("Issue with the path" )
    return None
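def Create_DB(db):
    """Create the ``Events`` table and its ``EventID`` index in ``db``.

    One ``TEXT COLLATE NOCASE`` column is created per key of the
    module-level ``Alldata`` schema, followed by an autoincrementing ``ID``
    primary key. Both statements use ``IF NOT EXISTS`` so the call is safe
    to repeat on an existing database.

    Parameters
    ----------
    db : str
        Path of the SQLite database file (created if missing).
    """
    # Column names come from the static Alldata schema in this module, not
    # from user input, so building the DDL by concatenation is acceptable.
    columns = "".join("'" + key + "' TEXT COLLATE NOCASE," for key in Alldata)
    create = (
        "CREATE TABLE IF NOT EXISTS Events ( "
        + columns
        + "ID INTEGER, PRIMARY KEY(ID AUTOINCREMENT) )"
    )
    index = """CREATE INDEX IF NOT EXISTS "EVENTID_INDEX" ON "Events" ("EventID");"""
    conn = sqlite3.connect(db)
    try:
        cur = conn.cursor()
        cur.execute(create)
        cur.execute(index)
        cur.close()
        conn.commit()
    finally:
        # The original left the connection open; release it on every path.
        conn.close()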
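def insert_into_db_mp(Alldata, db):
    """Append one batch of parsed events to the ``Events`` table of ``db``.

    Parameters
    ----------
    Alldata : dict[str, list]
        Column-wise event data, one equal-length list per column name. The
        parameter shadows the module-level schema dict of the same name;
        presumably each worker passes its own filled copy (built in
        ``optimised_parse_mp``) — confirm against the caller.
    db : str
        Path of the SQLite database file.
    """
    conn = sqlite3.connect(db)
    try:
        pd.DataFrame(Alldata).to_sql(name="Events", con=conn, if_exists="append", index=False)
        conn.commit()
    finally:
        # Closed even when to_sql raises, so a failing worker does not leak a handle.
        conn.close()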
# Module-level placeholder; it is neither read nor written in the visible part of this file.
Fields={}
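def RulesToDB(rules_file, DB):
    """Load rules from a JSON file into the ``Rules`` table of ``DB``.

    Parameters
    ----------
    rules_file : str
        Path of a JSON file holding a list of rule objects (Sigma-style
        metadata such as ``title``/``tags``/``level`` plus an SQL ``rule``
        string). JSON is UTF-8 by specification, so the file is opened
        with that encoding regardless of the locale.
    DB : str
        Path of the SQLite database to append to.

    Every rule contributes one row; list-valued attributes (e.g. ``tags``)
    are comma-joined and missing attributes become the empty string. The
    ``rule`` column is later executed verbatim by ``search_db``, so the
    rules file has to come from a trusted source.
    """
    with open(rules_file, encoding="utf-8") as f:
        rules = json.load(f)
    columns = {
        "title": [], "id": [], "status": [], "description": [], "author": [],
        "tags": [], "falsepositives": [], "level": [], "rule": [], "filename": [],
    }
    for usecase in rules:
        for field in columns:
            value = usecase.get(field, "")
            columns[field].append(",".join(value) if isinstance(value, list) else value)
    print("Number of rules " + str(len(columns["rule"])))
    conn = sqlite3.connect(DB)
    try:
        pd.DataFrame(columns).to_sql("Rules", conn, if_exists="append", index=False)
        conn.commit()
    finally:
        # Release the connection even if the insert fails.
        conn.close()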
def optimised_parse_mp(file):
global checkdata
Alldata = {'Original_Event_Log': [], 'TargetObject': [], 'Channel': [], 'Computer': [], 'Correlation': [],
'EventID': [], 'EventRecordID': [], 'ProcessID': [], 'ThreadID': [], 'Keywords': [], 'Level': [],
'Opcode': [], 'Guid': [], 'Name': [], 'UserID': [], 'Task': [], 'SystemTime': [], 'Version': [],
'Status': [], 'ActivityID': [], 'Context': [], 'ErrorCode': [], 'AppId': [], 'DCName': [], 'Binary': [],
'Qualifiers': [], 'Security': [], 'Path': [], 'ScriptBlockText': [], 'param1': [], 'param2': [],
'ContextInfo': [], 'Payload': [], 'UserData': [], 'State': [], 'EventType': [], 'AccountName': [],
'ProcessName': [], 'LogonType': [], 'TaskName': [], 'Message': [], 'Provider': [], 'updateGuid': [],
'updateRevisionNumber': [], 'updateTitle': [], 'DeviceName': [], 'DeviceNameLength': [],
'ClientProcessId': [], 'PossibleCause': [], 'User': [], 'ProviderName': [], 'Query': [], 'value': [],
'Action': [], 'ApplicationPath': [], 'ModifyingApplication': [], 'Origin': [], 'Protocol': [],
'RuleName': [], 'SchemaVersion': [], 'ServiceName': [], 'Filename': [], 'PackagePath': [],
'FileNameBuffer': [], 'UserName': [], 'ShareName': [], 'NewState': [], 'Param3': [],
'EventSourceName': [], 'NumberOfGroupPolicyObjects': [], 'ProcessingMode': [],
'ProcessingTimeInMilliseconds': [], 'HostName': [], 'Ipaddress': [], 'NewTime': [], 'OldTime': [],
'HiveName': [], 'ErrorDescription': [], 'Address': [], 'AddressLength': [], 'QueryName': [], 'TSId': [],
'UserSid': [], 'DeviceTime': [], 'DeviceVersionMajor': [], 'DeviceVersionMinor': [], 'FinalStatus': [],
'ImagePath': [], 'ServiceType': [], 'StartType': [], 'ExtensionId': [], 'ExtensionName': [],
'ShutdownActionType': [], 'ShutdownEventCode': [], 'ShutdownReason': [], 'Group': [],
'IdleStateCount': [], 'Number': [], 'BootMode': [], 'BuildVersion': [], 'MajorVersion': [],
'MinorVersion': [], 'QfeVersion': [], 'ServiceVersion': [], 'StartTime': [], 'StopTime': [],
'TimeSource': [], 'Targetname': [], 'Caption': [], 'ErrorMessage': [], 'RetryMinutes': [],
'Description': [], 'Type': [], 'OperationType': [], 'CommandLine': [], 'PackageName': [], 'Data': [],
'LogonId': [], 'ServerName': [], 'ObjectName': [], 'AccessList': [], 'AccessMask': [], 'HandleId': [],
'ObjectServer': [], 'ObjectType': [], 'SubjectDomainName': [], 'SubjectLogonId': [],
'SubjectUserName': [], 'SubjectUserSid': [], 'NewProcessId': [], 'NewProcessName': [],
'ParentProcessName': [], 'TargetDomainName': [], 'TargetLogonId': [], 'TargetUserName': [],
'TargetUserSid': [], 'TokenElevationType': [], 'NewValue': [], 'ObjectValueName': [], 'OldValue': [],
'Properties': [], 'PrivilegeList': [], 'Service': [], 'AuthenticationPackageName': [],
'ImpersonationLevel': [], 'IpPort': [], 'KeyLength': [], 'LmPackageName': [], 'LogonGuid': [],
'LogonProcessName': [], 'TransmittedServices': [], 'WorkstationName': [], 'CallerProcessName': [],
'TargetSid': [], 'TaskContentNew': [], 'AuditPolicyChanges': [], 'SourceProcessId': [],
'TargetProcessId': [], 'TransactionId': [], 'TargetInfo': [], 'TargetLogonGuid': [],
'TargetServerName': [], 'Details': [], 'PackageFullName': [], 'processPath': [], 'Provider_Name': [],
'Accesses': [], 'AccountDomain': [], 'AccountExpires': [], 'AddonName': [], 'AllowedToDelegateTo': [],
'Application': [], 'AttributeLDAPDisplayName': [], 'AttributeValue': [], 'AuditSourceName': [],
'CallingProcessName': [], 'CallTrace': [], 'Company': [], 'CreationUtcTime': [], 'CurrentDirectory': [],
'DestinationAddress': [], 'DestinationHostname': [], 'DestinationIp': [], 'DestinationIsIpv6': [],
'DestinationPort': [], 'DestinationPortName': [], 'DestPort': [], 'Detail': [], 'DetectionSource': [],
'DeviceClassName': [], 'DeviceDescription': [], 'DisplayName': [], 'EngineVersion': [],
'EventSourceId': [], 'ExtraInfo': [], 'FailureCode': [], 'FailureReason': [], 'FileVersion': [],
'FilterHostProcessID': [], 'GrantedAccess': [], 'GroupDomain': [], 'GroupName': [], 'GroupSid': [],
'Hash': [], 'Hashes': [], 'HomeDirectory': [], 'HomePath': [], 'HostApplication': [], 'HostVersion': [],
'Image': [], 'ImageLoaded': [], 'Initiated': [], 'IntegrityLevel': [], 'LayerRTID': [],
'LDAPDisplayName': [], 'LogonHours': [], 'NewName': [], 'NewThreadId': [], 'NewUacValue': [],
'NotificationPackageName': [], 'ObjectClass': [], 'OldUacValue': [], 'OriginalFileName': [],
'ParentCommandLine': [], 'ParentImage': [], 'ParentProcessGuid': [], 'ParentProcessId': [],
'PasswordLastSet': [], 'PerfStateCount': [], 'PipeName': [], 'PreviousTime': [], 'PrimaryGroupId': [],
'ProcessCommandLine': [], 'ProcessGuid': [], 'Product': [], 'ProfilePath': [],
'ProtocolHostProcessID': [], 'PuaCount': [], 'PuaPolicyId': [], 'Publisher': [], 'QueryResults': [],
'QueryStatus': [], 'RelativeTargetName': [], 'ResourceManager': [], 'SAMAccountName': [],
'ScriptPath': [], 'SecurityPackageName': [], 'ServerID': [], 'ServerURL': [],
'ServicePrincipalNames': [], 'ShareLocalPath': [], 'SidHistory': [], 'Signature': [],
'SignatureStatus': [], 'Signed': [], 'SourceAddress': [], 'SourceHostname': [], 'SourceImage': [],
'SourceIp': [], 'SourceNetworkAddress': [], 'SourceIsIpv6': [], 'SourcePort': [], 'SourcePortName': [],
'SourceProcessGuid': [], 'StartAddress': [], 'StartFunction': [], 'StartModule': [], 'SubStatus': [],
'TargetFileName': [], 'TargetImage': [], 'TargetProcessAddress': [], 'TargetProcessGuid': [],
'TaskContent': [], 'TerminalSessionId': [], 'ThrottleStateCount': [], 'TicketEncryptionType': [],
'TicketOptions': [], 'UserAccountControl': [], 'UserParameters': [], 'UserPrincipalName': [],
'UserWorkstations': [], 'UtcTime': [], 'Workstation': [], 'ParentIntegrityLevel': [], 'ParentUser': []}
mapping = {'Original_Event_Log': ['Original_Event_Log'], 'TargetObject': ['Event_EventData_TargetObject'],
'Channel': ['Event_System_Channel', 'Event_RenderingInfo_Channel'],
'Computer': ['Event_System_Computer'], 'Correlation': ['Event_System_Correlation'],
'EventID': ['Event_System_EventID', 'Event_System_EventID_#text'],
'EventRecordID': ['Event_System_EventRecordID'],
'ProcessID': ['Event_EventData_ProcessID', 'Event_EventData_ProcessId',
'Event_System_Execution_#attributes_ProcessID',
'Event_UserData_Operation_StartedOperational_ProcessID',
'Event_UserData_DroppedLeakDiagnosisEventInfo_ProcessId',
'Event_UserData_CompatibilityFixEvent_ProcessId',
'Event_UserData_Operation_TemporaryEssStarted_Processid', 'Event_EventData_processId'],
'ThreadID': ['Event_System_Execution_#attributes_ThreadID'], 'Keywords': ['Event_System_Keywords'],
'Level': ['Event_System_Level', 'Event_RenderingInfo_Level'],
'Opcode': ['Event_System_Opcode', 'Event_RenderingInfo_Opcode'],
'Guid': ['Event_System_Provider_#attributes_Guid', 'Event_EventData_Guid'],
'Name': ['Event_EventData_name', 'Event_System_Provider_#attributes_Name',
'Event_EventData_#attributes_Name',
'Event_UserData_CertNotificationData_CertificateDetails_EKUs_EKU_#attributes_Name',
'Event_EventData_Name',
'Event_UserData_CertNotificationData_CertificateDetails_Template_#attributes_Name',
'Event_UserData_CertNotificationData_NewCertificateDetails_EKUs_EKU_#attributes_Name',
'Event_UserData_CertNotificationData_NewCertificateDetails_Template_#attributes_Name',
'Event_UserData_CertNotificationData_OldCertificateDetails_EKUs_EKU_#attributes_Name',
'Event_UserData_CertNotificationData_OldCertificateDetails_Template_#attributes_Name',
'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_1_Name',
'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_2_Name',
'Event_UserData_MemoryExhaustionInfo_NonPagedPoolInfo_Tag_3_Name',
'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_1_Name',
'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_2_Name',
'Event_UserData_MemoryExhaustionInfo_PagedPoolInfo_Tag_3_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_1_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_2_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_3_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_4_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_5_Name',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_6_Name',
'Event_UserData_EventData_Name'],
'UserID': ['Event_System_Security_#attributes_UserID', 'Event_EventData_UserId'],
'Task': ['Event_System_Task', 'Event_EventData_Task', 'Event_RenderingInfo_Task'],
'SystemTime': ['Event_System_TimeCreated_#attributes_SystemTime'],
'Version': ['Event_System_Version', 'Event_EventData_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_1_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_2_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_3_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_4_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_5_Version',
'Event_UserData_MemoryExhaustionInfo_ProcessInfo_Process_6_Version'],
'Status': ['Event_UserData_ChangingDefaultPrinter_Status', 'Event_EventData_Status',
'Event_UserData_EventData_Status'],
'ActivityID': ['Event_System_Correlation_#attributes_ActivityID', 'Event_EventData_ActivityId'],
'Context': ['Event_UserData_LoadPluginFailed_Context',
'Event_UserData_CertNotificationData_#attributes_Context'],
'ErrorCode': ['Event_UserData_LoadPluginFailed_ErrorCode', 'Event_EventData_ErrorCode',
'Event_UserData_CbsUpdateChangeState_ErrorCode',
'Event_UserData_CbsPackageChangeState_ErrorCode', 'Event_ProcessingErrorData_ErrorCode',
'Event_EventData_errorCode'], 'AppId': ['Event_EventData_AppId', 'Event_EventData_AppID'],
'DCName': ['Event_EventData_DCName'], 'Binary': ['Event_EventData_Binary'],
'Qualifiers': ['Event_System_EventID_#attributes_Qualifiers'], 'Security': ['Event_System_Security'],
'Path': ['Event_EventData_Path'], 'ScriptBlockText': ['Event_EventData_ScriptBlockText'],
'param1': ['Event_EventData_param1', 'Event_UserData_EventXML_Param1', 'Event_EventData_Param1'],
'param2': ['Event_EventData_param2', 'Event_UserData_EventXML_Param2', 'Event_EventData_Param2'],
'ContextInfo': ['Event_EventData_ContextInfo'], 'Payload': ['Event_EventData_Payload'],
'UserData': ['Event_EventData_UserData'], 'State': ['Event_EventData_State'],
'EventType': ['Event_UserData_InvalidCommitLimitExhaustion_EventType'],
'AccountName': ['Event_UserData_CertNotificationData_#attributes_AccountName',
'Event_EventData_AccountName'],
'ProcessName': ['Event_UserData_CertNotificationData_#attributes_ProcessName',
'Event_EventData_ProcessName'], 'LogonType': ['Event_EventData_LogonType'],
'TaskName': ['Event_EventData_TaskName'],
'Message': ['Event_EventData_message', 'Event_RenderingInfo_Message', 'Event_EventData_Message'],
'Provider': ['Event_RenderingInfo_Provider'], 'updateGuid': ['Event_EventData_updateGuid'],
'updateRevisionNumber': ['Event_EventData_updateRevisionNumber'],
'updateTitle': ['Event_EventData_updateTitle', 'Event_EventData_UpdateTitle'],
'DeviceName': ['Event_EventData_DeviceName', 'Event_EventData_Prop_DeviceName'],
'DeviceNameLength': ['Event_EventData_DeviceNameLength'],
'ClientProcessId': ['Event_UserData_Operation_ClientFailure_ClientProcessId'],
'PossibleCause': ['Event_UserData_Operation_ClientFailure_PossibleCause',
'Event_UserData_Operation_TemporaryEssStarted_PossibleCause'],
'User': ['Event_UserData_Operation_ClientFailure_User',
'Event_UserData_Operation_TemporaryEssStarted_User', 'Event_EventData_User',
'Event_UserData_EventXML_User'],
'ProviderName': ['Event_UserData_Operation_StartedOperational_ProviderName'],
'Query': ['Event_UserData_Operation_TemporaryEssStarted_Query'],
'value': ['Event_EventData_value', 'Event_EventData_Value'],
'Action': ['Event_EventData_Action', 'Event_UserData_CertNotificationData_Action'],
'ApplicationPath': ['Event_EventData_ApplicationPath'],
'ModifyingApplication': ['Event_EventData_ModifyingApplication'], 'Origin': ['Event_EventData_Origin'],
'Protocol': ['Event_EventData_Protocol', 'Event_EventData_protocol'],
'RuleName': ['Event_EventData_RuleName'], 'SchemaVersion': ['Event_EventData_SchemaVersion'],
'ServiceName': ['Event_EventData_ServiceName'],
'Filename': ['Event_EventData_Filename', 'Event_UserData_EventData_FileName',
'Event_EventData_FileName'], 'PackagePath': ['Event_EventData_PackagePath'],
'FileNameBuffer': ['Event_EventData_FileNameBuffer'],
'UserName': ['Event_UserData_EventData_UserName', 'Event_EventData_UserName', 'Event_EventData_userName',
'Event_EventData_Username'],
'ShareName': ['Event_UserData_EventData_ShareName', 'Event_EventData_ShareName'],
'NewState': ['Event_EventData_NewState'],
'Param3': ['Event_UserData_EventXML_Param3', 'Event_EventData_param3'],
'EventSourceName': ['Event_System_Provider_#attributes_EventSourceName'],
'NumberOfGroupPolicyObjects': ['Event_EventData_NumberOfGroupPolicyObjects'],
'ProcessingMode': ['Event_EventData_ProcessingMode'],
'ProcessingTimeInMilliseconds': ['Event_EventData_ProcessingTimeInMilliseconds'],
'HostName': ['Event_EventData_HostName'],
'Ipaddress': ['Event_EventData_Ipaddress', 'Event_EventData_IpAddress'],
'NewTime': ['Event_EventData_NewTime'], 'OldTime': ['Event_EventData_OldTime'],
'HiveName': ['Event_EventData_HiveName'], 'ErrorDescription': ['Event_EventData_ErrorDescription'],
'Address': ['Event_EventData_Address', 'Event_UserData_EventXML_Address'],
'AddressLength': ['Event_EventData_AddressLength'], 'QueryName': ['Event_EventData_QueryName'],
'TSId': ['Event_EventData_TSId'],
'UserSid': ['Event_EventData_UserSid', 'Event_UserData_EventXML_UserSid', 'Event_EventData_UserSID'],
'DeviceTime': ['Event_EventData_DeviceTime'],
'DeviceVersionMajor': ['Event_EventData_DeviceVersionMajor'],
'DeviceVersionMinor': ['Event_EventData_DeviceVersionMinor'],
'FinalStatus': ['Event_EventData_FinalStatus'], 'ImagePath': ['Event_EventData_ImagePath'],
'ServiceType': ['Event_EventData_ServiceType'], 'StartType': ['Event_EventData_StartType'],
'ExtensionId': ['Event_EventData_ExtensionId'], 'ExtensionName': ['Event_EventData_ExtensionName'],
'ShutdownActionType': ['Event_EventData_ShutdownActionType'],
'ShutdownEventCode': ['Event_EventData_ShutdownEventCode'],
'ShutdownReason': ['Event_EventData_ShutdownReason'], 'Group': ['Event_EventData_Group'],
'IdleStateCount': ['Event_EventData_IdleStateCount'],
'Number': ['Event_EventData_Number', 'Event_EventData_number'], 'BootMode': ['Event_EventData_BootMode'],
'BuildVersion': ['Event_EventData_BuildVersion'], 'MajorVersion': ['Event_EventData_MajorVersion'],
'MinorVersion': ['Event_EventData_MinorVersion'], 'QfeVersion': ['Event_EventData_QfeVersion'],
'ServiceVersion': ['Event_EventData_ServiceVersion'],
'StartTime': ['Event_EventData_StartTime', 'Event_UserData_CompatibilityFixEvent_StartTime'],
'StopTime': ['Event_EventData_StopTime'], 'TimeSource': ['Event_EventData_TimeSource'],
'Targetname': ['Event_EventData_Targetname'], 'Caption': ['Event_EventData_Caption'],
'ErrorMessage': ['Event_EventData_ErrorMessage'], 'RetryMinutes': ['Event_EventData_RetryMinutes'],
'Description': ['Event_EventData_Description'], 'Type': ['Event_EventData_Type'],
'OperationType': ['Event_EventData_OperationType'], 'CommandLine': ['Event_EventData_CommandLine'],
'PackageName': ['Event_EventData_PackageName'],
'Data': ['Event_EventData_Data', 'Event_EventData_Data_#text'], 'LogonId': ['Event_EventData_LogonId'],
'ServerName': ['Event_EventData_ServerName', 'Event_EventData_serverName'],
'ObjectName': ['Event_EventData_ObjectName'], 'AccessList': ['Event_EventData_AccessList'],
'AccessMask': ['Event_EventData_AccessMask'], 'HandleId': ['Event_EventData_HandleId'],
'ObjectServer': ['Event_EventData_ObjectServer'], 'ObjectType': ['Event_EventData_ObjectType'],
'SubjectDomainName': ['Event_EventData_SubjectDomainName'],
'SubjectLogonId': ['Event_EventData_SubjectLogonId'],
'SubjectUserName': ['Event_EventData_SubjectUserName'],
'SubjectUserSid': ['Event_EventData_SubjectUserSid'], 'NewProcessId': ['Event_EventData_NewProcessId'],
'NewProcessName': ['Event_EventData_NewProcessName'],
'ParentProcessName': ['Event_EventData_ParentProcessName'],
'TargetDomainName': ['Event_EventData_TargetDomainName'],
'TargetLogonId': ['Event_EventData_TargetLogonId'], 'TargetUserName': ['Event_EventData_TargetUserName'],
'TargetUserSid': ['Event_EventData_TargetUserSid'],
'TokenElevationType': ['Event_EventData_TokenElevationType'], 'NewValue': ['Event_EventData_NewValue'],
'ObjectValueName': ['Event_EventData_ObjectValueName'], 'OldValue': ['Event_EventData_OldValue'],
'Properties': ['Event_EventData_Properties'], 'PrivilegeList': ['Event_EventData_PrivilegeList'],
'Service': ['Event_EventData_Service'],
'AuthenticationPackageName': ['Event_EventData_AuthenticationPackageName'],
'ImpersonationLevel': ['Event_EventData_ImpersonationLevel'], 'IpPort': ['Event_EventData_IpPort'],
'KeyLength': ['Event_EventData_KeyLength'], 'LmPackageName': ['Event_EventData_LmPackageName'],
'LogonGuid': ['Event_EventData_LogonGuid'], 'LogonProcessName': ['Event_EventData_LogonProcessName'],
'TransmittedServices': ['Event_EventData_TransmittedServices'],
'WorkstationName': ['Event_EventData_WorkstationName'],
'CallerProcessName': ['Event_EventData_CallerProcessName'], 'TargetSid': ['Event_EventData_TargetSid'],
'TaskContentNew': ['Event_EventData_TaskContentNew'],
'AuditPolicyChanges': ['Event_EventData_AuditPolicyChanges'],
'SourceProcessId': ['Event_EventData_SourceProcessId'],
'TargetProcessId': ['Event_EventData_TargetProcessId'],
'TransactionId': ['Event_EventData_TransactionId'], 'TargetInfo': ['Event_EventData_TargetInfo'],
'TargetLogonGuid': ['Event_EventData_TargetLogonGuid'],
'TargetServerName': ['Event_EventData_TargetServerName'], 'Details': ['Event_EventData_Details'],
'PackageFullName': ['Event_EventData_PackageFullName'], 'processPath': ['Event_EventData_processPath'],
'Provider_Name': ['Event_System_Provider_#attributes_Name'], 'Accesses': ['Event_EventData_Accesses'],
'AccountDomain': ['Event_EventData_AccountDomain'], 'AccountExpires': ['Event_EventData_AccountExpires'],
'AddonName': ['Event_EventData_AddonName'],
'AllowedToDelegateTo': ['Event_EventData_AllowedToDelegateTo'],
'Application': ['Event_EventData_Application'],
'AttributeLDAPDisplayName': ['Event_EventData_AttributeLDAPDisplayName'],
'AttributeValue': ['Event_EventData_AttributeValue'],
'AuditSourceName': ['Event_EventData_AuditSourceName'],
'CallingProcessName': ['Event_EventData_CallingProcessName'], 'CallTrace': ['Event_EventData_CallTrace'],
'Company': ['Event_EventData_Company'], 'CreationUtcTime': ['Event_EventData_CreationUtcTime'],
'CurrentDirectory': ['Event_EventData_CurrentDirectory'],
'DestinationAddress': ['Event_EventData_DestinationAddress'],
'DestinationHostname': ['Event_EventData_DestinationHostname'],
'DestinationIp': ['Event_EventData_DestinationIp'],
'DestinationIsIpv6': ['Event_EventData_DestinationIsIpv6'],
'DestinationPort': ['Event_EventData_DestinationPort'],
'DestinationPortName': ['Event_EventData_DestinationPortName'], 'DestPort': ['Event_EventData_DestPort'],
'Detail': ['Event_EventData_Detail'], 'DetectionSource': ['Event_EventData_DetectionSource'],
'DeviceClassName': ['Event_EventData_DeviceClassName'],
'DeviceDescription': ['Event_EventData_DeviceDescription'],
'DisplayName': ['Event_EventData_DisplayName'], 'EngineVersion': ['Event_EventData_EngineVersion'],
'EventSourceId': ['Event_EventData_EventSourceId'], 'ExtraInfo': ['Event_EventData_ExtraInfo'],
'FailureCode': ['Event_EventData_FailureCode'], 'FailureReason': ['Event_EventData_FailureReason'],
'FileVersion': ['Event_EventData_FileVersion'],
'FilterHostProcessID': ['Event_EventData_FilterHostProcessID'],
'GrantedAccess': ['Event_EventData_GrantedAccess'], 'GroupDomain': ['Event_EventData_GroupDomain'],
'GroupName': ['Event_EventData_GroupName'], 'GroupSid': ['Event_EventData_GroupSid'],
'Hash': ['Event_EventData_Hash'], 'Hashes': ['Event_EventData_Hashes'],
'HomeDirectory': ['Event_EventData_HomeDirectory'], 'HomePath': ['Event_EventData_HomePath'],
'HostApplication': ['Event_EventData_HostApplication'], 'HostVersion': ['Event_EventData_HostVersion'],
'Image': ['Event_EventData_Image'], 'ImageLoaded': ['Event_EventData_ImageLoaded'],
'Initiated': ['Event_EventData_Initiated'], 'IntegrityLevel': ['Event_EventData_IntegrityLevel'],
'LayerRTID': ['Event_EventData_LayerRTID'], 'LDAPDisplayName': ['Event_EventData_LDAPDisplayName'],
'LogonHours': ['Event_EventData_LogonHours'], 'NewName': ['Event_EventData_NewName'],
'NewThreadId': ['Event_EventData_NewThreadId'], 'NewUacValue': ['Event_EventData_NewUacValue'],
'NotificationPackageName': ['Event_EventData_NotificationPackageName'],
'ObjectClass': ['Event_EventData_ObjectClass'], 'OldUacValue': ['Event_EventData_OldUacValue'],
'OriginalFileName': ['Event_EventData_OriginalFileName'],
'ParentCommandLine': ['Event_EventData_ParentCommandLine'],
'ParentImage': ['Event_EventData_ParentImage'],
'ParentProcessGuid': ['Event_EventData_ParentProcessGuid'],
'ParentProcessId': ['Event_EventData_ParentProcessId'],
'PasswordLastSet': ['Event_EventData_PasswordLastSet'],
'PerfStateCount': ['Event_EventData_PerfStateCount'], 'PipeName': ['Event_EventData_PipeName'],
'PreviousTime': ['Event_EventData_PreviousTime'], 'PrimaryGroupId': ['Event_EventData_PrimaryGroupId'],
'ProcessCommandLine': ['Event_EventData_ProcessCommandLine'],
'ProcessGuid': ['Event_EventData_ProcessGuid'], 'Product': ['Event_EventData_Product'],
'ProfilePath': ['Event_EventData_ProfilePath'],
'ProtocolHostProcessID': ['Event_EventData_ProtocolHostProcessID'],
'PuaCount': ['Event_EventData_PuaCount'], 'PuaPolicyId': ['Event_EventData_PuaPolicyId'],
'Publisher': ['Event_EventData_Publisher'], 'QueryResults': ['Event_EventData_QueryResults'],
'QueryStatus': ['Event_EventData_QueryStatus'],
'RelativeTargetName': ['Event_EventData_RelativeTargetName'],
'ResourceManager': ['Event_EventData_ResourceManager'],
'SAMAccountName': ['Event_EventData_SamAccountName'], 'ScriptPath': ['Event_EventData_ScriptPath'],
'SecurityPackageName': ['Event_EventData_SecurityPackageName'], 'ServerID': ['Event_EventData_ServerID'],
'ServerURL': ['Event_EventData_ServerURL'],
'ServicePrincipalNames': ['Event_EventData_ServicePrincipalNames'],
'ShareLocalPath': ['Event_EventData_ShareLocalPath'], 'SidHistory': ['Event_EventData_SidHistory'],
'Signature': ['Event_EventData_Signature'], 'SignatureStatus': ['Event_EventData_SignatureStatus'],
'Signed': ['Event_EventData_Signed'], 'SourceAddress': ['Event_EventData_SourceAddress'],
'SourceHostname': ['Event_EventData_SourceHostname'], 'SourceImage': ['Event_EventData_SourceImage'],
'SourceIp': ['Event_EventData_SourceIp'],
'SourceNetworkAddress': ['Event_EventData_SourceNetworkAddress'],
'SourceIsIpv6': ['Event_EventData_SourceIsIpv6'], 'SourcePort': ['Event_EventData_SourcePort'],
'SourcePortName': ['Event_EventData_SourcePortName'],
'SourceProcessGuid': ['Event_EventData_SourceProcessGuid'],
'StartAddress': ['Event_EventData_StartAddress'], 'StartFunction': ['Event_EventData_StartFunction'],
'StartModule': ['Event_EventData_StartModule'], 'SubStatus': ['Event_EventData_SubStatus'],
'TargetFileName': ['Event_EventData_TargetFilename'], 'TargetImage': ['Event_EventData_TargetImage'],
'TargetProcessAddress': ['Event_EventData_TargetProcessAddress'],
'TargetProcessGuid': ['Event_EventData_TargetProcessGuid'],
'TaskContent': ['Event_EventData_TaskContent'],
'TerminalSessionId': ['Event_EventData_TerminalSessionId'],
'ThrottleStateCount': ['Event_EventData_ThrottleStateCount'],
'TicketEncryptionType': ['Event_EventData_TicketEncryptionType'],
'TicketOptions': ['Event_EventData_TicketOptions'],
'UserAccountControl': ['Event_EventData_UserAccountControl'],
'UserParameters': ['Event_EventData_UserParameters'],
'UserPrincipalName': ['Event_EventData_UserPrincipalName'],
'UserWorkstations': ['Event_EventData_UserWorkstations'], 'UtcTime': ['Event_EventData_UtcTime'],
'Workstation': ['Event_EventData_Workstation'],
'ParentIntegrityLevel': ['Event_EventData_ParentIntegrityLevel'],
'ParentUser': ['Event_EventData_ParentUser']}
parser = PyEvtxParser(str(file))
for record in parser.records_json():
data=flatten(json.loads(record["data"]))
for key in mapping.keys():
requiredfield = "None"
for field in mapping[key]:
if field in data:
requiredfield=field
break
if requiredfield!="None":
if isinstance(data[requiredfield], list):
Alldata[key].append(",".join(data[requiredfield]))
else:
Alldata[key].append(str(data[requiredfield]))
else:
if field == "Original_Event_Log":
Alldata[key].append(record["data"])
#Alldata[key].append(None)
else:
Alldata[key].append(None)
#print("finished Parsing")
#print(Alldata)
l.acquire()
#print("Inserting data into "+DB)
insert_into_db_mp(Alldata, DB)
l.release()
print("Done Parsing : "+str(file))
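def clean(DBName):
    """Delete the temporary SQLite events database at *DBName*.

    Args:
        DBName: Path of the temporary database (the ``DB`` created by
            ``Create_DB`` in ``Sigma_Analyze``) that is no longer needed once
            the detections have been written out.

    Prints a one-line status in either case and never raises for a missing
    file. The removal is attempted directly (EAFP) instead of ``isfile``
    followed by ``remove``: that pairing leaves a check-then-act window
    between the two calls, and the single ``remove`` makes the outcome
    unambiguous. A path that exists but cannot be removed (e.g. a directory
    or a permission problem) raises ``OSError`` so the failure is visible
    rather than reported as "does not exist".
    """
    try:
        os.remove(DBName)
    except FileNotFoundError:
        print("Temp Database does not exist.")
    else:
        print("Temp Database has been removed.")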
def init(l):
    """Worker-pool initializer: expose the shared lock as module global ``lock``.

    Args:
        l: The lock object handed over by ``Sigma_Analyze`` via
            ``initargs=(l,)``; it is stored unchanged.

    NOTE(review): the parsing worker above serialises its database insert
    with ``l.acquire()`` / ``l.release()`` rather than with this ``lock``
    global. With the fork start method both names refer to the same lock;
    under spawn only the ``lock`` set here is the one the parent handed over —
    confirm which start method is in use.
    """
    global lock
    lock = l
def Sigma_Analyze(Path, rules,output, DBName="Events.sqlite"):
global l,DBconn,DB
tic_start = time.time()
DB=DBName
Create_DB(DB)
print("Analyzing logs using Sigma with below config : ")
print(f"Logs Path : {Path}\nSigma Rules file : {rules}\nProfile : {output}")
pool = multiprocessing.Pool(multiprocessing.cpu_count(), initializer=init, initargs=(l,))
files = auto_detect(Path)
results = pool.map(optimised_parse_mp, files)
RulesToDB(rules, DB)
DBconn = sqlite3.connect(DB)
optimised_search(DB,output)
clean(DBName)
DBconn.close()
toc_end = time.time()
print("Analysis results availble as CSV file with Name "+output+'_'+'Detections.csv')
print("Analysis results availble as Excel file with statistics as "+output+'_'+'Detections.xlsx')