From fb18ba3b820960389c826c35a77d6eef80ca96ee Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:33:13 +0800
Subject: [PATCH] ADD file via upload
---
source/lib/CSVDetection.py | 1948 ++++++++++++++++++++++++++++++++++++
1 file changed, 1948 insertions(+)
create mode 100644 source/lib/CSVDetection.py
diff --git a/source/lib/CSVDetection.py b/source/lib/CSVDetection.py
new file mode 100644
index 0000000..02e1204
--- /dev/null
+++ b/source/lib/CSVDetection.py
@@ -0,0 +1,1948 @@
+import csv
+import re
+from netaddr import *
+import xml.etree.ElementTree as ET
+import pandas as pd
+from datetime import datetime
+minlength=1000
+
+account_op={}
+PasswordSpray={}
+Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe']
+
+Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','DownloadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Download_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden']
+
+Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"]
+
+TerminalServices_Summary=[{'User':[],'Number of Logins':[]}]
+Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}]
+Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}]
+
+critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"]
+
+Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
+Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}]
+
+#=======================
+#Regex for security logs
+Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)
+
+#Account_Name_rex = re.compile('Account Name:\t{1,15}(.*)', re.IGNORECASE)
+Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE)
+
+Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE)
+
+Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE)
+
+Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE)
+
+Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE)
+
+Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE)
+
+Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE)
+
+Process_Command_Line_rex=re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE)
+
+Group_Name_rex=re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE)
+
+Task_Name_rex=re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE)
+
+Task_Command_rex=re.compile('(.*)', re.IGNORECASE)
+
+Task_args_rex=re.compile('(.*)', re.IGNORECASE)
+
+Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE)
+
+Category_sec_rex= re.compile('Category:\t{1,15}(.*)', re.IGNORECASE)
+
+Subcategory_rex= re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE)
+
+Changes_rex= re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE)
+
+
+#=======================
+#Regex for windows defender logs
+
+Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE)
+
+Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE)
+
+Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE)
+
+Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE)
+
+Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE)
+
+Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE)
+
+Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE)
+
+#=======================
+#Regex for system logs
+
+Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE)
+Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE)
+Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE)
+Service_Account_rex = re.compile('Service Account: (.*)', re.IGNORECASE)
+Service_and_state_rex = re.compile('The (.*) service entered the (.*) state\.', re.IGNORECASE)
+StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE)
+Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE)
+
+
+#=======================
+#Regex for task scheduler logs
+task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE)
+task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE)
+task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE)
+
+
+#======================
+#Regex for powershell operational logs
+Host_Application_rex = re.compile('Host Application = (.*)')
+Command_Name_rex = re.compile('Command Name = (.*)')
+Command_Type_rex = re.compile('Command Type = (.*)')
+Engine_Version_rex = re.compile('Engine Version = (.*)')
+User_rex = re.compile('User = (.*)')
+Error_Message_rex = re.compile('Error Message = (.*)')
+
+#======================
+#Regex for powershell logs
+HostApplication_rex = re.compile('HostApplication=(.*)')
+CommandLine_rex = re.compile('CommandLine=(.*)')
+ScriptName_rex = re.compile('ScriptName=(.*)')
+EngineVersion_rex = re.compile('EngineVersion=(.*)')
+UserId_rex = re.compile('UserId=(.*)')
+ErrorMessage_rex = re.compile('ErrorMessage=(.*)')
+#======================
+#TerminalServices Local Session Manager Logs
+#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)')
+Source_Network_Address_Terminal_rex= re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})')
+User_Terminal_rex=re.compile('User: (.*)')
+Session_ID_rex=re.compile('Session ID: (.*)')
+#======================
+#Microsoft-Windows-WinRM logs
+Connection_rex=re.compile("""The connection string is: (.*)""")
+#User_ID_rex=re.compile(""".*)\'\/><\/System>""")
+#src_device_rex=re.compile("""(?.*)<\/Computer>""")
+#======================
+#Sysmon Logs
+Sysmon_CommandLine_rex=re.compile("CommandLine: (.*)")
+Sysmon_ProcessGuid_rex=re.compile("ProcessGuid: (.*)")
+Sysmon_ProcessId_rex=re.compile("ProcessId: (.*)")
+Sysmon_Image_rex=re.compile("Image: (.*)")
+Sysmon_FileVersion_rex=re.compile("FileVersion: (.*)")
+Sysmon_Company_rex=re.compile("Company: (.*)")
+Sysmon_Product_rex=re.compile("Product: (.*)")
+Sysmon_Description_rex=re.compile("Description: (.*)")
+Sysmon_User_rex=re.compile("User: (.*)")
+Sysmon_LogonGuid_rex=re.compile("LogonGuid: (.*)")
+Sysmon_TerminalSessionId_rex=re.compile("TerminalSessionId: (.*)")
+Sysmon_Hashes_MD5_rex=re.compile("MD5=(.*),")
+Sysmon_Hashes_SHA256_rex=re.compile("SHA256=(.*)")
+Sysmon_ParentProcessGuid_rex=re.compile("ParentProcessGuid: (.*)")
+Sysmon_ParentProcessId_rex=re.compile("ParentProcessId: (.*)")
+Sysmon_ParentImage_rex=re.compile("ParentImage: (.*)")
+Sysmon_ParentCommandLine_rex=re.compile("ParentCommandLine: (.*)")
+Sysmon_CurrentDirectory_rex=re.compile("CurrentDirectory: (.*)")
+Sysmon_OriginalFileName_rex=re.compile("OriginalFileName: (.*)")
+Sysmon_TargetObject_rex=re.compile("TargetObject: (.*)")
+#########
+#Sysmon event ID 3
+Sysmon_Protocol_rex=re.compile("Protocol: (.*)")
+Sysmon_SourceIp_rex=re.compile("SourceIp: (.*)")
+Sysmon_SourceHostname_rex=re.compile("SourceHostname: (.*)")
+Sysmon_SourcePort_rex=re.compile("SourcePort: (.*)")
+Sysmon_DestinationIp_rex=re.compile("DestinationIp: (.*)")
+Sysmon_DestinationHostname_rex=re.compile("DestinationHostname: (.*)")
+Sysmon_DestinationPort_rex=re.compile("DestinationPort: (.*)")
+#########
+#Sysmon event ID 8
+Sysmon_StartFunction_rex=re.compile("StartFunction: (.*)")
+Sysmon_StartModule_rex=re.compile("StartModule: (.*)")
+Sysmon_TargetImage_rex=re.compile("TargetImage: (.*)")
+Sysmon_SourceImage_rex=re.compile("SourceImage: (.*)")
+Sysmon_SourceProcessId_rex=re.compile("SourceProcessId: (.*)")
+Sysmon_SourceProcessGuid_rex=re.compile("SourceProcessGuid: (.*)")
+Sysmon_TargetProcessGuid_rex=re.compile("TargetProcessGuid: (.*)")
+Sysmon_TargetProcessId_rex=re.compile("TargetProcessId: (.*)")
+
+
+def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False):
+ #global Logon_Type_rex,Account_Name_rex,Account_Domain_rex,Workstation_Name_rex,Source_Network_Address_rex
+ with open(file_name, newline='') as csvfile:
+
+ # list = csv.reader(csvfile,delimiter=',',quotechar='"')
+ """if winevent==True:
+ list2 = csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list2 = csv.DictReader(csvfile,
+ fieldnames=('Event ID',"MachineName","Data","Index","Category","CategoryNumber","EntryType","Details","Source","ReplacementStrings","InstanceId", 'Date and Time',"TimeWritten","UserName","Site","Container"))
+
+ """
+ if open(file_name,"r").read(1000).find("\"InstanceId\",\"TimeGenerated\"")>0:
+ list2 = csv.DictReader(csvfile,
+ fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber",
+ "EntryType", "Details", "Source", "ReplacementStrings", "InstanceId",
+ 'Date and Time', "TimeWritten", "UserName", "Site", "Container"))
+ else:
+ list2 = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ for row in list2:
+ if row['Details']==None:
+ continue
+
+ Logon_Type = Logon_Type_rex.findall(row['Details'])
+
+ Account_Name = Account_Name_rex.findall(row['Details'])
+
+ Account_Domain = Account_Domain_rex.findall(row['Details'])
+
+ Workstation_Name = Workstation_Name_rex.findall(row['Details'])
+
+ Source_IP = Source_Network_Address_rex.findall(row['Details'])
+
+ Logon_Process = Logon_Process_rex.findall(row['Details'])
+
+ Key_Length = Key_Length_rex.findall(row['Details'])
+
+ Security_ID = Security_ID_rex.findall(row['Details'])
+
+ Group_Name = Group_Name_rex.findall(row['Details'])
+
+ Task_Name=Task_Name_rex.findall(row['Details'])
+
+ Task_Command = Task_Command_rex.findall(row['Details'])
+
+ Task_args= Task_args_rex.findall(row['Details'])
+
+ Process_Name=Process_Name_sec_rex.findall(row['Details'])
+
+ Category=Category_sec_rex.findall(row['Details'])
+
+ Subcategory=Subcategory_rex.findall(row['Details'])
+
+ Changes=Changes_rex.findall(row['Details'])
+
+ Process_Command_Line = Process_Command_Line_rex.findall(row['Details'])
+ #User Cretion using Net command
+ if row['Event ID']=="4688":
+ try:
+ if len(re.findall('.*user.*/add.*',row['Details']))>0:
+ #print("test")
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("## High ## User Added using Net Command ",end='')
+ #print("User Name : ( %s ) "%Account_Name[0].strip(),end='')
+ #print("with Command Line : ( " + Process_Command_Line[0].strip()+" )")
+
+ Event_desc ="User Name : ( %s ) "%Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip()+" )"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Added using Net Command")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ #Detecting privielge Escalation using Token Elevation
+ if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line))>0:
+
+ Event_desc ="User Name : ( %s ) " % user+"conducting NAMED PIPE privilege escalation with Command Line : ( " + process_command_line + " ) "
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Suspected privielge Escalation attempt using NAMED PIPE")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ if Process_Command_Line[0].strip().lower().find("\\temp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\tmp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\program data\\")>-1:
+ # print("test")
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("## Process running in temp ", end='')
+ #print("User Name : ( %s ) " % Account_Name[0].strip(), end='')
+ #print("with Command Line : ( " + Process_Command_Line[0].strip() + " )")
+ # print("###########")
+ Event_desc ="User Name : ( %s ) " % Account_Name[0].strip()+" with Command Line : ( " + Process_Command_Line[0].strip() + " )"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Process running in suspicious location")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ for i in Suspicious_executables:
+
+ if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("## Found Suspicios Process ", end='')
+ #print("User Name : ( %s ) " % Account_Name[0].strip(), end='')
+ #print("with Command Line : ( " + Process_Command_Line[0].strip() + " )")
+ # print("###########")
+ Event_desc ="User Name : ( %s ) " % Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip() + " ) contain suspicious command ( %s)"%i
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Suspicious Process Found")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ for i in Suspicious_powershell_commands:
+
+ if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("## Found Suspicios Process ", end='')
+ #print("User Name : ( %s ) " % Account_Name[0].strip(), end='')
+ #print("with Command Line : ( " + Process_Command_Line[0].strip() + " )")
+ # print("###########")
+ Event_desc ="User Name : ( %s ) " % Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip() + " ) contain suspicious command ( %s)"%i
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Suspicious Process Found")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+
+ except:
+ print("Error parsing below Event \n"+row['Details'])
+
+ continue
+
+ # User Created through management interface
+ if row['Event ID']=="4720":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User Name ( " + Account_Name[0].strip() + " )", end='')
+ #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
+ try:
+ Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )"
+
+ except:
+ Event_desc="User Created a new user "
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Created through management interface")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Medium")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # Windows is shutting down
+ if row['Event ID']=="4609" or row['Event ID']=="1100":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User Name ( " + Account_Name[0].strip() + " )", end='')
+ #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
+
+ Event_desc="Windows is shutting down "
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Windows is shutting down")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Medium")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+
+
+ # User added to local group
+ if row['Event ID']=="4732":
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
+ #print(" to local group ( " + Group_Name[0].strip() + " )")
+
+
+ try :
+ Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )"
+ except:
+ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[
+ 1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
+
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User added to local group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #add user to global group
+ if row['Event ID'] == "4728":
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
+ #print(" to Global group ( " + Group_Name[0].strip() + " )")
+ try :
+ Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )"
+ except:
+ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[
+ 1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User added to global group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #add user to universal group
+ if row['Event ID'] == "4756":
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip()
+ if len(Group_Name)>0:
+ #print(" to Universal group ( " + Group_Name[0].strip() + " )")
+ Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )"
+ else:
+ Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )"
+ #print(" to Universal group ( " + Account_Name[1].strip() + " )")
+
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User added to Universal group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #remove user from global group
+ if row['Event ID'] == "4729":
+
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
+ if len(Group_Name)>0:
+ #print(") from Global group ( " + Group_Name[0].strip() + " )")
+ Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )"
+ else:
+ Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )"
+ #print(") from Global group ( " + Account_Name[1].strip() + " )")
+
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Removed from Global Group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #remove user from universal group
+ if row['Event ID'] == "4757":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
+ if len(Group_Name)>0:
+ #print(") from Universal group ( " + Group_Name[0].strip() + " )")
+ Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )"
+ else:
+ #print(") from Universal group ( " + Account_Name[1].strip() + " )")
+ Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )"
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Removed from Universal Group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #remove user from local group
+ if row['Event ID'] == "4733":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
+ if len(Group_Name)>0:
+ #print(") from Local group ( " + Group_Name[0].strip() + " )")
+ Event_desc = Event_desc +") from Local group ( " + Group_Name[0].strip() + " )"
+ else:
+ #print(") from Local group ( " + Account_Name[1].strip() + " )")
+ Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )"
+
+
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Removed from Local Group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ #user removed group
+ if row['Event ID'] == "4730":
+ print("##### " + row['Date and Time'] + " #### ", end='')
+ print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) removed Group ( "
+ if len(Group_Name)>0:
+ Event_desc = Event_desc +") from Local group ( " + Group_Name[0].strip() + " )"
+ #print(") from Local group ( " + Group_Name[0].strip() + " )")
+ else:
+ Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )"
+ #print(") from Local group ( " + Account_Name[0].strip() + " )")
+
+
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Removed Group")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #user account removed
+ if row['Event ID'] == "4726":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("User ( " + Account_Name[0].strip() + " ) removed user ", end='')
+ #print("( " + Account_Name[1].strip() + " )")
+
+ Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("User Account Removed")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Summary of process Execution
+ if row['Event ID']=="4688":
+ try:
+
+ if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']:
+ Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip())
+ Executed_Process_Summary[0]['Number of Execution'].append(1)
+ else :
+ Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1
+ except:
+ continue
+ if row['Event ID'] == "4625" :
+ try:
+ if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
+ Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
+ Security_Authentication_Summary[0]['Number of Failed Logins'].append(1)
+ Security_Authentication_Summary[0]['Number of Successful Logins'].append(0)
+ else :
+ try:
+ Security_Authentication_Summary[0]['Number of Failed Logins'][
+ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
+ Security_Authentication_Summary[0]['Number of Failed Logins'][
+ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1
+ except:
+ print("User : "+Account_Name[1].strip() + " array : ")
+ print(Security_Authentication_Summary[0])
+ except:
+ continue
+ #password spray detection
+ if row['Event ID'] == "4648" :
+ try:
+
+ if Account_Name[0].strip() not in PasswordSpray:
+ PasswordSpray[Account_Name[0].strip()]=[]
+ PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
+ #else:
+ # PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
+ if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] :
+ PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
+ except:
+ continue
+#and (Logon_Type[0].strip()=="3" or Logon_Type[0].strip()=="10" or Logon_Type[0].strip()=="2" or Logon_Type[0].strip()=="8")
+ if row['Event ID'] == "4624" :
+ try:
+ #print(Account_Name[0])
+ if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
+ Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
+ Security_Authentication_Summary[0]['Number of Successful Logins'].append(1)
+ Security_Authentication_Summary[0]['Number of Failed Logins'].append(0)
+ else :
+ Security_Authentication_Summary[0]['Number of Successful Logins'][
+ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
+ Security_Authentication_Summary[0]['Number of Successful Logins'][
+ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1
+ except:
+ continue
+ #detect pass the hash
+ if row['Event ID'] == "4625" or row['Event ID'] == "4624":
+ if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(
+ # "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
+ # Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()))
+
+ Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
+ Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Audit log cleared
+ if row['Event ID'] == "517" or row['Event ID'] == "1102":
+ """print("##### " + row['Date and Time'] + " #### ", end='')
+ print(
+ "Audit log cleared by user ( %s )" % (
+ Account_Name[0].strip()))
+ """
+ Event_desc = "Audit log cleared by user ( %s )" % (
+ Account_Name[0].strip())
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Audit log cleared")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Suspicious Attempt to enumerate users or groups
+ if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:
+ """print("##### " + row['Date and Time'] + " #### ", end='')
+ print(
+ "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (
+ Account_Name[0].strip(),Process_Name[0].strip()))
+ """
+ Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip())
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Medium")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #System audit policy was changed
+
+ if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" :
+ """print("##### " + row['Date and Time'] + " #### ", end='')
+ print(
+ "System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (
+ Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()))
+ """
+ try :
+ Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())
+ except :
+ Event_desc = "System audit policy was changed by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("System audit policy was changed")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ #scheduled task created
+ if row['Event ID']=="4698" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+
+ #print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
+ try:
+ Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
+ except:
+ Event_desc = "schedule task created by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("schedule task created")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Critical")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #scheduled task deleted
+ if row['Event ID']=="1699" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+
+ #print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
+ try :
+ Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
+ except:
+ Event_desc = "schedule task deleted by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("schedule task deleted")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #schedule task updated
+ if row['Event ID']=="4702" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+
+ #print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
+ try:
+ Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
+ except:
+ Event_desc = "schedule task updated by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("schedule task updated")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Medium")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #schedule task enabled
+ if row['Event ID']=="4700" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+
+ #print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
+ try :
+ Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
+ except:
+ Event_desc = "schedule task enabled by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("schedule task enabled")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("Medium")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #schedule task disabled
+ if row['Event ID']=="4701" :
+ print("##### " + row['Date and Time'] + " #### ", end='')
+
+ #print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
+ try :
+ Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
+ except:
+ Event_desc = "schedule task disabled by user"
+ Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Security_events[0]['Detection Rule'].append("schedule task disabled")
+ Security_events[0]['Detection Domain'].append("Audit")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append(row['Event ID'])
+ Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ for user in PasswordSpray:
+ if len(PasswordSpray[user])>3:
+ Event_desc = "Password Spray Detected by user ( "+user+" )"
+ Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now()))
+ Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now()))
+ Security_events[0]['Detection Rule'].append("Password Spray Detected")
+ Security_events[0]['Detection Domain'].append("Threat")
+ Security_events[0]['Severity'].append("High")
+ Security_events[0]['Event Description'].append(Event_desc)
+ Security_events[0]['Event ID'].append("4648")
+ Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password sparay attack using usernames ( "+",".join(PasswordSpray[user])+" )")
+
+
+def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=False):
+ with open(file_name, newline='') as csvfile:
+ """if winevent == True:
+ list = csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties"))
+"""
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+ for row in list:
+ if row['Details']==None:
+ continue
+ Name = Name_rex.findall(row['Details'])
+ Severity = Severity_rex.findall(row['Details'])
+ Category = Category_rex.findall(row['Details'])
+ Path = Path_rex.findall(row['Details'])
+ User = Defender_User_rex.findall(row['Details'])
+ Process_Name = Process_Name_rex.findall(row['Details'])
+ Action = Action_rex.findall(row['Details'])
+
+ #Windows Defender took action against Malware
+ if row['Event ID']=="1117" or row['Event ID']=="1007" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
+ Event_desc="Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0].strip())
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware")
+ Windows_Defender_events[0]['Detection Domain'].append("Threat")
+ Windows_Defender_events[0]['Severity'].append("High")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Windows Defender failed to take action against Malware
+ if row['Event ID']=="1118" or row['Event ID']=="1008" or row['Event ID']=="1119":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
+
+ Event_desc="Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])
+
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware")
+ Windows_Defender_events[0]['Detection Domain'].append("Threat")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "1116" or row['Event ID']=="1006":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
+
+ Event_desc="Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware")
+ Windows_Defender_events[0]['Detection Domain'].append("Threat")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID']=="1013":
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0]))
+
+ Event_desc=" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0])
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender deleted history of malwares")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("High")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "1015" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
+
+ Event_desc="Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender detected suspicious behavior Malware")
+ Windows_Defender_events[0]['Detection Domain'].append("Threat")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "5001" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("Windows Defender real-time protection disabled")
+
+ Event_desc="Windows Defender real-time protection disabled"
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender real-time protection disabled")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "5004" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender real-time protection configuration changed")
+
+ Event_desc="Windows Defender real-time protection configuration changed"
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender real-time protection configuration changed")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "5007" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender antimalware platform configuration changed")
+
+ Event_desc="Windows Defender antimalware platform configuration changed"
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender antimalware platform configuration changed")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "5010" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print(" Windows Defender scanning for malware is disabled")
+
+ Event_desc="Windows Defender scanning for malware is disabled"
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender scanning for malware is disabled")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ if row['Event ID'] == "5012" :
+ print("##### " + row['Date and Time'] + " #### ", end='')
+ print(" Windows Defender scanning for viruses is disabled")
+
+ Event_desc="Windows Defender scanning for viruses is disabled"
+ Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Windows_Defender_events[0]['Detection Rule'].append("Windows Defender scanning for viruses is disabled")
+ Windows_Defender_events[0]['Detection Domain'].append("Audit")
+ Windows_Defender_events[0]['Severity'].append("Critical")
+ Windows_Defender_events[0]['Event Description'].append(Event_desc)
+ Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
+ Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+def detect_events_scheduled_task_log(file_name='Defender-logs.csv',winevent=False):
+ with open(file_name, newline='') as csvfile:
+
+ """if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+"""
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+ for row in list:
+ if row['Details']==None:
+ continue
+ task_register=task_register_rex.match(row['Details'])
+ task_update = task_update_rex.match(row['Details'])
+ task_delete = task_delete_rex.match(row['Details'])
+
+ #schedule task registered
+ if row['Event ID']=="106" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ if task_register.group(1).strip()=="S-1-5-18" and task_register.group(2).find("\\Microsoft\\Windows\\WindowsUpdate")!=0:
+ #print("schedule task registered with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_register.group(2)))
+ Event_desc ="schedule task registered with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_register.group(2))
+ else:
+ #print("schedule task registered with Name ( %s ) by user ( %s ) " % (
+ # task_register.group(2), task_register.group(1)))
+ Event_desc ="schedule task registered with Name ( %s ) by user ( %s ) " % (task_register.group(2), task_register.group(1))
+
+
+ ScheduledTask_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ ScheduledTask_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ ScheduledTask_events[0]['Detection Rule'].append("schedule task registered")
+ ScheduledTask_events[0]['Detection Domain'].append("Audit")
+ ScheduledTask_events[0]['Severity'].append("High")
+ ScheduledTask_events[0]['Event Description'].append(Event_desc)
+ ScheduledTask_events[0]['Schedule Task Name'].append(task_register.group(2))
+ ScheduledTask_events[0]['Event ID'].append(row['Event ID'])
+ ScheduledTask_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #schedule task updated
+ if row['Event ID']=="140" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ if task_update.group(1).strip()=="S-1-5-18" and task_update.group(2).find("\\Microsoft\\Windows\\WindowsUpdate")!=0:
+ #print("schedule task updated with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_update.group(2)))
+ Event_desc ="schedule task updated with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_update.group(2))
+ else:
+ #print("schedule task updated with Name ( %s ) by user ( %s ) " % (
+ # task_update.group(2), task_update.group(1)))
+ Event_desc ="schedule task updated with Name ( %s ) by user ( %s ) " % (
+ task_update.group(2), task_update.group(1))
+
+ ScheduledTask_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ ScheduledTask_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ ScheduledTask_events[0]['Detection Rule'].append("schedule task updated")
+ ScheduledTask_events[0]['Detection Domain'].append("Audit")
+ ScheduledTask_events[0]['Severity'].append("Medium")
+ ScheduledTask_events[0]['Event Description'].append(Event_desc)
+ ScheduledTask_events[0]['Event ID'].append(row['Event ID'])
+ ScheduledTask_events[0]['Schedule Task Name'].append(task_update.group(2))
+ ScheduledTask_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # schedule task deleted
+ if row['Event ID']=="141" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ if task_delete.group(1).strip()=="S-1-5-18" and task_delete.group(2).find("\\Microsoft\\Windows\\WindowsUpdate")!=0:
+ #print("schedule task deleted with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_delete.group(2)))
+ Event_desc ="schedule task deleted with Name ( %s ) by user ( NT AUTHORITY\SYSTEM ) " % (task_delete.group(2))
+ else:
+ #print("schedule task deleted with Name ( %s ) by user ( %s ) " % (
+ #task_delete.group(2), task_delete.group(1)))
+ Event_desc ="schedule task deleted with Name ( %s ) by user ( %s ) " % (task_delete.group(2), task_delete.group(1))
+
+ ScheduledTask_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ ScheduledTask_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ ScheduledTask_events[0]['Detection Rule'].append("schedule task deleted")
+ ScheduledTask_events[0]['Detection Domain'].append("Audit")
+ ScheduledTask_events[0]['Severity'].append("High")
+ ScheduledTask_events[0]['Event Description'].append(Event_desc)
+ ScheduledTask_events[0]['Schedule Task Name'].append(task_delete.group(2))
+ ScheduledTask_events[0]['Event ID'].append(row['Event ID'])
+ ScheduledTask_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+def detect_events_system_log(file_name='system-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+
+ """if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+"""
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+
+ for row in list:
+ if row['Details']==None:
+ continue
+ Service_Account = Service_Account_rex.findall(row['Details'])
+ Service_File_Name = Service_File_Name_rex.findall(row['Details'])
+ Service_Type = Service_Type_rex.findall(row['Details'])
+ Service_Name = Service_Name_rex.findall(row['Details'])
+ Service_and_state=Service_and_state_rex.findall(row['Details'])
+ Service_Start_Type=Service_Start_Type_rex.findall(row['Details'])
+ Start_Type_Service_Name=StartType_rex.findall(row['Details'])
+
+ # System Logs cleared
+ if (row['Event ID']=="104") :
+ Event_desc="System Logs Cleared"
+ #System_events[0]['Date and Time'].append(datetime.strptime(record["timestamp"],'%Y-%m-%d %I:%M:%S.%f %Z').isoformat())
+ System_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ System_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ System_events[0]['Detection Rule'].append(
+ "System Logs Cleared")
+ System_events[0]['Detection Domain'].append("Audit")
+ System_events[0]['Severity'].append("Critical")
+ System_events[0]['Service Name'].append("N/A")
+ System_events[0]['Event Description'].append(Event_desc)
+ System_events[0]['Event ID'].append(row['Event ID'])
+ System_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ if (row['Event ID']=="7045" or row['Event ID']=="601") and (row['Details'].strip().find("\\temp\\") > -1 or row['Details'].strip().find(
+ "\\tmp\\") > -1):
+ Event_desc="Service Installed with executable in TEMP Folder"
+ System_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ System_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ System_events[0]['Detection Rule'].append(
+ "Service Installed with executable in TEMP Folder ")
+ System_events[0]['Detection Domain'].append("Threat")
+ System_events[0]['Service Name'].append(Service_Name[0].strip())
+ System_events[0]['Severity'].append("Critical")
+ System_events[0]['Event Description'].append(Event_desc)
+ System_events[0]['Event ID'].append(row['Event ID'])
+ System_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ #Service installed in the system
+ if row['Event ID']=="7045" or row['Event ID']=="601" :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("Service installed in the system with Name ( %s ) , File Name ( %s ) , Service Type ( %s ) , Service Start Type ( %s ) , Service Account ( %s )"%(Service_Name[0].strip(),Service_File_Name[0].strip(),Service_Type[0].strip(),Service_Start_Type[0].strip(),Service_Account[0]))
+
+
+ Event_desc="Service installed in the system with Name ( %s ) , File Name ( %s ) , Service Type ( %s ) , Service Start Type ( %s ) , Service Account ( %s )"%(Service_Name[0].strip(),Service_File_Name[0].strip(),Service_Type[0].strip(),Service_Start_Type[0].strip(),Service_Account[0])
+ System_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ System_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ System_events[0]['Detection Rule'].append("Service installed in the system")
+ System_events[0]['Detection Domain'].append("Audit")
+ System_events[0]['Severity'].append("High")
+ System_events[0]['Service Name'].append(Service_Name[0].strip())
+ System_events[0]['Event Description'].append(Event_desc)
+ System_events[0]['Event ID'].append(row['Event ID'])
+ System_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # Service entered new state
+ #if (row['Event ID']=="7036" or row['Event ID']=="7040") and Service_and_state[0][0].strip() in critical_services and ( Service_and_state[0][1].strip()=="stopped" or Service_and_state[0][1].strip()=="disabled" ) :
+ if row['Event ID']=="7036" and Service_and_state[0][0].strip() in critical_services and ( Service_and_state[0][1].strip()=="stopped" or Service_and_state[0][1].strip()=="disabled" ) :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("Service with Name ( %s ) entered ( %s ) state "%(Service_and_state.group(1),Service_and_state.group(2)))
+ #print(str(row['Details']).replace("\r"," "))
+ Event_desc="Service with Name ( %s ) entered ( %s ) state "%(Service_and_state[0][1].strip(),Service_and_state[0][1].strip())
+ System_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ System_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ System_events[0]['Detection Rule'].append("Service State Changed")
+ System_events[0]['Detection Domain'].append("Audit")
+ System_events[0]['Severity'].append("Medium")
+ System_events[0]['Service Name'].append(Service_and_state[0][1].strip())
+ System_events[0]['Event Description'].append(Event_desc)
+ System_events[0]['Event ID'].append(row['Event ID'])
+ System_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Service Start Type Changed
+ if (row['Event ID']=="7040" ) :
+ #print("##### " + row['Date and Time'] + " #### ", end='')
+ #print("Service with Name ( %s ) entered ( %s ) state "%(Service_and_state.group(1),Service_and_state.group(2)))
+ #print(str(row['Details']).replace("\r"," "))
+ Event_desc="Service with Name ( %s ) changed start type"%(Start_Type_Service_Name[0].strip())
+ System_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ System_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ System_events[0]['Detection Rule'].append("Service Start Type Changed")
+ System_events[0]['Detection Domain'].append("Audit")
+ System_events[0]['Severity'].append("Medium")
+ System_events[0]['Service Name'].append(Start_Type_Service_Name[0].strip())
+ System_events[0]['Event Description'].append(Event_desc)
+ System_events[0]['Event ID'].append(row['Event ID'])
+ System_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+
+def detect_events_powershell_operational_log(file_name='powershell-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+
+ """
+ if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+ """
+
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+ for row in list:
+ if row['Details']==None:
+ continue
+ Host_Application = Host_Application_rex.findall(row['Details'])
+ User =User_rex.findall(row['Details'])
+ Engine_Version = Engine_Version_rex.findall(row['Details'])
+ Command_Name = Command_Name_rex.findall(row['Details'])
+ Command_Type = Command_Type_rex.findall(row['Details'])
+ Error_Message = Error_Message_rex.findall(row['Details'])
+ Suspicious=[]
+ host_app=""
+
+ if row['Details'].strip().find("\\temp\\") > -1 or row['Details'].strip().find(
+ "\\tmp\\") > -1:
+ Event_desc="Powershell Operation including TEMP Folder"
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append(
+ "Powershell Module logging - Operation including TEMP folder ")
+ Powershell_Operational_events[0]['Detection Domain'].append("Threat")
+ Powershell_Operational_events[0]['Severity'].append("High")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+
+ #Powershell Module logging will record portions of scripts, some de-obfuscated code
+ if row['Event ID']=="4103" :
+ if len(Host_Application) == 0:
+ host_app = ""
+ else:
+ host_app = Host_Application[0].strip()
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID=4103 ### Powershell Module logging #### ", end='')
+ #print("Found User ("+User[0].strip()+") run Suspicious PowerShell commands that include ("+",".join(Suspicious)+") in event with Command Name ("+Command_Name[0].strip()+") and full command ("+Host_Application[0].strip()+") ", end='')#, check event details "+row['Details'])
+ Event_desc = "Found User (" + User[
+ 0].strip() + ") run Suspicious PowerShell commands that include (" + ",".join(
+ Suspicious) + ") in event with Command Name (" + Command_Name[
+ 0].strip() + ") and full command (" + host_app + ") "
+
+ if len(Error_Message)>0:
+ #print("Error Message ("+Error_Message[0].strip()+")")
+ Event_desc =Event_desc+"Error Message ("+Error_Message[0].strip()+")"
+ #else:
+ #print("")
+
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append("Powershell Module logging - Malicious Commands Detected")
+ Powershell_Operational_events[0]['Detection Domain'].append("Threat")
+ Powershell_Operational_events[0]['Severity'].append("Critical")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ Suspicious = []
+ #captures powershell script block Execute a Remote Command
+ if row['Event ID']=="4104" or row['Event ID']=="24577" :
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID=4104 #### powershell script block ####", end='')
+ #print("Found Suspicious PowerShell commands that include ("+",".join(Suspicious)+") , check event details "+row['Details'])
+
+ Event_desc ="Found Suspicious PowerShell commands that include ("+",".join(Suspicious)+") , check event details "+row['Details']
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append("powershell script block - Found Suspicious PowerShell commands ")
+ Powershell_Operational_events[0]['Detection Domain'].append("Threat")
+ Powershell_Operational_events[0]['Severity'].append("Critical")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ Suspicious = []
+
+ #capture PowerShell ISE Operation
+ if row['Event ID']=="24577" :
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID=4104 #### PowerShell ISE Operation #### ", end='')
+ #print("Found Suspicious PowerShell commands that include ("+",".join(Suspicious)+") , check event details "+row['Details'])
+
+
+ Event_desc ="Found Suspicious PowerShell commands that include ("+",".join(Suspicious)+") , check event details "+row['Details']
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append("PowerShell ISE Operation - Found Suspicious PowerShell commands")
+ Powershell_Operational_events[0]['Detection Domain'].append("Threat")
+ Powershell_Operational_events[0]['Severity'].append("Critical")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ Suspicious = []
+
+ #Executing Pipeline
+ if row['Event ID']=="4100":
+ if len(Host_Application) == 0:
+ host_app = ""
+ else:
+ host_app = Host_Application[0].strip()
+ for i in Suspicious_powershell_commands:
+ if row['Details'].find(i)>-1:
+ Suspicious.append(i)
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID=4100 #### Executing Pipeline ####", end='')
+ #print("Found User ("+User[0].strip()+") run Suspicious PowerShell commands that include ("+",".join(Suspicious)+") in event with Command Name ("+Command_Name[0].strip()+") and full command ("+Host_Application[0].strip()+") ", end='')#, check event details "+row['Details'])
+ Event_desc = "Found User (" + User[
+ 0].strip() + ") run Suspicious PowerShell commands that include (" + ",".join(
+ Suspicious) + ") in event with Command Name (" + Command_Name[
+ 0].strip() + ") and full command (" + host_app + ") "
+
+ if len(Error_Message)>0:
+ #print(Error_Message[0].strip())
+ Event_desc = Event_desc + "Error Message (" + Error_Message[0].strip() + ")"
+ #else:
+ #print("")
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append("Powershell Executing Pipeline - Suspicious Powershell Commands detected")
+ Powershell_Operational_events[0]['Detection Domain'].append("Threat")
+ Powershell_Operational_events[0]['Severity'].append("Critical")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ else:
+ #print("##### " + row['Date and Time'] + " #### EventID=4100 #### Executing Pipeline #### ", end='')
+ #print("Found User ("+User[0].strip()+") run PowerShell with Command Name ("+Command_Name[0].strip()+") and full command ("+Host_Application[0].strip()+") ", end='')#, check event details "+row['Details'])
+ Event_desc = "Found User (" + User[0].strip() + ") run PowerShell with Command Name (" + \
+ Command_Name[0].strip() + ") and full command (" + host_app + ") "
+ if len(Error_Message)>0:
+ #print("Error Message ("+Error_Message[0].strip()+")")
+ Event_desc = Event_desc + "Error Message ("+Error_Message[0].strip()+")"
+ #else:
+ #print("")
+
+ Powershell_Operational_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_Operational_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_Operational_events[0]['Detection Rule'].append("Powershell Executing Pipeline - User Powershell Commands ")
+ Powershell_Operational_events[0]['Detection Domain'].append("Audit")
+ Powershell_Operational_events[0]['Severity'].append("High")
+ Powershell_Operational_events[0]['Event Description'].append(Event_desc)
+ Powershell_Operational_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_Operational_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ Suspicious = []
+
+
+def detect_events_powershell_log(file_name='powershell-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+
+ """if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+ """
+
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+
+ for row in list:
+ if row['Details']==None:
+ continue
+ Host_Application = HostApplication_rex.findall(row['Details'])
+ User =UserId_rex.findall(row['Details'])
+ Engine_Version = EngineVersion_rex.findall(row['Details'])
+ ScriptName = ScriptName_rex.findall(row['Details'])
+ CommandLine= CommandLine_rex.findall(row['Details'])
+ Error_Message = ErrorMessage_rex.findall(row['Details'])
+ Suspicious=[]
+ #Powershell Pipeline Execution details
+ host_app=""
+
+ if row['Details'].strip().find("\\temp\\") > -1 or row['Details'].strip().find(
+ "\\tmp\\") > -1:
+ Event_desc="Powershell Operation including TEMP Folder"
+ Powershell_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_events[0]['Detection Rule'].append(
+ "Powershell Executing Pipeline - Operation including TEMP folder ")
+ Powershell_events[0]['Detection Domain'].append("Threat")
+ Powershell_events[0]['Severity'].append("High")
+ Powershell_events[0]['Event Description'].append(Event_desc)
+ Powershell_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+
+ if row['Event ID']=="800" :
+ if len(Host_Application) == 0:
+ host_app = ""
+ else:
+ host_app = Host_Application[0].strip()
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID=800 ### Powershell Pipeline Execution details #### ", end='')
+ #print("Found User ("+User[0].strip()+") run Suspicious PowerShell commands that include ("+",".join(Suspicious)+") in event with Command Line ("+CommandLine[0].strip()+") and full command ("+Host_Application[0].strip()+") ", end='')#, check event details "+row['Details'])
+ Event_desc ="Found User ("+User[0].strip()+") run Suspicious PowerShell commands that include ("+",".join(Suspicious)+") in event with Command Line ("+CommandLine[0].strip()+") and full command ("+host_app+") "
+ if len(Error_Message)>0:
+ Event_desc = Event_desc +"Error Message ("+Error_Message[0].strip()+")"
+ #print("Error Message ("+Error_Message[0].strip()+")")
+ #else:
+ # print("")
+
+ Powershell_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_events[0]['Detection Rule'].append("Powershell Executing Pipeline - Suspicious Powershell Commands detected")
+ Powershell_events[0]['Detection Domain'].append("Threat")
+ Powershell_events[0]['Severity'].append("Critical")
+ Powershell_events[0]['Event Description'].append(Event_desc)
+ Powershell_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ Suspicious = []
+
+ if row['Event ID']=="600" or row['Event ID']=="400" or row['Event ID']=="403" :
+ if len(Host_Application) == 0:
+ host_app = ""
+ else:
+ host_app = Host_Application[0].strip()
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ #print("##### " + row['Date and Time'] + " #### EventID="+row['Event ID'].strip()+" ### Engine state is changed #### ", end='')
+ #print("Found Suspicious PowerShell commands that include ("+",".join(Suspicious)+") in event with Command Line ("+CommandLine[0].strip()+") and full command ("+Host_Application[0].strip()+") ", end='')#, check event details "+row['Details'])
+ Event_desc ="Found Suspicious PowerShell commands that include (" + ",".join(
+ Suspicious) + ") in event with Command Line (" + CommandLine[
+ 0].strip() + ") and full command (" + host_app + ") "
+
+ if len(Error_Message)>0:
+ Event_desc = Event_desc + "Error Message (" + Error_Message[0].strip() + ")"
+ #print("Error Message ("+Error_Message[0].strip()+")")
+ #else:
+ # print("")
+ Powershell_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_events[0]['Detection Rule'].append("Suspicious PowerShell commands Detected")
+ Powershell_events[0]['Detection Domain'].append("Threat")
+ Powershell_events[0]['Severity'].append("Critical")
+ Powershell_events[0]['Event Description'].append(Event_desc)
+ Powershell_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ Suspicious = []
+
+
+ if row['Event ID']!="600" and row['Event ID']!="400" or row['Event ID']!="403" or row['Event ID']!="800":
+ for i in Suspicious_powershell_commands:
+ if i in row['Details']:
+ Suspicious.append(i)
+
+ if len(Suspicious)>0:
+ Event_desc ="Found Suspicious PowerShell commands that include (" + ",".join(Suspicious) + ") in event "
+ Powershell_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Powershell_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Powershell_events[0]['Detection Rule'].append("Suspicious PowerShell commands Detected")
+ Powershell_events[0]['Detection Domain'].append("Threat")
+ Powershell_events[0]['Severity'].append("Critical")
+ Powershell_events[0]['Event Description'].append(Event_desc)
+ Powershell_events[0]['Event ID'].append(row['Event ID'])
+ Powershell_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+ Suspicious = []
+def detect_events_TerminalServices_LocalSessionManager_log(file_name='powershell-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+
+ """if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ """
+
+
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+
+ for row in list:
+ if row['Details']==None:
+ continue
+
+ User =User_Terminal_rex.findall(row['Details'])
+ Source_Network_Address=Source_Network_Address_Terminal_rex.findall(row['Details'])
+
+ if (row['Event ID']=="21" or row['Event ID']=="25" ) :
+ if User[0].strip() not in TerminalServices_Summary[0]['User']:
+ TerminalServices_Summary[0]['User'].append(User[0].strip())
+ TerminalServices_Summary[0]['Number of Logins'].append(1)
+ else :
+ TerminalServices_Summary[0]['Number of Logins'][TerminalServices_Summary[0]['User'].index(User[0].strip())]=TerminalServices_Summary[0]['Number of Logins'][TerminalServices_Summary[0]['User'].index(User[0].strip())]+1
+
+
+ # Remote Desktop Services: Session logon succeeded
+ if row['Event ID']=="21" or row['Event ID']=="25" :
+ #print(Source_Network_Address[0][0])
+ #print(len(Source_Network_Address))
+ if len(Source_Network_Address)>0:
+ #print(IPAddress(Source_Network_Address[0][0].strip()).is_private())
+ if Source_Network_Address[0][0].strip()=="127.0.0.1":
+ #print("##### " + row['Date and Time'] + " #### EventID=" + row['Event ID'].strip() + " ### Remote Desktop Services: Session logon succeeded: #### ", end='')
+ #print("Found User ("+User[0].strip()+") connecting from Local Host ( 127.0.0.1 ) which means attacker is using tunnel to connect RDP ")
+
+ Event_desc ="Found User ("+User[0].strip()+") connecting from Local Host ( 127.0.0.1 ) which means attacker is using tunnel to connect RDP "
+ TerminalServices_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ TerminalServices_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ TerminalServices_events[0]['Detection Rule'].append("User connected RDP from Local host - Possible Socks Proxy being used")
+ TerminalServices_events[0]['Detection Domain'].append("Threat")
+ TerminalServices_events[0]['Severity'].append("Critical")
+ TerminalServices_events[0]['Event Description'].append(Event_desc)
+ TerminalServices_events[0]['Event ID'].append(row['Event ID'])
+ TerminalServices_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+
+ try:
+ if Source_Network_Address[0][0].strip()!="127.0.0.1" and not IPAddress(Source_Network_Address[0][0].strip()).is_private():
+ #print("##### " + row['Date and Time'] + " #### EventID=" + row['Event ID'].strip() + " ### Remote Desktop Services: Session logon succeeded: #### ", end='')
+ #print("Found User ("+User[0].strip()+") connecting from public IP (" +Source_Network_Address[0][0].strip()+") ")
+
+ Event_desc ="Found User ("+User[0].strip()+") connecting from public IP (" +Source_Network_Address[0][0].strip()+") "
+ TerminalServices_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ TerminalServices_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ TerminalServices_events[0]['Detection Rule'].append("User Connecting RDP from Public IP")
+ TerminalServices_events[0]['Detection Domain'].append("Audit")
+ TerminalServices_events[0]['Severity'].append("Critical")
+ TerminalServices_events[0]['Event Description'].append(Event_desc)
+ TerminalServices_events[0]['Event ID'].append(row['Event ID'])
+ TerminalServices_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ except:
+ continue
+
+def detect_events_Microsoft_Windows_WinRM_CSV_log(file_name='powershell-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+ """
+ if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+
+ """
+
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+
+ for row in list:
+ if row['Details']==None:
+ continue
+
+ Connection=Connection_rex.findall(row['Details'])
+ #src_device=src_device_rex.findall(row['Details'])
+ #User_ID=User_ID_rex.findall(row['Details'])
+
+ #connection is initiated using WinRM - Powershell remoting
+ if row['Event ID']=="6":
+
+ #print("##### " + row['Date and Time'] + " #### EventID=" + row['Event ID'].strip() + " ### connection is initiated using WinRM from this machine - Powershell remoting #### ", end='')
+ #print("User Connected to ("+ Connection[0].strip() +") using WinRM - powershell remote ")
+ Event_desc="User Connected to ("+ Connection[0].strip() +") using WinRM - powershell remote "
+ WinRM_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ WinRM_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ WinRM_events[0]['Detection Rule'].append("connection is initiated using WinRM from this machine - Powershell remoting")
+ WinRM_events[0]['Detection Domain'].append("Audit")
+ WinRM_events[0]['Severity'].append("High")
+ WinRM_events[0]['Event Description'].append(Event_desc)
+ WinRM_events[0]['Event ID'].append(row['Event ID'])
+ WinRM_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+ if row['Event ID']=="91":
+
+ #print("##### " + row['Date and Time'] + " #### EventID=" + row['Event ID'].strip() + " ### connection is initiated using WinRM to this machine - Powershell remoting #### ", end='')
+ #print("User Connected to this machine using WinRM - powershell remote - check the system logs for more information")
+
+ Event_desc="User Connected to remote machine using WinRM - powershell remote - check eventlog viewer"
+ WinRM_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ WinRM_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ WinRM_events[0]['Detection Rule'].append("connection is initiated using WinRM to this machine - Powershell remoting")
+ WinRM_events[0]['Detection Domain'].append("Audit")
+ WinRM_events[0]['Severity'].append("High")
+ WinRM_events[0]['Event Description'].append(Event_desc)
+ WinRM_events[0]['Event ID'].append(row['Event ID'])
+ WinRM_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+def detect_events_Microsoft_Windows_WinRM_XML_log(file_name='powershell-logs.csv'):
+
+ root = ET.parse('winrm.xml').getroot()
+ #print(root)
+ for i in root:
+ #print(i.attrib)
+
+ #for d in i.findall("{http://schemas.microsoft.com/win/2004/08/events/event}EventData"):
+ # for x in d:
+ # print(x)
+ for d in i.findall("{http://schemas.microsoft.com/win/2004/08/events/event}System"):
+ if d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text=="6":
+ try:
+ print("##### " + d.find('{http://schemas.microsoft.com/win/2004/08/events/event}TimeCreated').attrib['SystemTime'] + " #### EventID= " +d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text +" ### connection is initiated using WinRM - Powershell remoting ##### User with ID ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Security').attrib['UserID']+") is connecting from current machine ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Computer').text +") to ("+ i.find("{http://schemas.microsoft.com/win/2004/08/events/event}EventData").find("{http://schemas.microsoft.com/win/2004/08/events/event}Data").text +") using WinRM - powershell remote " )
+
+ Event_desc = "##### " + d.find('{http://schemas.microsoft.com/win/2004/08/events/event}TimeCreated').attrib['SystemTime'] + " #### EventID= " +d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text +" ### connection is initiated using WinRM - Powershell remoting ##### User with ID ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Security').attrib['UserID']+") is connecting from current machine ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Computer').text +") to ("+ i.find("{http://schemas.microsoft.com/win/2004/08/events/event}EventData").find("{http://schemas.microsoft.com/win/2004/08/events/event}Data").text +") using WinRM - powershell remote "
+ WinRM_events[0]['Date and Time'].append(d.find('{http://schemas.microsoft.com/win/2004/08/events/event}TimeCreated').attrib['SystemTime'])
+ WinRM_events[0]['Detection Rule'].append(
+ "connection is initiated using WinRM from this machine - Powershell remoting")
+ WinRM_events[0]['Detection Domain'].append("Audit")
+ WinRM_events[0]['Severity'].append("High")
+ WinRM_events[0]['Event Description'].append(Event_desc)
+ WinRM_events[0]['Event ID'].append(d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text)
+ WinRM_events[0]['Original Event Log'].append("check the logs")
+ except:
+ continue
+
+ if d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text=="91":
+ try:
+ print("##### " + d.find('{http://schemas.microsoft.com/win/2004/08/events/event}TimeCreated').attrib['SystemTime'] + " #### EventID= " +d.find('{http://schemas.microsoft.com/win/2004/08/events/event}EventID').text +" ### connection is initiated using WinRM - Powershell remoting ##### User with ID ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Security').attrib['UserID']+") connected to current machine ("+d.find('{http://schemas.microsoft.com/win/2004/08/events/event}Computer').text +") using WinRM - powershell remote " )
+ except:
+ continue
+
+
+
+def detect_events_Sysmon_log(file_name='sysmon-logs.csv',winevent=False):
+
+ with open(file_name, newline='') as csvfile:
+
+ """if winevent==True:
+ list =csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+ else:
+ list = csv.DictReader(csvfile,
+ fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords",
+ "RecordId", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId",
+ "MachineName", "UserId", "Date and Time", "ActivityId", "RelatedActivityId",
+ "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "OpcodeDisplayName",
+ "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ """
+
+ if open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0:
+ list = csv.DictReader(csvfile, fieldnames=(
+ "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
+ "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
+ "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
+ "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
+
+ else:
+ list = csv.DictReader(csvfile, fieldnames=(
+ 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
+
+ for row in list:
+ if row['Details']==None:
+ continue
+
+ CommandLine=Sysmon_CommandLine_rex.findall(row['Details'])
+ ProcessGuid=Sysmon_ProcessGuid_rex.findall(row['Details'])
+ ProcessId=Sysmon_ProcessId_rex.findall(row['Details'])
+ Image=Sysmon_Image_rex.findall(row['Details'])
+ FileVersion=Sysmon_FileVersion_rex.findall(row['Details'])
+ Company=Sysmon_Company_rex.findall(row['Details'])
+ Product=Sysmon_Product_rex.findall(row['Details'])
+ Description=Sysmon_Description_rex.findall(row['Details'])
+ User=Sysmon_User_rex.findall(row['Details'])
+ LogonGuid=Sysmon_LogonGuid_rex.findall(row['Details'])
+ TerminalSessionId=Sysmon_TerminalSessionId_rex.findall(row['Details'])
+ MD5=Sysmon_Hashes_MD5_rex.findall(row['Details'])
+ SHA256=Sysmon_Hashes_SHA256_rex.findall(row['Details'])
+ ParentProcessGuid=Sysmon_ParentProcessGuid_rex.findall(row['Details'])
+ ParentProcessId=Sysmon_ParentProcessId_rex.findall(row['Details'])
+ ParentImage=Sysmon_ParentImage_rex.findall(row['Details'])
+ ParentCommandLine=Sysmon_ParentCommandLine_rex.findall(row['Details'])
+ CurrentDirectory=Sysmon_CurrentDirectory_rex.findall(row['Details'])
+ OriginalFileName=Sysmon_OriginalFileName_rex.findall(row['Details'])
+ TargetObject=Sysmon_TargetObject_rex.findall(row['Details'])
+ Protocol=Sysmon_Protocol_rex.findall(row['Details'])
+ SourceIp=Sysmon_SourceIp_rex.findall(row['Details'])
+ SourceHostname=Sysmon_SourceHostname_rex.findall(row['Details'])
+ SourcePort=Sysmon_SourcePort_rex.findall(row['Details'])
+ DestinationIp=Sysmon_DestinationIp_rex.findall(row['Details'])
+ DestinationHostname=Sysmon_DestinationHostname_rex.findall(row['Details'])
+ DestinationPort=Sysmon_DestinationPort_rex.findall(row['Details'])
+ StartFunction=Sysmon_StartFunction_rex.findall(row['Details'])
+ SourceImage=Sysmon_SourceImage_rex.findall(row['Details'])
+ TargetImage=Sysmon_TargetImage_rex.findall(row['Details'])
+
+ temp=[]
+ #Powershell with Suspicious Argument covers [ T1086 ,
+ if row['Event ID']=="1" and Image[0].strip().find("powershell.exe")>-1:
+ #print(CommandLine[0])
+ Suspicious = []
+ for i in Suspicious_powershell_Arguments:
+ if CommandLine[0].strip().find(i)>-1:
+ Suspicious.append(i)
+
+ for i in Suspicious_powershell_Arguments:
+ if ParentCommandLine[0].strip().find(i)>-1:
+ Suspicious.append(i)
+ if len(Suspicious) > 0:
+ """print("##### " + row[
+ 'Date and Time'] + " #### EventID=1 ### [ T1086 ] Powershell with Suspicious Argument #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") run Suspicious PowerShell commands that include (" + ",".join(
+ Suspicious) + ") in event with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )")"""
+
+ Event_desc="Found User (" + User[0].strip() + ") run Suspicious PowerShell commands that include (" + ",".join(
+ Suspicious) + ") in event with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[ T1086 ] Powershell with Suspicious Argument')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ #[ T1543 ] Sc.exe manipulating windows services
+ if row['Event ID']=="1" and Image[0].strip().find("\\sc.exe")>-1 and ( CommandLine[0].find("create")>-1 or CommandLine[0].find("start")>-1 or CommandLine[0].find("config")>-1 or OriginalFileName[0].find("create")>-1 or OriginalFileName[0].find("start")>-1 or OriginalFileName[0].find("config")>-1):
+
+ """print("##### " + row[
+ 'Date and Time'] + " #### EventID=1 ### [ T1543 ] Sc.exe manipulating windows services #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") Trying to manipulate windows services usign Sc.exe with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )")"""
+
+ Event_desc="Found User (" + User[0].strip() + ") Trying to manipulate windows services usign Sc.exe with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[ T1543 ] Sc.exe manipulating windows services')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("High")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # [ T1059 ] wscript or cscript runing script
+ if row['Event ID']=="1" and ( Image[0].strip().find("\\wscript.exe")>-1 or Image[0].strip().find("\\cscript.exe")>-1 ):
+
+ """print("##### " + row['Date and Time'] + " #### EventID=1 ### [ T1059 ] wscript or cscript runing script #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") Trying to run wscript or cscript with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )")"""
+
+ Event_desc="Found User (" + User[0].strip() + ") Trying to run wscript or cscript with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[ T1059 ] wscript or cscript runing script')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("High")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ # [T1170] Detecting Mshta
+ if row['Event ID']=="1" and ( Image[0].strip().find("\\mshta.exe")>-1 ):
+
+ """print("##### " + row['Date and Time'] + " #### EventID=1 ### [ T1218.005 ] Detecting Mshta #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") Trying to run mshta with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )")"""
+
+ Event_desc="Found User (" + User[0].strip() + ") Trying to run mshta with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[ T1218.005 ] Mshta found running in the system')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("High")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Detect Psexec with accepteula flag
+ if row['Event ID'] == "13" and (
+ TargetObject[0].strip().find("psexec") > -1 ) :
+ """print("##### " + row[
+ 'Date and Time'] + " #### EventID=13 ### Psexec Detected in the system #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") Trying to run psexec with process Image :" + Image[0].strip() )"""
+
+ Event_desc="Found User (" + User[0].strip() + ") Trying to run psexec with process Image :" + Image[0].strip()
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('Psexec Detected in the system')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ # [T1053] Scheduled Task - Process
+ if row['Event ID']=="1" and ( Image[0].strip().find("\\taskeng.exe")>-1 or Image[0].strip().find("\\svchost.exe")>-1 ) and ParentImage[0].strip().find("services.exe")==-1 and ParentImage[0].strip().find("?")==-1 :
+
+ """
+ print("##### " + row['Date and Time'] + " #### EventID=1 ### [T1053] Scheduled Task - Process #### ", end='')
+ print(
+ "Found User (" + User[0].strip() + ") Trying to run taskeng.exe or svchost.exe with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )")
+ """
+ Event_desc="Found User (" + User[0].strip() + ") Trying to run taskeng.exe or svchost.exe with Command Line (" + CommandLine[
+ 0].strip() + ") and Parent Image :"+ ParentImage[0].strip()+" , Parent CommandLine (" + ParentCommandLine[0].strip() + ") " +"in directory : ( "+CurrentDirectory[0].strip() + " )"
+
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[T1053] Scheduled Task - Process')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Medium")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+
+ #Prohibited Process connecting to internet
+ if row['Event ID']=="3" and ( Image[0].strip().find("powershell.exe")>-1 or Image[0].strip().find("mshta.exe")>-1 or Image[0].strip().find("cscript.exe")>-1 or Image[0].strip().find("regsvr32.exe")>-1 or Image[0].strip().find("certutil.exe")>-1 ):
+ #temp.append()
+ #print("##### " + row[
+ # 'Date and Time'] + " #### EventID=3 ### Prohibited Process connecting to internet #### ", end='')
+ #print(
+ # "Found User (" + User[0].strip() + ") run process "+Image[0].strip()+" and initiated network connection from hostname ( "+ SourceHostname[0].strip()+" and IP ( "+SourceIp[0].strip() +" ) to hostname ( "+ DestinationHostname[0].strip()+" ) , IP ( " +DestinationIp[0].strip()+" ) and port ( "+DestinationPort[0].strip()+" )")
+
+ Event_desc="User (" + User[0].strip() + ") run process "+Image[0].strip()+" and initiated network connection from hostname ( "+ SourceHostname[0].strip()+" and IP ( "+SourceIp[0].strip() +" ) to hostname ( "+ DestinationHostname[0].strip()+" ) , IP ( " +DestinationIp[0].strip()+" ) and port ( "+DestinationPort[0].strip()+" )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('Prohibited Process connecting to internet')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Detecting WMI attacks
+ if row['Event ID']=="1" and ( ParentCommandLine[0].strip().find("WmiPrvSE.exe")>-1 or Image[0].strip().find("WmiPrvSE.exe")>-1 ):
+
+ Event_desc="User (" + User[0].strip() + ") run command through WMI with process ("+Image[0].strip()+ ") and commandline ( "+CommandLine[
+ 0].strip() +" )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('Command run remotely Using WMI')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ #Detecting IIS/Exchange Exploitation
+ if row['Event ID']=="1" and ( ParentCommandLine[0].strip().find("w3wp.exe")>-1 or Image[0].strip().find("w3wp.exe")>-1 ):
+
+ Event_desc="IIS run command with user (" + User[0].strip() + ") and process name ("+Image[0].strip()+ ") and commandline ( "+CommandLine[
+ 0].strip() +" )"
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('Detect IIS/Exchange Exploitation')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # [T1055] Process Injection
+ if row['Event ID']=="8" and ( StartFunction[0].strip().lower().find("loadlibrary")>-1 ):
+
+ Event_desc="Process ( %s) attempted process injection on process ( %s)"%(SourceImage[0],TargetImage[0])
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[T1055] Process Injection')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # [T1082] System Information Discovery
+ if row['Event ID']=="1" and ( CommandLine[0].strip().find("sysinfo.exe")>-1 or Image[0].strip().find("sysinfo.exe")>-1 or CommandLine[0].strip().find("whoami.exe")>-1 or Image[0].strip().find("whoami.exe")>-1 ):
+
+ Event_desc="System Information Discovery Process ( %s) ith commandline ( %s) "%(Image[0].strip(),CommandLine[0].strip())
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[T1082] System Information Discovery')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("Critical")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
+
+ # [T1117] Bypassing Application Whitelisting with Regsvr32
+ if row['Event ID']=="1" and ( Image[0].strip().find("regsvr32.exe")>-1 or Image[0].strip().find("rundll32.exe")>-1 or Image[0].strip().find("certutil.exe")>-1 ):
+
+ Event_desc="[T1117] Bypassing Application Whitelisting with Regsvr32 , Process ( %s) with commandline ( %s)"%(Image[0].strip(),CommandLine[0].strip())
+ Sysmon_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
+ Sysmon_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
+ Sysmon_events[0]['Detection Rule'].append('[T1117] Bypassing Application Whitelisting with Regsvr32')
+ Sysmon_events[0]['Detection Domain'].append("Threat")
+ Sysmon_events[0]['Severity'].append("High")
+ Sysmon_events[0]['Event Description'].append(Event_desc)
+ Sysmon_events[0]['Event ID'].append(row['Event ID'])
+ Sysmon_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))