# README
# Filename: app v1.0.py
# Arbitrary Version: v1.0
# Author: Martin Mathurine, © University of Westminster, 2022/2023
# LinkedIn: https://www.linkedin.com/in/martinmathurine
# Github: https://github.com/Martin199X
# Description: This is a PySimpleGUI-based Python software tool for processing and visualising selected Windows Event
# Security.evtx log files.
# Updates: * Revision v1.0.
# * Able to parse and analyse log data successfully.
# * Issue with getting data from dictionary to plotted bar chart. Visualising the analysed log data failed.
# * Multiple Python3 syntax errors and debugging problems found -- needs fixing in next revision.
# * The app does not run.
#----------------------------------------------------------
import csv
import datetime
import ntpath
import os
import re
from collections import Counter

import Evtx.Evtx as evtx
import matplotlib.pyplot as plt
import PySimpleGUI as sg
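# Default folder offered by the file picker. Analysis always runs on the file
# the user actually selects; this path is never opened on its own.
logs_folder = r"C:\Users\marti\Desktop\Coursework\logs"

# Event ID 4688 = "A new process has been created" in the Windows Security log.
PROCESS_CREATED_EID = "4688"

# Parent executables that make a rundll32 launch worth flagging. Matched
# case-insensitively against the parent's file name only, so differently
# cased paths to the same binary (System32\cmd.exe vs SYSTEM32\CMD.EXE) are
# treated alike.
_SUSPICIOUS_PARENT_RE = re.compile(r"powershell|cmd", re.IGNORECASE)

# Column order used when results are written to disk.
RESULT_COLUMNS = ("ts", "SubjectUserName", "ParentProcessName", "NewProcessName", "CommandLine")


def parseEvtx(event):
    """Flatten one parsed event (an lxml element) into a plain dict.

    Keys: "ts" (TimeCreated/@SystemTime), "eid" (EventID text) and one key per
    <Data Name="..."> child of <EventData>. A missing element maps to None, and
    an event with no <System> tag yields {} instead of raising.
    """
    sys_tag = event.find("System", event.nsmap)
    if sys_tag is None:
        return {}
    event_id = sys_tag.find("EventID", event.nsmap)
    event_ts = sys_tag.find("TimeCreated", event.nsmap)
    event_data = event.find("EventData", event.nsmap)
    r = {
        "ts": event_ts.get("SystemTime") if event_ts is not None else None,
        "eid": event_id.text if event_id is not None else None,
    }
    # Not every event type carries <EventData>; iterating the element directly
    # replaces the deprecated getchildren().
    if event_data is not None:
        for data in event_data:
            name = data.get("Name")
            if name is not None:
                r[name] = data.text
    return r


def openEvtxFile(logs_folder):
    """Yield each record of the .evtx file at *logs_folder* as an lxml element.

    The file is held open only while the generator is being consumed.
    """
    with evtx.Evtx(logs_folder) as log_file:
        for log_entry in log_file.records():
            yield log_entry.lxml()


def detectRundll32(logs_folder):
    """Return the 4688 records where rundll32 was started by cmd or PowerShell.

    Each matching command line is printed as it is found (so the tool is still
    usable from a terminal) and the list of parsed records is returned for the
    GUI to chart and save. Records that cannot be parsed are reported and
    skipped rather than silently aborting the scan.

    Raises:
        OSError: propagated from the underlying file open if *logs_folder*
            cannot be read.
    """
    hits = []
    for log_entry in openEvtxFile(logs_folder):
        try:
            log_data = parseEvtx(log_entry)
        except (AttributeError, KeyError, ValueError) as exc:
            print(f"skipping unparseable record: {exc}")
            continue
        if log_data.get("eid") != PROCESS_CREATED_EID or not log_data.get("CommandLine"):
            continue
        # Compare file names, not full paths; ntpath understands Windows
        # separators even when this tool runs on Linux or macOS.
        new_proc = ntpath.basename(log_data.get("NewProcessName") or "").lower()
        parent = ntpath.basename(log_data.get("ParentProcessName") or "")
        if "rundll32" in new_proc and _SUSPICIOUS_PARENT_RE.search(parent):
            print(log_data["CommandLine"])
            hits.append(log_data)
    return hits


def plotBarChart(events, users):
    """Show two bar charts: counts per label in *events* (top) and *users* (bottom).

    Both arguments map a label to a count (any mapping, e.g. a Counter).
    plt.show() blocks until the figure window is closed.
    """
    for position, counts in ((211, events), (212, users)):
        labels = list(counts.keys())
        plt.subplot(position)
        plt.bar(range(len(labels)), list(counts.values()), align="center")
        plt.xticks(range(len(labels)), labels)
    plt.show()


def writeResults(out_path, hits):
    """Write *hits* to *out_path* as CSV with the RESULT_COLUMNS header.

    Missing fields are written as empty cells; the csv module quotes command
    lines containing commas, quotes or newlines.
    """
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(RESULT_COLUMNS)
        for h in hits:
            writer.writerow([h.get(column) for column in RESULT_COLUMNS])


def main():
    """Run the PySimpleGUI front end; returns when the window is closed."""
    sg.theme("DarkTeal2")
    layout = [
        [sg.Text("Input EVTX Log File to Analyse: "),
         sg.FileBrowse(key="-evtxlogfile-", initial_folder=logs_folder)],
        [sg.Button('Visualise the Analysed Log Data'), sg.Button('Save Results')],
        [sg.Text(size=(50, 1), key="-save-")],
    ]
    window = sg.Window('Network Security Log Analyser', layout, size=(600, 200))
    hits = []  # results of the most recent analysis, reused by "Save Results"
    while True:
        event, values = window.read()
        if event == sg.WINDOW_CLOSED:
            break
        if event == 'Visualise the Analysed Log Data':
            evtx_path = values["-evtxlogfile-"]
            if not evtx_path:
                window["-save-"].update("Choose an .evtx file first.")
                continue
            try:
                hits = detectRundll32(evtx_path)
            except OSError as exc:
                window["-save-"].update(f"Could not read log file: {exc}")
                continue
            window["-save-"].update(f"{len(hits)} suspicious process creation(s) found.")
            if hits:
                # One bar per spawned executable and one per account; 4688
                # EventData names the account in SubjectUserName.
                events = Counter(h.get("NewProcessName") or "unknown" for h in hits)
                users = Counter(h.get("SubjectUserName") or "unknown" for h in hits)
                plotBarChart(events, users)
        elif event == 'Save Results':
            if not hits:
                window["-save-"].update("Nothing to save yet -- analyse a log file first.")
                continue
            out_path = sg.popup_get_file("Save results as", save_as=True)
            if out_path:
                writeResults(out_path, hits)
                window["-save-"].update(f"Saved {len(hits)} result(s) to {out_path}")
    window.close()


# The event loop must run only after every function it calls is defined; in
# the previous revision window.read() blocked before detectRundll32 existed.
if __name__ == "__main__":
    main()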