python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost
[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
* Serving Flask app 'logontracer'
* Debug mode: off
Acess: http://localhost:8081
Now load security.evtx logs from Windows.
Import larger 'security.evtx' files and parse them before
In some cases, we need to parse evtx files because a lot of junk is imported.
I created a rust script capable of filter larger files:
Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>
Options:
-i, --input-path <INPUT_PATH> Path to the .evtx file or directory
-o, --output-file <OUTPUT_FILE> Path to the output XML file
-u, --users-file <USERS_FILE> Path to the file with the list of owned users (optional)
-s, --start-date <START_DATE> Start date for filtering logs (format: YYYY-MM-DD) (optional)
-e, --end-date <END_DATE> End date for filtering logs (format: YYYY-MM-DD) (optional)
-t, --threads <THREADS> Optional number of threads (default is system maximum) [default: 12]
-h, --help Print help
-V, --version Print version
We can use an auxiliary file with owned users (users line by line).
Dump Security EVTX files from Collectors ZIP files
import zipfile
import os
import shutil
# Lista das pastas
folders = [
"cxxxx000031/",
"Cxxxx00010CV/"
]
# Diretório de saída
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)
# Loop por cada pasta para processar o ficheiro ZIP
for folder in folders:
# Localizar qualquer arquivo ZIP que comece com "Collection-"
for filename in os.listdir(folder):
if filename.startswith("Collection-") and filename.endswith(".zip"):
zip_path = os.path.join(folder, filename)
prefix = os.path.basename(os.path.normpath(folder)) # Prefixo com o nome da pasta
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
# Procurar o ficheiro Security.evtx dentro do ZIP
for file in zip_ref.namelist():
if "Security.evtx" in file:
# Extrair e renomear o ficheiro com o prefixo da pasta
output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
shutil.copyfileobj(source, target)
print(f"Extraído: {output_file_path}")
break # Parar após encontrar o Security.evtx
break # Prosseguir para a próxima pasta após encontrar um ZIP que comece com "Collection-"
Import the XML into LogonTracer
Before import the XML file, just one line needs to be updated on the logontracer.py:
Replace this: #if xml.startswith("<System>"
to:
if (xml.strip()).startswith('<System>'):):
