

@jatrost
Created November 12, 2017 10:37

Revisions

  1. Jason Trost created this gist Nov 12, 2017.
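--- a/sysmon.py
+++ b/sysmon.py
@@ -0,0 +1,74 @@
+import logging
+import os
+import sys
+
+from lib.common.abstracts import Auxiliary
+from lib.api.process import Process
+from lib.common.results import upload_to_host
+
+log = logging.getLogger(__name__)
+
+SYSMON_LOG = os.path.join("c:\\", "test", "sysmon.json")
+NXLOG_DIR = os.path.join("c:\\", "Program Files (x86)", "nxlog")
+NXLOG_CONF = os.path.join(NXLOG_DIR, "conf", "nxlog.conf")
+NXLOG_EXE = os.path.join(NXLOG_DIR, "nxlog.exe")
+
+NXLOG_CONF_DATA = '''
+define ROOT {NXLOG_DIR}
+Moduledir %ROOT%\\modules
+CacheDir %ROOT%\\data
+Pidfile %ROOT%\\data\\nxlog.pid
+SpoolDir %ROOT%\\data
+LogFile %ROOT%\\data\\nxlog.log
+LogLevel INFO
+<Extension _json>
+Module xm_json
+</Extension>
+<Input in>
+Module im_msvistalog
+ReadFromLast TRUE
+SavePos FALSE
+Query <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
+</Input>
+<Output out>
+Module om_file
+File '{SYSMON_LOG}'
+Exec to_json();
+</Output>
+<Route 66>
+Path in => out
+</Route>
+'''.format(NXLOG_DIR=NXLOG_DIR, SYSMON_LOG=SYSMON_LOG)
+
+class Sysmon(Auxiliary):
+
+def start(self):
+log.info("Starting Sysmon auxilary module")
+
+self.options['free'] = True
+self.options['curdir'] = NXLOG_DIR
+log.info("self.options = %s", self.options)
+
+log.info("Writing nxlog config")
+with open(NXLOG_CONF, 'w') as outf:
+outf.write(NXLOG_CONF_DATA)
+
+if os.path.exists(SYSMON_LOG):
+log.info("Removing old sysmon log: %s", SYSMON_LOG)
+os.unlink(SYSMON_LOG)
+
+log.info("Starting NXLog process: %s", NXLOG_EXE)
+return Process().execute(path=NXLOG_EXE)
+
+def stop(self):
+log.info("Collecting Sysmon logs...")
+upload_to_host(
+SYSMON_LOG,
+os.path.join("logs", "sysmon.json")
+)
+return True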
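Review bot: `stop()` uploads `SYSMON_LOG` while the nxlog process started in `start()` is still running and without checking that the file exists, so a collection where Sysmon's channel was empty or nxlog failed to start (the `Process()` handle is returned from `start()` but never kept on `self`) ends in an exception from `upload_to_host` or in a partially flushed `om_file` output instead of a clear log line. Keeping the handle on the instance and terminating it before the upload gives nxlog a chance to flush, and an existence check turns the missing-log case into a logged warning rather than a traceback; the rendered page has lost the method indentation, so the excerpt below re-indents it. Whether `Process` exposes a `terminate()` method should be confirmed against the sandbox's `lib.api.process`. Note also that `ReadFromLast TRUE` with `SavePos FALSE` means only events logged after nxlog starts are collected, which is worth stating in a comment on the config string.
```python
class Sysmon(Auxiliary):

    def start(self):
        # … unchanged: logging, options, config write, old-log removal …
        self.nxlog = Process()
        return self.nxlog.execute(path=NXLOG_EXE)

    def stop(self):
        log.info("Collecting Sysmon logs...")
        if getattr(self, "nxlog", None):
            self.nxlog.terminate()  # let om_file flush before the upload
        if not os.path.exists(SYSMON_LOG):
            log.warning("Sysmon log not found: %s", SYSMON_LOG)
            return False
        upload_to_host(SYSMON_LOG, os.path.join("logs", "sysmon.json"))
        return True
```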