JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

EVTX import error: 'MultinomialHMM' object has no attribute 'n_trials' #127

Closed PhilippRieth closed 1 year ago

PhilippRieth commented 1 year ago

G'day all,

I get the following error for some .evtx files I'm importing. I can't figure out what's different about these .evtx files.

 python3 /home/phil/git/LogonTracer/logontracer.py -u neo4j -p password -e Security.evtx -z +11
[+] Script start. 2022/11/06 15:29:10
[+] Neo4j Kernel version: 4.2.13
[+] Time zone is 11.
[+] Last record number is 29085.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file Security.evtx.
/home/phil/git/LogonTracer/logontracer.py:1030: FutureWarning: The frame.append method is deprecated and will be removed from pandas in a future version. Use pandas.concat instead.
  event_set = event_set.append(event_series, ignore_index=True)
/home/phil/git/LogonTracer/logontracer.py:1031: FutureWarning: The frame.append method is deprecated and will be removed from pandas in a future version. Use pandas.concat instead.
  ml_frame = ml_frame.append(ml_series, ignore_index=True)
/home/phil/git/LogonTracer/logontracer.py:1034: FutureWarning: The frame.append method is deprecated and will be removed from pandas in a future version. Use pandas.concat instead.
  count_set = count_set.append(count_series, ignore_index=True)
[+] Now loading 29000 records.
[+] Load finished.
[+] Total Event log is 29085.
[+] Filtered Event log is 4880.
[+] Create cache files.
[+] Calculate ChangeFinder.
[+] Calculate Hidden Markov Model.
Traceback (most recent call last):
  File "/home/phil/git/LogonTracer/logontracer.py", line 1869, in <module>
    main()
  File "/home/phil/git/LogonTracer/logontracer.py", line 1854, in main
    parse_evtx(args.evtx)
  File "/home/phil/git/LogonTracer/logontracer.py", line 1156, in parse_evtx
    detect_hmm = decodehmm(ml_frame, username_set, datetime.datetime(*starttime.timetuple()[:3]))
  File "/home/phil/git/LogonTracer/logontracer.py", line 599, in decodehmm
    data_decode = model.predict(np.array([np.array(udata)], dtype="int").T)
  File "/home/phil/.local/lib/python3.9/site-packages/hmmlearn/base.py", line 396, in predict
    _, state_sequence = self.decode(X, lengths)
  File "/home/phil/.local/lib/python3.9/site-packages/hmmlearn/base.py", line 373, in decode
    sub_log_prob, sub_state_sequence = decoder(sub_X)
  File "/home/phil/.local/lib/python3.9/site-packages/hmmlearn/base.py", line 318, in _decode_viterbi
    log_frameprob = self._compute_log_likelihood(X)
  File "/home/phil/.local/lib/python3.9/site-packages/hmmlearn/hmm.py", line 471, in _compute_log_likelihood
    X, n=self.n_trials, p=self.emissionprob_[component, :])
AttributeError: 'MultinomialHMM' object has no attribute 'n_trials'

Any ideas?

Cheers, Philipp
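The traceback above ends inside hmmlearn, where predict() reaches a code path that reads n_trials, an attribute hmmlearn 0.2.8 added when it repurposed MultinomialHMM as a true multinomial model and introduced CategoricalHMM for one-symbol-per-step data; a model object built or pickled under an older release never had that attribute. The following is an added example, not LogonTracer's own code and not part of the issue: it picks the right hmmlearn class by feature detection rather than by name, and if a loaded model cannot decode under the installed hmmlearn it falls back to a plain Viterbi decode over the parameter attributes (startprob_, transmat_, emissionprob_) that both the old MultinomialHMM and CategoricalHMM expose. The LegacyPickledModel class is a constructed stand-in for such a stale object, and the observation sequence (binned per-hour event counts) is constructed as well.

```python
import math


def categorical_hmm_class():
    """Return the hmmlearn class that models one categorical symbol per time step.

    hmmlearn >= 0.2.8 calls it CategoricalHMM; older releases used MultinomialHMM
    for that purpose, so select by feature detection instead of by class name.
    """
    from hmmlearn import hmm  # only needed when hmmlearn is actually installed
    return getattr(hmm, "CategoricalHMM", None) or hmm.MultinomialHMM


def viterbi(startprob, transmat, emissionprob, obs):
    """Most likely hidden-state path for a categorical observation sequence.

    Pure-Python log-space Viterbi; parameters are indexed as startprob[s],
    transmat[from][to] and emissionprob[s][symbol], which matches hmmlearn's
    startprob_, transmat_ and emissionprob_ arrays.
    """
    n_states = len(startprob)

    def lg(p):
        return math.log(p) if p > 0 else float("-inf")

    score = [[lg(startprob[s]) + lg(emissionprob[s][obs[0]]) for s in range(n_states)]]
    back = []  # back[t-1][s] = best predecessor of state s at time t
    for t in range(1, len(obs)):
        prev = score[-1]
        cur, ptr = [], []
        for s in range(n_states):
            best = max(range(n_states), key=lambda r: prev[r] + lg(transmat[r][s]))
            cur.append(prev[best] + lg(transmat[best][s]) + lg(emissionprob[s][obs[t]]))
            ptr.append(best)
        score.append(cur)
        back.append(ptr)
    last = max(range(n_states), key=lambda s: score[-1][s])
    path = [last]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]


def decode_with_fallback(model, obs):
    """Decode with the library first; on an API mismatch, decode from the parameters.

    An AttributeError or TypeError here is the signature of a model object that is
    out of step with the installed hmmlearn (e.g. a pickle from an older release),
    and the fallback keeps the analysis pipeline running instead of aborting.
    """
    try:
        return [int(s) for s in model.predict([[o] for o in obs])]
    except (AttributeError, TypeError):
        return viterbi(model.startprob_, model.transmat_, model.emissionprob_, obs)


class LegacyPickledModel:
    """Constructed stand-in (not a real hmmlearn object) for a model unpickled from a
    file written by an older hmmlearn: the parameters are intact, but predict()
    hits the newer code path that expects an attribute the object never had."""

    startprob_ = [0.9, 0.1]                       # state 0 = normal, 1 = anomalous
    transmat_ = [[0.9, 0.1], [0.2, 0.8]]
    emissionprob_ = [[0.7, 0.25, 0.05],           # symbols: 0 = low, 1 = medium, 2 = high
                     [0.1, 0.3, 0.6]]

    def predict(self, X):
        raise AttributeError("'MultinomialHMM' object has no attribute 'n_trials'")


# Constructed observation sequence: binned per-hour logon event counts for one user.
SAMPLE_OBS = [0, 0, 2, 2, 2, 0]


def demo():
    """Decode the constructed sequence with the stale model; the fallback path runs."""
    return decode_with_fallback(LegacyPickledModel(), SAMPLE_OBS)


if __name__ == "__main__":
    print(demo())  # three consecutive high-count hours are flagged as state 1
```

The fallback is deliberately narrow: it only triggers on the two exception types that an API mismatch produces, so a genuine data error (a symbol outside the emission table, an empty sequence) still surfaces as a traceback. Regenerating the pickled model under the installed hmmlearn remains the proper fix; the fallback is there so an analysis run on a large event log does not die at the last step.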

shu-tom commented 1 year ago

Thank you for using LogonTracer. I've fixed it based on your issue.