JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Bug that can not load additional timezone log #95

Closed shu-tom closed 3 years ago

shu-tom commented 3 years ago

Unable to read logs with a trailing timezone. #93

ctrlbbj commented 3 years ago

I have the same question with the last docker version.

error log:

[+] Script start. 2021/01/06 13:26:11
[+] Neo4j Kernel version: 4.1.1
[+] Last record number is 2016473.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file /usr/local/src/LogonTracer/upload/0.evtx.
[+] Now loading 100 records.
[+] Now loading 200 records.
[+] Now loading 300 records.
[+] Now loading 400 records.
[+] Now loading 500 records.
[+] Now loading 600 records.
[+] Now loading 700 records.
[+] Now loading 800 records.
[+] Now loading 900 records.
[+] Now loading 1000 records.
[+] Now loading 1100 records.
[+] Now loading 1200 records.
[+] Now loading 1300 records.
[+] Now loading 1400 records.
[+] Now loading 1500 records.
[+] Now loading 1600 records.
/usr/local/lib/python3.7/site-packages/statsmodels/tools/_testing.py:19: FutureWarning: pandas.util.testing is deprecated. Use the functions in the public API at pandas.testing instead.
  import pandas.util.testing as tm
Traceback (most recent call last):
  File "/usr/local/src/LogonTracer/logontracer.py", line 834, in parse_evtx
    etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
  File "/usr/local/lib/python3.7/_strptime.py", line 577, in _strptime_datetime
    tt, fraction, gmtoff_fraction = _strptime(data_string, format)
  File "/usr/local/lib/python3.7/_strptime.py", line 362, in _strptime
    data_string[found.end():])
ValueError: unconverted data remains: UTC

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/src/LogonTracer/logontracer.py", line 1863, in <module>
    main()
  File "/usr/local/src/LogonTracer/logontracer.py", line 1848, in main
    parse_evtx(args.evtx)
  File "/usr/local/src/LogonTracer/logontracer.py", line 836, in parse_evtx
    etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
  File "/usr/local/lib/python3.7/_strptime.py", line 577, in _strptime_datetime
    tt, fraction, gmtoff_fraction = _strptime(data_string, format)
  File "/usr/local/lib/python3.7/_strptime.py", line 359, in _strptime
    (data_string, format))
ValueError: time data '2020-02-22 18:45:02 UTC' does not match format '%Y-%m-%dT%H:%M:%S'

shu-tom commented 3 years ago

Could you show me an event log sample?

ctrlbbj commented 3 years ago

The original log is too big and there is no possibility to upload it. Is there a tool to locate the extracted logs? I will locate the problematic logs, extract them and send them to you.

yamamotoalex commented 3 years ago

I have the same issue. Below is the event log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-03T01:12:09.0000004Z" />
    <EventRecordID>130340566</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="1648" />
    <Channel>Security</Channel>
    <Computer>MSAD.n****.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MSAD$</Data>
    <Data Name="SubjectDomainName">N****</Data>
    <Data Name="SubjectLogonId">0x24df69d</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege</Data>
  </EventData>
</Event>

and the error is:

/usr/local/lib64/python3.6/site-packages/statsmodels/tools/_testing.py:19: FutureWarning: pandas.util.testing is deprecated. Use the functions in the public API at pandas.testing instead.
  import pandas.util.testing as tm
[+] Script start. 2021/02/05 23:11:25
[+] Neo4j Kernel version: 4.1.1
[+] Load cashe files.
[+] Time zone is 9.
[+] Last record number is 1.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file /opt/LogonTracer/upload/0.evtx.
Traceback (most recent call last):
  File "/opt/LogonTracer/logontracer.py", line 834, in parse_evtx
    etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
  File "/usr/lib64/python3.6/_strptime.py", line 565, in _strptime_datetime
    tt, fraction = _strptime(data_string, format)
  File "/usr/lib64/python3.6/_strptime.py", line 365, in _strptime
    data_string[found.end():])
ValueError: unconverted data remains: UTC

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/LogonTracer/logontracer.py", line 1861, in <module>
    main()
  File "/opt/LogonTracer/logontracer.py", line 1846, in main
    parse_evtx(args.evtx)
  File "/opt/LogonTracer/logontracer.py", line 836, in parse_evtx
    etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
  File "/usr/lib64/python3.6/_strptime.py", line 565, in _strptime_datetime
    tt, fraction = _strptime(data_string, format)
  File "/usr/lib64/python3.6/_strptime.py", line 362, in _strptime
    (data_string, format))
ValueError: time data '2021-02-03 01:12:09 UTC' does not match format '%Y-%m-%dT%H:%M:%S'

shu-tom commented 3 years ago

I fixed this bug. Thanks @falsneg.
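The tracebacks in this thread fail because `logtime.split(".")[0]` leaves the trailing ` UTC` in a string such as `2021-02-03 01:12:09 UTC`, so `strptime` reports unconverted data, and the second fallback format then fails too. The following is an added example, not LogonTracer's own code and not its actual fix, of a timestamp parser that accepts both shapes seen above (the ISO `T...Z` form from the event XML and the space-separated `... UTC` form) and rejects anything else rather than guessing; `parse_event_time`, `_EVENT_TIME` and the sample values are assumptions.

```python
import datetime
import re

# Constructed sample values in the two shapes quoted in this thread.
SAMPLE_TIMES = [
    "2021-02-03T01:12:09.0000004Z",  # TimeCreated SystemTime from the XML
    "2021-02-03 01:12:09 UTC",       # the string strptime choked on
    "2020-02-22 18:45:02 UTC",
]

# Date and time, optional fractional seconds, optional 'Z' / 'UTC' marker.
# Anything else fails to match so unexpected input is not silently mis-parsed.
_EVENT_TIME = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})"
    r"(?:\.\d+)?\s*(?P<zone>Z|UTC)?$"
)


def parse_event_time(logtime: str, tzone: int) -> datetime.datetime:
    """Parse an EVTX timestamp string and shift it by tzone hours.

    Hypothetical helper: it strips fractional seconds and a trailing
    'Z'/'UTC' marker before handing a clean "YYYY-MM-DD HH:MM:SS" string
    to strptime, instead of splitting on "." and hoping nothing follows
    the seconds field.
    """
    m = _EVENT_TIME.match(logtime.strip())
    if m is None:
        raise ValueError(f"unrecognised event time: {logtime!r}")
    base = m.group("base").replace("T", " ")
    etime = datetime.datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return etime + datetime.timedelta(hours=tzone)


def parse_samples(tzone: int = 9) -> list:
    """Parse every constructed sample with the 'Time zone is 9' offset
    from the thread and return the results as ISO strings."""
    return [parse_event_time(t, tzone).isoformat() for t in SAMPLE_TIMES]


if __name__ == "__main__":
    for src, parsed in zip(SAMPLE_TIMES, parse_samples()):
        print(f"{src!r:36} -> {parsed}")
```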