
Error analyzing Sysmon logs #22

Closed
fareedfauzi opened this issue Aug 24, 2022 · 2 comments

Comments

@fareedfauzi

My command

APT-Hunter.exe -p C:\WINDOWS\System32\winevt\Logs

Output

Analyzing C:\WINDOWS\System32\winevt\Logs\OSession.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\Parameters.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\Security.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\Setup.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\SMSApi.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\State.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\System.evtx
Analyzing C:\WINDOWS\System32\winevt\Logs\Windows PowerShell.evtx
Error Analyzing Sysmon logs
ERROR:root:Traceback (most recent call last):
  File "APT-Hunter.py", line 130, in evtxdetect_auto
  File "lib\EvtxDetection.py", line 3347, in detect_events_Sysmon_log
IndexError: list index out of range

Traceback (most recent call last):
  File "APT-Hunter.py", line 359, in <module>
  File "APT-Hunter.py", line 326, in main
  File "APT-Hunter.py", line 236, in report
  File "pandas\core\frame.py", line 636, in __init__
  File "pandas\core\internals\construction.py", line 502, in dict_to_mgr
  File "pandas\core\internals\construction.py", line 120, in arrays_to_mgr
  File "pandas\core\internals\construction.py", line 674, in _extract_index
ValueError: All arrays must be of the same length
[6696] Failed to execute script 'APT-Hunter' due to unhandled exception!
@googlefyi

I recently had this same issue and found there were some instances where Sysmon didn't have all the expected fields. It was a slow process, but I just added try-except statements to the affected functions in EvtxDetection.py. As shown here:

```python
# Guard the whole rule: a Sysmon record that lacks one of the expected fields
# yields an empty list, so indexing [0] raises IndexError and the rule is skipped.
try:
    if (EventID[0]=="3") and (Image[0].strip().find("certutil.exe")>-1 or
                        CommandLine[0].strip().find("*certutil*script\\:http\\[\\:\\]\\/\\/*")>-1 or
                        Image[0].strip().find("*\\replace.exe")>-1):
        # Build the description first; fall back to the rule name if User/CommandLine are absent.
        try:
            Event_desc="Found User (" + User[0].strip() + ") running image ( " + Image[0].strip() + " ) through command line ( " + CommandLine[0].strip() + " )"
        except:
            Event_desc="[T1218] Signed Binary Proxy Execution - Network"
        Sysmon_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
        Sysmon_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
        Sysmon_events[0]['Computer Name'].append(Computer[0])
        Sysmon_events[0]['Channel'].append(Channel[0])
        Sysmon_events[0]['Detection Rule'].append('[T1218] Signed Binary Proxy Execution - Network')
        Sysmon_events[0]['Detection Domain'].append("Threat")
        Sysmon_events[0]['Severity'].append("High")
        Sysmon_events[0]['Event Description'].append(Event_desc)
        Sysmon_events[0]['Event ID'].append(EventID[0])
        Sysmon_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
except IndexError:
    # Field missing from this event: skip the rule rather than abort the whole run.
    pass
```
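The two tracebacks in the report are linked: the `IndexError` comes from reading `[0]` of a field that this Sysmon event does not carry, and the later pandas `ValueError: All arrays must be of the same length` comes from the column lists having been appended unevenly before that error fired. The following is an added, stand-alone example (not APT-Hunter's code and not from the comment above) that reproduces both symptoms on constructed records and shows the pattern that avoids them: resolve every field of the row first, then append to all columns at once. The record layout, column names and the `<missing>` default are assumptions made for the example.

```python
# Added example: why a missing Sysmon field first raises IndexError and then
# leaves the per-column lists uneven (the pandas "same length" ValueError),
# and an atomic-append pattern that keeps the table rectangular.

# Constructed sample records shaped like per-field lists (an absent field is an
# empty list). Record 2 lacks 'CommandLine' and 'Computer'; 'Computer' is read
# only after some columns have already been appended.
SAMPLE_RECORDS = [
    {"timestamp": "2022-08-24T10:00:00+00:00", "EventID": ["3"],
     "Image": ["C:\\Windows\\System32\\certutil.exe"], "CommandLine": ["certutil.exe -dump"],
     "User": ["LAB\\alice"], "Computer": ["WS01"]},
    {"timestamp": "2022-08-24T10:00:05+00:00", "EventID": ["3"],
     "Image": ["C:\\Windows\\System32\\certutil.exe"], "CommandLine": [],
     "User": ["LAB\\bob"], "Computer": []},
    {"timestamp": "2022-08-24T10:00:09+00:00", "EventID": ["1"],
     "Image": ["C:\\Windows\\explorer.exe"], "CommandLine": ["explorer.exe"],
     "User": ["LAB\\carol"], "Computer": ["WS02"]},
]

COLUMNS = ("Date and Time", "Computer Name", "Event ID", "Event Description")


def new_table():
    """Column-oriented store: one list per column, as a DataFrame dict expects."""
    return {name: [] for name in COLUMNS}


def is_rectangular(table):
    """The check pandas performs when building a DataFrame from a dict of lists."""
    return len({len(values) for values in table.values()}) <= 1


def append_one_by_one(table, record):
    """Original pattern: each column is appended directly, so an IndexError from
    a later field access leaves the earlier columns one element longer."""
    if record["EventID"][0] == "3" and "certutil.exe" in record["Image"][0]:
        table["Date and Time"].append(record["timestamp"])
        table["Event ID"].append(record["EventID"][0])
        table["Computer Name"].append(record["Computer"][0])   # IndexError on record 2
        table["Event Description"].append(
            f"Found User ({record['User'][0]}) running image ({record['Image'][0]}) "
            f"through command line ({record['CommandLine'][0]})")


def append_row_atomically(table, record):
    """Resolve every field first (with a default for absent ones); only when the
    whole row exists is anything appended, so the table stays rectangular."""
    def field(name):
        values = record.get(name, [])
        return values[0].strip() if values else "<missing>"   # assumed default
    if field("EventID") != "3" or "certutil.exe" not in field("Image"):
        return False
    row = {
        "Date and Time": record["timestamp"],
        "Computer Name": field("Computer"),
        "Event ID": field("EventID"),
        "Event Description": f"Found User ({field('User')}) running image "
                             f"({field('Image')}) through command line ({field('CommandLine')})",
    }
    for name in COLUMNS:
        table[name].append(row[name])
    return True


def detect(records, appender):
    """Run one appender over all records, swallowing IndexError the way a
    try/except around the rule does, and report whether the table is still
    rectangular (i.e. whether a DataFrame could be built from it)."""
    table = new_table()
    for record in records:
        try:
            appender(table, record)
        except IndexError:
            pass
    return table, is_rectangular(table)


if __name__ == "__main__":
    for appender in (append_one_by_one, append_row_atomically):
        table, ok = detect(SAMPLE_RECORDS, appender)
        print(appender.__name__, {k: len(v) for k, v in table.items()}, "rectangular:", ok)
```

Running it shows that the outer `try/except IndexError` alone is not enough: with `append_one_by_one` the error is swallowed, but `Date and Time` and `Event ID` already hold two entries while `Computer Name` holds one, which is exactly the state pandas later rejects in `report`. With `append_row_atomically` the same records produce two complete rows, the missing fields carrying the default.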

@ahmedkhlief
Owner

Hi, this is fixed in the new release V3.0. Please check and let me know.
