From 62049d67c0c5e179708da3f32c09734c9c50f259 Mon Sep 17 00:00:00 2001
From: Burak Karaduman
Date: Wed, 4 Jan 2023 22:37:56 +0300
Subject: [PATCH 1/2] Added sysmon timestamp manipulation function and some changes on manipulate_timestamp function for more coverage.
---
 bin/replay.py | 59 +++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 55 insertions(+), 4 deletions(-)
diff --git a/bin/replay.py b/bin/replay.py
index 8064624c..21f24dd0 100644
--- a/bin/replay.py
+++ b/bin/replay.py
@@ -14,8 +14,12 @@ class DataManipulation:
 def manipulate_timestamp(self, file_path, sourcetype, source):
+ source = source.lower()
+ sourcetype = sourcetype.lower()
+
 # check that we support the source or sourcetype sent for manipulation
- SUPPORTED = ['WinEventLog:System', 'WinEventLog:Security', 'exchange', 'aws:cloudtrail']
+ SUPPORTED = ['XmlWinEventLog:Microsoft-Windows-Sysmon/Operational', 'WinEventLog:System', 'WinEventLog:Security', 'exchange', 'aws:cloudtrail']
+ SUPPORTED = list(map(lambda x: x.lower(), SUPPORTED))
 if (sourcetype in SUPPORTED) or (source in SUPPORTED):
 print("updating timestamps before replaying for file: {0}".format(file_path))
 else:
@@ -25,8 +29,11 @@ def manipulate_timestamp(self, file_path, sourcetype, source):
 if sourcetype == 'aws:cloudtrail':
 self.manipulate_timestamp_cloudtrail(file_path)
- if source == 'WinEventLog:System' or source == 'WinEventLog:Security':
+ if source == 'WinEventLog:System'.lower() or source == 'WinEventLog:Security'.lower():
 self.manipulate_timestamp_windows_event_log_raw(file_path)
+
+ if source == 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'.lower():
+ self.manipulate_timestamp_windows_sysmon_log_raw(file_path)
 if source == 'exchange':
 self.manipulate_timestamp_exchange_logs(file_path)
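Review bot: `SUPPORTED` is rebuilt and lower-cased on every call through `list(map(lambda x: x.lower(), SUPPORTED))`; writing the identifiers in lowercase once, ideally as a module-level frozenset since the only use is a membership test, removes the lambda and the duplicate assignment, e.g. `SUPPORTED = frozenset({'xmlwineventlog:microsoft-windows-sysmon/operational', 'wineventlog:system', 'wineventlog:security', 'exchange', 'aws:cloudtrail'})`. The new `source.lower()` / `sourcetype.lower()` lines will raise AttributeError if a caller passes None for an unset field; whether callers can do that is not visible from this hunk, so a guard such as `source = (source or '').lower()` is worth considering. The else branch and the rest of the method continue outside the hunk.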
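Review bot: The support gate and the dispatch below it disagree: the gate passes when the identifier is found in either `sourcetype` or `source`, but the new Sysmon branch (and the WinEventLog one) tests only `source`, so a dataset that declares `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` as its sourcetype prints "updating timestamps before replaying" and is then replayed with its original timestamps, silently. Either test both fields, `if 'xmlwineventlog:microsoft-windows-sysmon/operational' in (source, sourcetype):`, or add a final else that warns that the gate matched but no handler did. Calling `.lower()` on the string literals at each comparison is also needless once the inputs are lower-cased; write the lowercase literal directly. The opening of `manipulate_timestamp` sits in the previous hunk.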
@@ -78,6 +85,52 @@ def manipulate_timestamp_windows_event_log_raw(self, file_path):
 f.close()
 return
+ def manipulate_timestamp_windows_sysmon_log_raw(self, file_path):
+ with open(file_path, "r", encoding="utf-8") as f:
+ content = f.read()
+
+ regex4systemTime = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}' #
+ regex4utcTime = r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}' # 2021-04-05 14:11:22.089
+
+ format4systemTime = "%Y-%m-%dT%H:%M:%S"
+ format4utcTime = "%Y-%m-%d %H:%M:%S.%f"
+
+ systemTimes = re.findall(regex4systemTime, content)
+ utcTimes = re.findall(regex4utcTime, content)
+
+ systemTimes.sort()
+ utcTimes.sort()
+
+ # Difference for systemTime
+ now = datetime.now().strftime(format4systemTime)
+ now = datetime.strptime(now, format4systemTime)
+ last_event_time = datetime.strptime(systemTimes[-1],format4systemTime)
+ time_difference_4_systemTime = now - last_event_time
+
+ # Difference for utcTime
+ now = datetime.now().strftime(format4utcTime)
+ now = datetime.strptime(now, format4utcTime)
+ last_event_time = datetime.strptime(utcTimes[-1],format4utcTime)
+ time_difference_4_utcTime = now - last_event_time
+
+ # re.sub replacement function for systemTimes
+ def replacement_func_4_systemTime(m):
+ updated_systemTime = datetime.strptime(m.group(), format4systemTime) + time_difference_4_systemTime
+ updated_systemTime = updated_systemTime.strftime(format4systemTime)
+ return updated_systemTime
+
+ # re.sub replacement function for utcTimes
+ def replacement_func_4_utcTime(m):
+ updated_utcTime = datetime.strptime(m.group(), format4utcTime) + time_difference_4_utcTime
+ updated_utcTime = updated_utcTime.strftime(format4utcTime)
+ return updated_utcTime
+
+
+ content = re.sub(regex4systemTime, replacement_func_4_systemTime, content)
+ content = re.sub(regex4utcTime, replacement_func_4_utcTime, content)
+ with open('regex.log', 'w+', encoding='utf8') as write_file:
+ write_file.write(file_path)
+ print("Timestamps successfully updated.")
 def replacement_function(self, match):
 try:
@@ -88,8 +141,6 @@ def replacement_function(self, match):
 print("ERROR - in timestamp replacement occured: " + str(e))
 return match.group()
-
-
 def manipulate_timestamp_cloudtrail(self, file_path):
 f = io.open(file_path, "r", encoding="utf-8")
 try:
From 0a450ef6ee00351c4f8e0b47cfab715cd4e9bdd6 Mon Sep 17 00:00:00 2001
From: Burak Karaduman <36070747+krdmnbrk@users.noreply.github.com>
Date: Thu, 5 Jan 2023 12:53:57 +0300
Subject: [PATCH 2/2] Update replay.py
Forgot to add cloudtrail function.
---
 bin/replay.py | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/bin/replay.py b/bin/replay.py
index 21f24dd0..582ca7b4 100644
--- a/bin/replay.py
+++ b/bin/replay.py
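Review bot: The rewritten `content` is never written back to `file_path`: after the two `re.sub` calls the function opens `regex.log`, writes the path string into it, and prints "Timestamps successfully updated.", so the Sysmon dataset is replayed with its original timestamps and a stray `regex.log` is left in the working directory — the final `with` block should write `content` to `file_path`. `systemTimes[-1]` and `utcTimes[-1]` also raise IndexError on a file with no matches (an empty dataset, or one whose UtcTime carries no millisecond part), so both lists need a guard before the deltas are computed. Both deltas are taken against naive local `datetime.now()` while Sysmon's SystemTime (Z suffix) and UtcTime are UTC, so the shifted events land off by the host's UTC offset unless the host runs in UTC; this may be deliberate to match `manipulate_timestamp_windows_event_log_raw`, whose body is outside the hunk, but deserves a comment either way.
```python
        systemTimes = re.findall(regex4systemTime, content)
        utcTimes = re.findall(regex4utcTime, content)
        if not systemTimes or not utcTimes:
            print("WARNING - no Sysmon timestamps found in {0}, leaving file unchanged".format(file_path))
            return
        # … unchanged: sort, delta computation, replacement functions …
        content = re.sub(regex4systemTime, replacement_func_4_systemTime, content)
        content = re.sub(regex4utcTime, replacement_func_4_utcTime, content)
        with open(file_path, 'w', encoding='utf-8') as write_file:
            write_file.write(content)
        print("Timestamps successfully updated.")
```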
@@ -132,6 +132,47 @@ def replacement_func_4_utcTime(m):
 write_file.write(file_path)
 print("Timestamps successfully updated.")
+ def manipulate_timestamp_cloudtrail(self, file_path):
+ f = io.open(file_path, "r", encoding="utf-8")
+
+ try:
+ first_line = f.readline()
+ d = json.loads(first_line)
+ latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ")
+
+ now = datetime.now()
+ now = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+ now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S.%fZ")
+ except ValueError:
+ first_line = f.readline()
+ d = json.loads(first_line)
+ latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ")
+
+ now = datetime.now()
+ now = now.strftime("%Y-%m-%dT%H:%M:%SZ")
+ now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%SZ")
+
+ difference = now - latest_event
+ f.close()
+
+ for line in fileinput.input(file_path, inplace=True):
+ try:
+ d = json.loads(line)
+ original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ")
+ new_time = (difference + original_time)
+
+ original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+ new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+ print (line.replace(original_time, new_time),end ='')
+ except ValueError:
+ d = json.loads(line)
+ original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ")
+ new_time = (difference + original_time)
+
+ original_time = original_time.strftime("%Y-%m-%dT%H:%M:%SZ")
+ new_time = new_time.strftime("%Y-%m-%dT%H:%M:%SZ")
+ print (line.replace(original_time, new_time),end ='')
+
 def replacement_function(self, match):
 try:
 event_time = datetime.strptime(match.group(),"%m/%d/%Y %I:%M:%S %p")
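Review bot: This method appears to be dead as added: the first patch's `@@ -88,8 +141,6 @@` hunk still lists `def manipulate_timestamp_cloudtrail(self, file_path):` as unchanged context after `replacement_function`, and this patch only inserts lines, so unless the original was removed outside this diff `DataManipulation` binds the name twice and Python keeps the later (original) body, meaning the fractional-seconds fallback added here never executes. Fold the fallback into the existing method or delete the old definition in the same commit. Within the new body, the `except ValueError` branch calls `f.readline()` a second time, so it parses the second record instead of re-parsing `first_line`; CloudTrail `eventTime` values carry no fractional seconds, so that fallback is the normal path and `latest_event` is taken from the wrong line — drop the second `first_line = f.readline()` and reuse the value already read. `f` is also never closed when the fallback itself raises, and a `json.JSONDecodeError` (a `ValueError`) on a malformed line reaches the loop's `except`, which re-parses and raises again part-way through `fileinput.input(..., inplace=True)`, leaving the dataset partially rewritten; wrapping the header read in `with io.open(...) as f:` and catching only the `strptime` failure narrows both.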