Saturday, April 19, 2014

Python Parser for CaptureBAT Output

From the command line where CaptureBAT is running I use the following syntax:
"CaptureBAT.exe -c -n -l outputCaptureBat.log"

Then copy the log file where the python script is located.

#!/usr/bin/python

import sys

def parseFile(file, filter, specific):
duplicate3rdItem=""
duplicate4thItem=""

for line in file:
items=line.split(',')
if items[1] == filter and items[2] == specific:
# Find the duplicates and remove them
if items[3] != duplicate3rdItem and items[4] != duplicate4thItem:
print items[0] + " " + items[3] + " " + items[4].rstrip()
duplicate3rdItem=items[3]
duplicate4thItem=items[4]


if len(sys.argv) >= 2:
outputFile='outputCaptureBat.log'
parseValues = [ ['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
               ['"process"', '"Created"', 'Processes Created'], ['"process"', '"terminated"', 'Processes Terminated'],
                ['"registry"', '"DeleteValueKey"', 'Registry Deleted Value'], ['"registry"', '"SetValueKey"', 'SetValueKey'] ]
for item in parseValues:
print "\n" + item[2]
print "-----------------------------------------------------------------------------------------------"
file = open(outputFile, "r")
parseFile(file, item[0], item[1])
else:
print "Usage: ./script outputCaptureBat.log"

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...