Monday, August 11, 2014

Python Parser for CaptureBAT logfile v0.2

This is an updated CaptureBAT parser. If the logfile contains a blank line or a line that cannot be read, the script prints a warning and continues instead of stopping.

Take the logfile output from CaptureBAT and throw it against this script to organize it.

"CaptureBat.exe -n -c -l logFile_output.txt"

#!/usr/bin/env python3

# Version 0.2: if a line in the log file cannot be read, print a warning and continue.

import sys

def parseFile(logfile, objectType, event):
    # Last process/target pair printed, used to suppress consecutive duplicate lines
    lastProcess = ""
    lastTarget = ""

    for line in logfile:
        try:
            items = line.split(',')
            if items[1] == objectType and items[2] == event:
                # Skip the line only when it repeats the previous process/target pair
                if items[3] != lastProcess or items[4] != lastTarget:
                    print(items[0] + " " + items[3] + " " + items[4].rstrip())
                    lastProcess = items[3]
                    lastTarget = items[4]
        except IndexError:
            # Blank or malformed line (too few fields): warn and keep going
            print("Warning: Log File has a line that can not be read.")


if len(sys.argv) >= 2:
    # The log file to parse comes from the command line, as the usage line states
    captureFileLog = sys.argv[1]
    # [object type, event, section heading]; the quotes match the fields CaptureBAT writes
    parseValues = [['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
                   ['"process"', '"Created"', 'Processes Created'], ['"process"', '"terminated"', 'Processes Terminated'],
                   ['"registry"', '"DeleteValueKey"', 'Registry Deleted Value'], ['"registry"', '"SetValueKey"', 'SetValueKey']]
    for item in parseValues:
        print("\n" + item[2])
        print("-----------------------------------------------------------------------------------------------")
        # Re-open the log for each section so every pass reads from the start
        with open(captureFileLog, "r") as logfile:
            parseFile(logfile, item[0], item[1])
else:
    print("Usage: ./script outputCaptureBat.log")
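The script above splits on commas, so a quoted path that itself contains a comma shifts the columns. This added example (not part of the original post) parses constructed CaptureBAT-style lines with Python's csv module, collapses repeated process/target pairs per object/event the same way the script does, and reports the line numbers it could not parse. The sample lines, timestamps and paths are made up.

```python
import csv

# Constructed sample of CaptureBAT output (not a real capture). Field order is the
# one the parser above relies on: time, object, event, process, target.
# Line 2 repeats line 1, line 3 has a comma inside a quoted path, line 4 is blank,
# and line 7 is not a log record at all.
SAMPLE_LOG = r'''"1/1/2014 12:00:00.001","file","Write","C:\Windows\explorer.exe","C:\Temp\drop.exe"
"1/1/2014 12:00:00.002","file","Write","C:\Windows\explorer.exe","C:\Temp\drop.exe"
"1/1/2014 12:00:00.003","file","Write","C:\Temp\drop.exe","C:\Users\a,b\run.dat"

"1/1/2014 12:00:00.004","process","Created","C:\Windows\explorer.exe","C:\Temp\drop.exe"
"1/1/2014 12:00:00.005","registry","SetValueKey","C:\Temp\drop.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"
this line is garbage
'''


def parse_capturebat(text):
    """Group records as {(object, event): [(time, process, target), ...]}.

    Consecutive records with the same process/target pair under one
    object/event key are collapsed, as in the script above. Returns the
    grouped events and the 1-based numbers of lines that could not be parsed.
    """
    events = {}
    bad_lines = []
    last_seen = {}  # (object, event) -> last (process, target) kept
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row:
            continue  # blank line: nothing to report
        if len(row) < 5:
            bad_lines.append(lineno)  # too few fields to be a CaptureBAT record
            continue
        time, obj, event, process, target = row[:5]
        key = (obj, event)
        pair = (process, target)
        if last_seen.get(key) == pair:
            continue  # same process hit the same target again: duplicate
        last_seen[key] = pair
        events.setdefault(key, []).append((time, process, target))
    return events, bad_lines
```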
