Monday, August 11, 2014

Python Parser for CaptureBAT logfile v0.2

This is an updated CaptureBAT parser.  If a blank line or an unreadable line is in the logfile it will give you a warning and continue.

Take the logfile output from CaptureBAT and throw it against this script to organize it.

"CaptureBat.exe -n -c -l logFile_output.txt"


# Version 0.2: Added if a line in the log file can not be read then it lists a warning but continues

import sys

def parseFile(file, filter, specific):

        for line in file:
                        if items[1] == filter and items[2] == specific:
                                # Find the duplicates and remove them
                                if items[3] != duplicate3rdItem and items[4] != duplicate4thItem:
                                        print items[0] + " " + items[3] + " " + items[4].rstrip()
                        # Continue on error
                        print "Warning: Log File has a line that can not be read."

if len(sys.argv) >= 2:
        parseValues = [ ['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
                        ['"process"', '"Created"', 'Processes Created'], ['"process"', '"terminated"', 'Processes Terminated'],
                        ['"registry"', '"DeleteValueKey"', 'Registry Deleted Value'], ['"registry"', '"SetValueKey"', 'SetValueKey'] ]
        for item in parseValues:
                print "\n" + item[2]
                print "-----------------------------------------------------------------------------------------------"
                file = open(captureFileLog, "r")
                parseFile(file, item[0], item[1])
        print "Usage: ./script outputCaptureBat.log"

No comments:

Post a Comment

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...