I created a quick parser for Process Monitor CSV export files. It organizes the output by PID and Operation, then strips the timestamp and deduplicates the remaining rows. It is meant to be used alongside Process Monitor to help identify interesting activity, not to replace its output.
#!/usr/bin/env python3
# Script is designed to parse a Process Monitor CSV export and print the rows organized by process (PID) and operation
# In my limited testing it took a 29M file down to 5M (at least a little easier to digest)
# It will deduplicate the rows in the output without the timestamp
# This tool is not meant to replace the output of Process Monitor; it is only a tool to assist in finding valuable information
import csv

csvFile = 'processMonitor.csv'

# Gather the PIDs and Operations and make a unique list of each
uniqPID = set()        # This will store the unique PIDs found in the csv file
uniqOperation = set()  # This will store the unique Operations found in the csv file
with open(csvFile, 'r', newline='') as file:
    reader = csv.reader(file)
    for row in reader:
        # Time of Day, Process Name, PID, Operation, Path, Result, Detail
        #     0             1         2      3        4      5       6
        if len(row) < 7:        # Skip blank or truncated lines
            continue
        if row[2] != 'PID':     # Keep the header row out of the set
            uniqPID.add(row[2])
            uniqOperation.add(row[3])

uniqPID = list(uniqPID)  # Take the set and place it into a list
uniqOperation = list(uniqOperation)
uniqPID.sort(key=int)    # Sort the list based on an integer value
uniqOperation.sort(key=str)

for pid in uniqPID:
    print("\n\n")
    for operation in uniqOperation:
        operationAppearanceCounter = 0
        uniqRow = set()
        # The file is re-read once per PID/Operation pair; simple, but slow on very large captures
        with open(csvFile, 'r', newline='') as file:
            reader = csv.reader(file)
            for row in reader:
                if len(row) < 7:
                    continue
                if row[2] == pid and row[3] == operation:
                    if operationAppearanceCounter == 0:
                        print("\nPID: " + pid + " Operation: " + operation)
                        print("----------------------------------------------")
                        operationAppearanceCounter = 1
                    # Drop the Time of Day column so identical events collapse into one row
                    newRow = row[1] + " " + row[2] + " " + row[3] + " " + row[4] + " " + row[5] + " " + row[6]
                    uniqRow.add(newRow)
        for deduplicatedRow in uniqRow:
            print(deduplicatedRow)
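The same idea in a single pass, as an added example that is not the script above: rows are grouped by (PID, Operation) in one read of the file, the timestamp is dropped, and each deduplicated row keeps a hit count so one-off events stand out from repetitive noise. The sample CSV, the rare-row threshold and the function names are constructed for this example.

```python
import csv
import io
from collections import Counter, OrderedDict

# Constructed sample in Process Monitor's default CSV column order:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","notepad.exe","1234","RegOpenKey","HKCU\\Software\\Example","SUCCESS","Desired Access: Read"
"10:00:01.0000002","notepad.exe","1234","RegOpenKey","HKCU\\Software\\Example","SUCCESS","Desired Access: Read"
"10:00:01.0000003","notepad.exe","1234","CreateFile","C:\\Users\\demo\\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:00:02.0000004","svchost.exe","88","RegOpenKey","HKLM\\System\\Example","NAME NOT FOUND","Desired Access: Read"
"10:00:02.0000005","svchost.exe","88","RegOpenKey","HKLM\\System\\Example","NAME NOT FOUND","Desired Access: Read"
"10:00:02.0000006","svchost.exe","88","RegOpenKey","HKLM\\System\\Example","NAME NOT FOUND","Desired Access: Read"
"""

def parse_procmon(lines):
    """One pass over the CSV: {(pid, operation): Counter({row_without_time: hits})},
    keys ordered by numeric PID, then operation name."""
    groups = {}
    reader = csv.reader(lines)
    next(reader, None)                      # first row is the column header
    for row in reader:
        if len(row) < 7:                    # skip blank or truncated lines
            continue
        _time, proc, pid, op, path, result, detail = row[:7]
        stripped = " ".join((proc, pid, op, path, result, detail))
        groups.setdefault((pid, op), Counter())[stripped] += 1
    numeric = lambda kv: (int(kv[0][0]) if kv[0][0].isdigit() else -1, kv[0][1])
    return OrderedDict(sorted(groups.items(), key=numeric))

def report(groups, rare_threshold=1):
    """Render like the original script, prefixing each deduplicated row with its
    hit count and flagging rows seen at most rare_threshold times."""
    out = []
    for (pid, op), rows in groups.items():
        out.append("\nPID: %s Operation: %s" % (pid, op))
        out.append("-" * 46)
        for stripped, n in rows.most_common():
            flag = " <-- rare" if n <= rare_threshold else ""
            out.append("[%5d] %s%s" % (n, stripped, flag))
    return "\n".join(out)

def demo():
    return parse_procmon(io.StringIO(SAMPLE_CSV))

if __name__ == "__main__":
    print(report(demo()))
```

To run it on a real export, replace `demo()` with `parse_procmon(open(path, newline=""))`.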
Twitter: @lokut