Last active Feb 4, 2020
SANS Holiday Hack 2019 Objective 3 - Password Spray
# SANS Holiday Hack 2019 Objective 3 - Password Spray
# Dependency: python-evtx (pip install python-evtx)
import Evtx.Evtx as evtx
import re

# Fields worth keeping from each logon record
target_fields = ['EventID', 'TimeCreated', 'Computer', 'LogonType', 'TargetUserName', 'IpAddress']
output = []

# Render every record in Security.evtx to its XML form
with evtx.Evtx('Security.evtx') as log:
    for record in log.records():
        output.append(record.xml())

# Keep only logon events (4624 success, 4625 failure, 4648 explicit credentials)
# and print just the lines that carry one of the fields above
for row in output:
    if re.search(r'.*>(4624|4625|4648)</.*', row):
        lines = row.split('\n')
        for line in lines:
            if any(field in line for field in target_fields):
                print(line)
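As an added example (not the gist's code), the following Python groups failed logons (4625) by source address, flags a source that tried many distinct accounts, and reports which of those accounts also got a network logon (4624, LogonType 3) from the same source. The record shape and sample events are constructed to match the fields the gist extracts; the `min_users` threshold is an assumption.

```python
import re
from collections import defaultdict

# Regexes for the fields the gist prints; they match the XML shape python-evtx renders.
FIELD_RE = {
    'EventID': re.compile(r'<EventID[^>]*>(\d+)</EventID>'),
    'TargetUserName': re.compile(r'<Data Name="TargetUserName">([^<]*)</Data>'),
    'IpAddress': re.compile(r'<Data Name="IpAddress">([^<]*)</Data>'),
    'LogonType': re.compile(r'<Data Name="LogonType">([^<]*)</Data>'),
}

def parse_record(xml):
    """Extract the filtered fields from one record's XML (empty string if absent)."""
    out = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(xml)
        out[name] = m.group(1) if m else ''
    return out

def find_spray(records, min_users=5):
    """Group 4625 failures by source IP. A source that failed against at least
    min_users distinct accounts is flagged as a spray (assumed threshold); the
    accounts from that source that also produced a network logon (4624,
    LogonType 3) are returned as the likely compromised ones."""
    failures, successes = defaultdict(set), defaultdict(set)
    for xml in records:
        ev = parse_record(xml)
        if ev['EventID'] == '4625':
            failures[ev['IpAddress']].add(ev['TargetUserName'])
        elif ev['EventID'] == '4624' and ev['LogonType'] == '3':
            successes[ev['IpAddress']].add(ev['TargetUserName'])
    spray = {ip: sorted(users) for ip, users in failures.items() if len(users) >= min_users}
    compromised = {ip: sorted(successes[ip] & failures[ip]) for ip in spray
                   if successes[ip] & failures[ip]}
    return spray, compromised

def make_record(event_id, user, ip, logon_type=''):
    """Constructed record in the shape python-evtx's record.xml() produces."""
    return ('<Event><System><EventID Qualifiers="">%s</EventID></System><EventData>'
            '<Data Name="TargetUserName">%s</Data><Data Name="LogonType">%s</Data>'
            '<Data Name="IpAddress">%s</Data></EventData></Event>' % (event_id, user, logon_type, ip))

# Constructed sample: one source tries six accounts and gets into one; another user mistypes once.
SAMPLE = [make_record('4625', u, '10.0.0.9', '3') for u in
          ['alice', 'bob', 'carol', 'dave', 'erin', 'frank']]
SAMPLE.append(make_record('4624', 'erin', '10.0.0.9', '3'))
SAMPLE.append(make_record('4625', 'alice', '10.0.0.22', '2'))

if __name__ == '__main__':
    print(find_spray(SAMPLE))
```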

cetaSYN commented Jan 7, 2020

Simply filters the log to relevant info, not the solution.
Produces a LOT of results.

Here's what we're looking for:

<EventID Qualifiers="">4648</EventID>
<TimeCreated SystemTime="2019-11-19 12:21:45.754591"></TimeCreated>
<Data Name="TargetUserName">supatree</Data>
<Data Name="IpAddress"></Data>

<EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2019-11-19 12:21:45.755442"></TimeCreated>
<Data Name="TargetUserName">supatree</Data>
<Data Name="LogonType">3</Data>
<Data Name="IpAddress"></Data>

