@cetaSYN
Created January 7, 2020 04:35
SANS Holiday Hack 2019 Objective 4 - Determine Technique
#!/usr/bin/env python3
# SANS Holiday Hack 2019 Objective 4 - Determine Technique
import json
from datetime import datetime, timedelta


def pprint(s):
    # Each event is already a dict, so serialise it directly. The original
    # round-tripped str(dict) through quote replacement, which breaks on values
    # containing a single quote and on non-string values such as None.
    return json.dumps(s, indent=2)


with open('sysmon-data.json') as f:
    data = json.loads(f.read())

# Newest event first, so data[i-1] is the event created just after data[i].
data.sort(key=lambda x: x['timestamp'], reverse=True)

# Timestamps are Windows FILETIME values: 100-ns ticks since 1601-01-01.
for i in data:
    i['timestamp'] = (datetime(1601, 1, 1)
                      + timedelta(microseconds=i['timestamp'] // 10)).isoformat()

# Print every process spawned by lsass.exe together with the two events that
# followed it. data[i-2] and data[i-1] wrap to the end of the list when i < 2.
for i in range(len(data)):
    index = data[i]
    at = index.get('parent_process_name')
    if at is not None and 'lsass' in at.lower():
        print("{}\n{}\n{}".format(
            pprint(data[i-2]),
            pprint(data[i-1]),
            pprint(index),
        ))
cetaSYN commented Jan 7, 2020

Output we're looking for:

{
  "command_line": "ntdsutil.exe  \"ac i ntds\" ifm \"create full c:\\hive\" q q",
  "event_type": "process",
  "logon_id": 999,
  "parent_process_name": "cmd.exe",
  "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
  "pid": 3556,
  "ppid": 3440,
  "process_name": "ntdsutil.exe",
  "process_path": "C:\\Windows\\System32\\ntdsutil.exe",
  "subtype": "create",
  "timestamp": "2019-11-19T12:24:07.030000",
  "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}",
  "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
  "user": "NT AUTHORITY\\SYSTEM",
  "user_domain": "NT AUTHORITY",
  "user_name": "SYSTEM"
}
{
  "command_line": "C:\\Windows\\system32\\cmd.exe",
  "event_type": "process",
  "logon_id": 999,
  "parent_process_name": "lsass.exe",
  "parent_process_path": "C:\\Windows\\System32\\lsass.exe",
  "pid": 3440,
  "ppid": 632,
  "process_name": "cmd.exe",
  "process_path": "C:\\Windows\\System32\\cmd.exe",
  "subtype": "create",
  "timestamp": "2019-11-19T12:23:55.622000",
  "unique_pid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
  "unique_ppid": "{7431d376-cd7f-5dd3-0000-001013920000}",
  "user": "NT AUTHORITY\\SYSTEM",
  "user_domain": "NT AUTHORITY",
  "user_name": "SYSTEM"
}

Lucky that they're so close and we didn't have to actually match things up much
