SANS Holiday Hack 2019 Objective 4 - Determine Technique
#!/usr/bin/env python3
# SANS Holiday Hack 2019 Objective 4 - Determine Technique
import json
from datetime import datetime, timedelta
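def pprint(s):
    """Return *s* as pretty-printed (2-space indented) JSON text.

    Args:
        s: A dict/list decoded from the sysmon JSON, or a string holding a
           Python ``repr`` of one (single-quoted keys and values).  Decoded
           containers are serialised directly; the quote-swapping repair is
           only applied to the string form, because it cannot cope with
           apostrophes inside values or with ``True``/``False``/``None``.

    Returns:
        The text produced by ``json.dumps(..., indent=2)``.

    Raises:
        json.JSONDecodeError: if the repaired string is still not valid JSON.
    """
    if isinstance(s, (dict, list)):
        # Already JSON-compatible: no need to round-trip through repr().
        return json.dumps(s, indent=2)
    # Best-effort repair of a Python repr: protect any existing double quotes,
    # then turn the single-quoted repr delimiters into JSON double quotes.
    repaired = str(s).replace('"', '\\"').replace("'", '"')
    return json.dumps(json.loads(repaired), indent=2)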
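# Sysmon events exported as a JSON list; the fixture sits next to the script.
with open('sysmon-data.json') as f:
    data = json.load(f)

# Newest event first, so the list neighbours *before* an entry are the events
# that happened just after it (its children, if the log is tight enough).
data.sort(key=lambda x: x['timestamp'], reverse=True)

# Timestamps look like Windows FILETIME ticks (100 ns units since 1601-01-01);
# convert them to ISO-8601 for readability.  The sort above used the raw
# integers, so the ordering is unaffected.
FILETIME_EPOCH = datetime(1601, 1, 1)
for event in data:
    event['timestamp'] = (
        FILETIME_EPOCH + timedelta(microseconds=event['timestamp'] // 10)
    ).isoformat()

# lsass.exe normally does not spawn shells such as cmd.exe; an event whose
# parent is lsass is the anomaly hunted here.  Print it together with the two
# next-newer events, which (given the sorted order) are its likely descendants.
for i, event in enumerate(data):
    parent = event.get('parent_process_name')
    if parent is None or 'lsass' not in parent.lower():
        continue
    # Clamp the window at the start of the list: plain i-2 / i-1 indexing
    # would wrap around to the oldest events when i < 2.
    window = data[max(i - 2, 0):i + 1]
    print("\n".join(pprint(e) for e in window))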
cetaSYN commented Jan 7, 2020

Output we're looking for:

{
  "command_line": "ntdsutil.exe  \"ac i ntds\" ifm \"create full c:\\hive\" q q",
  "event_type": "process",
  "logon_id": 999,
  "parent_process_name": "cmd.exe",
  "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
  "pid": 3556,
  "ppid": 3440,
  "process_name": "ntdsutil.exe",
  "process_path": "C:\\Windows\\System32\\ntdsutil.exe",
  "subtype": "create",
  "timestamp": "2019-11-19T12:24:07.030000",
  "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}",
  "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
  "user": "NT AUTHORITY\\SYSTEM",
  "user_domain": "NT AUTHORITY",
  "user_name": "SYSTEM"
}
{
  "command_line": "C:\\Windows\\system32\\cmd.exe",
  "event_type": "process",
  "logon_id": 999,
  "parent_process_name": "lsass.exe",
  "parent_process_path": "C:\\Windows\\System32\\lsass.exe",
  "pid": 3440,
  "ppid": 632,
  "process_name": "cmd.exe",
  "process_path": "C:\\Windows\\System32\\cmd.exe",
  "subtype": "create",
  "timestamp": "2019-11-19T12:23:55.622000",
  "unique_pid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
  "unique_ppid": "{7431d376-cd7f-5dd3-0000-001013920000}",
  "user": "NT AUTHORITY\\SYSTEM",
  "user_domain": "NT AUTHORITY",
  "user_name": "SYSTEM"
}

Lucky that they're so close together in the sorted output, so we didn't have to actually match things up much.

