import Evtx.Evtx as evtx
import xml.etree.ElementTree as ET
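# XML namespace used by every element of a Windows event record, as
# emitted by record.xml() and matched by ElementTree's '{ns}tag' syntax.
namespace = '{http://schemas.microsoft.com/win/2004/08/events/event}'
# Source address whose successful logons we are looking for.
suspicious_ip = '172.31.254.101'
# Windows Security event ID 4624: an account was successfully logged on.
LOGON_EVENT_ID = '4624'


def logon_fields(event):
    """Return ``(TargetUserName, IpAddress)`` for a 4624 event, else ``None``.

    Args:
        event: the root ``<Event>`` element of one parsed EVTX record.

    Returns:
        A ``(username, ip)`` tuple for a successful-logon event, or ``None``
        when the record is not a 4624 event or lacks a ``<System>``/
        ``<EventID>`` element.  A missing ``<EventData>`` or missing
        ``Data`` field yields ``''`` for that position rather than raising,
        so the caller's string comparison still works.  When the same field
        name appears more than once, the last occurrence wins.
    """
    system = event.find('{}System'.format(namespace))
    if system is None:
        return None
    event_id = system.find('{}EventID'.format(namespace))
    if event_id is None or event_id.text != LOGON_EVENT_ID:
        return None

    username = ''
    ip = ''
    event_data = event.find('{}EventData'.format(namespace))
    if event_data is not None:
        for child in event_data:
            name = child.get('Name')
            if name == 'TargetUserName':
                username = child.text or ''
            elif name == 'IpAddress':
                ip = child.text or ''
    return username, ip


def main():
    """Scan ho-ho-no.evtx and print the first 4624 logon from suspicious_ip.

    Only the first matching record is reported; remove the ``break`` to list
    every account that address logged into.
    """
    with evtx.Evtx('ho-ho-no.evtx') as log:
        for record in log.records():
            event = ET.fromstring(record.xml())
            fields = logon_fields(event)
            if fields is None:
                continue
            username, ip = fields
            if ip != suspicious_ip:
                continue
            print('Username {} was broken into by {}'.format(username, ip))
            break


if __name__ == '__main__':
    main()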
xillwillx commented Jan 17, 2019

Nice — I just did it with grep/sed/uniq:
python evtx_dump.py ho-ho-no.evtx|grep -A20 4624|grep TargetUserName|sed -e 's/<[^>]*>//g'|grep "." |uniq -d
