eventlog_creds Module #452

Open: wants to merge 7 commits into main
Conversation

lodos2005 (Contributor) commented Oct 13, 2024

[Screenshots: 2024-10-14 at 01:03:53 and 01:03:20]

I have added a new module that extracts user credentials from Windows event logs. The main focus is on monitoring logs, such as Sysmon or Windows Security log Event ID 4688. If computers are monitored using Windows Event Forwarding (WEF) or SIEM solutions, executed commands and their arguments can be stored in the event log. I designed this module to find credentials in those logs and extract them.

add new module

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
fix for lint

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
NeffIsBack (Contributor)

Thanks for the PR :)

Dfte (Contributor) commented Oct 14, 2024

Hey dude!

Really nice PR! Is there a way you can retrieve the event log files without running an additional execute() operation?

lodos2005 (Contributor, Author) commented Oct 14, 2024

> Hey dude!
>
> Really nice PR! Is there a way you can retrieve the event log files without running an additional execute() operation?

Hm, maybe we can use even/even6; I will look into that.

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
add rpc method

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
lodos2005 (Contributor, Author)

Well, I added an RPC method also. The RPC call is a bit slower on large logs, but I think it is more stealthy.

[Screenshots: 2024-10-15 at 01:18:52 and 01:18:08]
I don't know which one should be the default.

fix for linter, spaces

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
Dfte (Contributor) commented Oct 15, 2024

Amazing!!! To be honest I'd rather have RPC be the default one, as it will improve stealthiness and allow an attacker to dump credentials without raising alerts because of the execute :)

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
3 participants