script pyth
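"""Look for failed-logon bursts (event 4625) and privileged logons (event 4672)
in the local Windows Security event log and write the findings to an HTML report.

Reading the Security log needs pywin32 (``win32evtlog``) and, on a default
Windows configuration, administrative rights; without them ``OpenEventLog`` /
``ReadEventLog`` raise ``pywintypes.error``.
"""
import html
import json
from datetime import datetime
from pathlib import Path

try:
    import win32evtlog  # pywin32, Windows only
except ImportError:
    # Keep the module importable elsewhere (e.g. to unit-test the detection
    # rules on exported events); extract_security_logs() raises a clear error.
    win32evtlog = None

# Timestamp format written into the event dicts and parsed back by the detectors.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Cell styles shared by both alert tables.
_CELL = '<td style="padding: 12px;">{}</td>'
_CELL_HIGHLIGHT = '<td style="padding: 12px; font-weight: bold; color: #d32f2f;">{}</td>'


def extract_security_logs(ev_id, *, save_json=False):
    """Return every record of the local Security log whose EventID equals ``ev_id``.

    The log is read newest-first (``EVENTLOG_BACKWARDS_READ``), so index 0 of the
    result is the most recent matching event. Each record is a dict with keys
    ``event_id``, ``time`` (string in ``TIME_FORMAT``), ``source``, ``strings``
    (the raw ``StringInserts``, may be ``None``), ``ip`` (the second-to-last
    insert, or ``None`` when the record has fewer than two inserts) and
    ``computer``.

    NOTE: for 4625 the last two inserts are IpAddress and IpPort, so ``ip`` is
    only meaningful for that event ID; for other IDs (e.g. 4672) the field holds
    whatever string happens to be second-to-last.

    Args:
        ev_id: Security event ID to keep (e.g. 4625, 4672).
        save_json: also dump the list to ``security_log_<ev_id>.json`` in the
            current directory.

    Raises:
        RuntimeError: when pywin32's ``win32evtlog`` is not importable.
    """
    if win32evtlog is None:
        raise RuntimeError("win32evtlog (pywin32) is required to read the Security log")

    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    events = []
    handle = win32evtlog.OpenEventLog("localhost", "Security")
    try:
        # Release the log handle even if a record raises while being decoded.
        while True:
            batch = win32evtlog.ReadEventLog(handle, flags, 0)
            if not batch:
                break
            for event in batch:
                if event.EventID != ev_id:
                    continue
                inserts = event.StringInserts or ()
                events.append({
                    "event_id": event.EventID,
                    "time": event.TimeGenerated.strftime(TIME_FORMAT),
                    "source": event.SourceName,
                    "strings": event.StringInserts,
                    "ip": inserts[-2] if len(inserts) >= 2 else None,
                    "computer": event.ComputerName,
                })
    finally:
        win32evtlog.CloseEventLog(handle)

    if save_json:
        Path(f"security_log_{ev_id}.json").write_text(
            json.dumps(events, indent=2, ensure_ascii=False), encoding="utf-8"
        )
    return events


def _alert_table(title, label, columns):
    """Render one red alert table.

    Every value is HTML-escaped before insertion: usernames, workstation names
    and similar inserts in failed-logon events are chosen by the remote party,
    so writing them raw would let an attacker inject markup into the report.

    Args:
        title: header text of the first column (prefixed with the siren).
        label: text of the first body cell.
        columns: sequence of ``(header, value, highlight)``; ``highlight`` uses
            the bold red cell style.
    """
    head = "".join(
        f'<th style="padding: 12px;">{html.escape(str(header))}</th>'
        for header, _, _ in columns
    )
    body = "".join(
        (_CELL_HIGHLIGHT if highlight else _CELL).format(html.escape(str(value)))
        for _, value, highlight in columns
    )
    return (
        '<div class="bruteforce-alert">'
        '<table style="border-collapse: collapse; width: 100%; background: #ffebee; border: 2px solid #f44336;">'
        '<thead><tr style="background: #f44336; color: white;">'
        f'<th style="padding: 12px; text-align: left;">🚨 {html.escape(title)}</th>{head}'
        "</tr></thead>"
        '<tbody><tr style="background: #ffcdd2;">'
        f'<td style="padding: 12px; font-weight: bold;">{html.escape(label)} </td>{body}'
        "</tr></tbody></table></div>"
    )


def detect_bruteforce(events, window_seconds=10, threshold=5):
    """Flag a burst of failed logons (4625).

    ``events`` is expected newest-first, as returned by ``extract_security_logs``.
    Rule: if the newest event and the ``threshold``-th newest are less than
    ``window_seconds`` apart, report a brute force. Only the most recent
    ``threshold`` records are examined, so an older burst is not detected, and
    failures are not grouped by source IP, so several slow sources can also
    trigger the rule. The time difference is taken as an absolute value so the
    result does not depend on the sort direction of ``events``.

    Args:
        events: event dicts with at least ``time``, ``event_id``, ``computer``, ``ip``.
        window_seconds: maximum spread of the ``threshold`` newest failures.
        threshold: number of failures that must fall inside the window.

    Returns:
        An HTML table (str) describing the burst, or ``False``.
    """
    count = len(events)
    if count < threshold:
        return False

    newest = datetime.strptime(events[0]["time"], TIME_FORMAT)
    oldest = datetime.strptime(events[threshold - 1]["time"], TIME_FORMAT)
    interval = abs((newest - oldest).total_seconds())
    if interval >= window_seconds:
        return False

    first = events[0]
    return _alert_table(
        "BRUTEFORCE",
        "Authentication failure",
        [
            ("EVENT ID", first["event_id"], False),
            ("Interval", interval, False),
            ("Occurences", count, False),
            ("Date", f"{newest} → {oldest}", False),
            ("Computer", first["computer"], True),
            ("IP Source", first["ip"], True),
        ],
    )


def privilege_escalation(events):
    """Report the presence of 4672 events.

    4672 ("special privileges assigned to new logon") is raised for every logon
    of an account holding admin-equivalent privileges, including SYSTEM and
    service accounts, so it is a noisy indicator of privileged activity rather
    than proof of an escalation; correlate the subject in ``strings`` before
    acting on it.

    Args:
        events: 4672 event dicts, newest-first.

    Returns:
        An HTML table (str) whose Date column shows the most recent event's
        time, or ``False`` when ``events`` is empty.
    """
    if not events:
        return False

    first = events[0]
    return _alert_table(
        "PRIVILEGE ESCALATION",
        "privilege escalation",
        [
            ("EVENT ID", first["event_id"], False),
            ("Occurences", len(events), False),
            ("Date", first["time"], False),
            ("Computer", first["computer"], True),
        ],
    )


def html_report(bt_content=False, esc_content=False, out_dir="report"):
    """Write the alerts to ``<out_dir>/report-<timestamp>.html`` and return its path.

    A ``False`` result (no detection) is rendered as a short "nothing found"
    line instead of the literal text ``False``. ``out_dir`` is created when
    missing.

    Args:
        bt_content: result of ``detect_bruteforce``.
        esc_content: result of ``privilege_escalation``.
        out_dir: directory receiving the report.
    """
    target_dir = Path(out_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    report_path = target_dir / f"report-{datetime.now().strftime('%Y%m%d-%H%M%S')}.html"

    bruteforce_section = bt_content or "<p>No brute-force burst detected.</p>"
    escalation_section = esc_content or "<p>No privileged logon (4672) found.</p>"
    document = (
        "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n</head>\n<body>\n"
        f"{bruteforce_section}\n<br>\n{escalation_section}\n"
        "</body>\n</html>"
    )
    report_path.write_text(document, encoding="utf-8")
    return str(report_path)


def main():
    """Collect 4625/4672 events, run both detectors and write the report."""
    bt_events = extract_security_logs(4625)
    escalation_events = extract_security_logs(4672)
    html_report(detect_bruteforce(bt_events), privilege_escalation(escalation_events))


if __name__ == "__main__":
    main()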