From b8c274483f48f19b255b9bd959eb2c73ff42e7f4 Mon Sep 17 00:00:00 2001
From: ajread4
Date: Sun, 8 Sep 2024 15:57:21 -0400
Subject: [PATCH 1/2] fixed issue found with System evtx logs and string Data section
---
 scripts/evtx_dump_json.py | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/scripts/evtx_dump_json.py b/scripts/evtx_dump_json.py
index 3280f04..09d2eaf 100644
--- a/scripts/evtx_dump_json.py
+++ b/scripts/evtx_dump_json.py
@@ -48,22 +48,42 @@ def main(evtx_file,output): json_subline.update({event_system_subkey[1:]: event_system_subvalue}) else: + # Add information to the JSON object for this specific log json_subline.update({event_system_key: event_system_value}) # Loop through each key, value pair of the EventData section of the evtx logs if "EventData" in data_dict['Event'].keys() and data_dict['Event']['EventData'] != None: for event_data_key, event_data_value in data_dict['Event']['EventData'].items(): - for values in event_data_value: - # Loop through each subvalue within the EvenData section to extract necessary information - for event_data_subkey,event_data_subvalue in values.items(): + # Check to see if the EventData Data contains a list + if isinstance(event_data_value,list) and event_data_key!="@Name": + for values in event_data_value: + + # Loop through each subvalue within the EvenData section to extract necessary information + for event_data_subkey,event_data_subvalue in values.items(): + if event_data_subkey == "@Name": + data_name = event_data_subvalue + else: + data_value = event_data_subvalue + + # Add information to the JSON object for this specific log + json_subline.update({data_name: data_value}) + + # Check to see if EventData contains a dictionary + if isinstance(event_data_value,dict) and event_data_key!="@Name": + for event_data_subkey,event_data_subvalue in event_data_value.items(): if event_data_subkey == "@Name": data_name = event_data_subvalue - else: - data_value = event_data_subvalue - + else: + data_value=event_data_subvalue + # Add information to the JSON object for this specific log json_subline.update({data_name: data_value}) + + # Check to see if EventData contains a string + if isinstance(event_data_value,str) and event_data_key!="@Name": + beautify_event_data_value=event_data_value.replace("","").replace("\n"," ").replace("","") + json_subline.update({event_data_key: beautify_event_data_value}) # Loop through each key, value pair in UserData 
section, if present
 if "UserData" in data_dict["Event"].keys():
From 42a8aa476c2a44d29ea32b3d6e9443f01ebc577c Mon Sep 17 00:00:00 2001
From: ajread4
Date: Sun, 8 Sep 2024 15:59:17 -0400
Subject: [PATCH 2/2] fixed spacing
---
 scripts/evtx_dump_json.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/evtx_dump_json.py b/scripts/evtx_dump_json.py
index 09d2eaf..d8e3e50 100644
--- a/scripts/evtx_dump_json.py
+++ b/scripts/evtx_dump_json.py
@@ -75,7 +75,7 @@ def main(evtx_file,output):
 if event_data_subkey == "@Name":
 data_name = event_data_subvalue
 else:
- data_value=event_data_subvalue
+ data_value = event_data_subvalue
 # Add information to the JSON object for this specific log
 json_subline.update({data_name: data_value})
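Review bot: In the new list branch, `data_value` is assigned only when a Data element carries a key other than `@Name`, so an element that has just a name either raises NameError on the first iteration or silently reuses the previous element's value under the new name; the same applies to the dict branch, and to `data_name` when `@Name` is absent. Resetting both before each element, `data_name = data_value = None` at the top of the `for values in event_data_value:` loop (and before the dict branch's loop), makes the gap visible in the output instead of misattributing a value — which matters for a tool whose output is read as evidence. Separately, EventData names are merged into the same flat `json_subline` that already received the System fields earlier in this hunk, so a Data element named like a System key overwrites it; a prefix or a collision check before `json_subline.update({data_name: data_value})` keeps those fields distinct. The string branch's two `.replace("","")` calls are no-ops as shown on this page — if they were meant to strip a non-printing character that the rendering lost, writing it as an explicit escape keeps the intent reviewable. The enclosing `main` starts before the hunk.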