Projects STRLCPY LogonTracer Commits e73d002e
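--- a/logontracer.py
+++ b/logontracer.py
@@ -693,6 +693,14 @@
 yield xml, e
 
 
+def convert_logtime(logtime, tzone):
+tzless = re.sub('[^0-9-:\s]', '', logtime.split(".")[0]).strip()
+try:
+return datetime.datetime.strptime(tzless, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
+except:
+return datetime.datetime.strptime(tzless, "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
+
+
 # Parse the EVTX file
 def parse_evtx(evtx_list):
 cache_dir = os.path.join(FPATH, 'cache')
@@ -830,10 +838,7 @@
 
 if eventid in EVENT_ID:
 logtime = node.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
-try:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
-except:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
+etime = convert_logtime(logtime, tzone)
 stime = datetime.datetime(*etime.timetuple()[:4])
 if args.fromdate or args.todate:
 if args.fromdate and fdatetime > etime:
@@ -1052,10 +1057,7 @@
 ###
 if eventid == 1102:
 logtime = node.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
-try:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
-except:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
+etime = convert_logtime(logtime, tzone)
 deletelog.append(etime.strftime("%Y-%m-%d %H:%M:%S"))
 
 namespace = "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
@@ -1401,10 +1403,7 @@
 
 if eventid in EVENT_ID:
 logtime = hit["@timestamp"].replace("T", " ").split(".")[0]
-try:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
-except:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
+etime = convert_logtime(logtime, tzone)
 
 stime = datetime.datetime(*etime.timetuple()[:4])
 
@@ -1603,10 +1602,7 @@
 ###
 if eventid == 1102:
 logtime = hit["@timestamp"]
-try:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)
-except:
-etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone)
+etime = convert_logtime(logtime, tzone)
 deletelog.append(etime.strftime("%Y-%m-%d %H:%M:%S"))
 
 if hasattr(event.user_data, "SubjectUserName"):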
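Review bot: The character class in `convert_logtime` (new line 697) strips the letter T, so the fallback `strptime(tzless, "%Y-%m-%dT%H:%M:%S")` on new line 701 can never match and the `try`/`except` merely re-raises a second ValueError; a caller that passes an ISO 8601 timestamp with the T separator unnormalised — the hunk at old line 1605 / new 1604 hands `hit["@timestamp"]` straight in, whereas old line 1403 first does `.replace("T", " ")` — will now fail where the replaced inline code succeeded. Keeping T in the class and normalising it makes a single format sufficient: `tzless = re.sub(r'[^0-9\-:\sT]', '', logtime.split(".")[0]).strip().replace("T", " ")` followed by `return datetime.datetime.strptime(tzless, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)`. If the two-format fallback is kept instead, the bare `except:` should be `except ValueError:` so that a KeyboardInterrupt or an unrelated error is not masked by a second parse attempt, and the pattern should be a raw string, since `'\s'` in a plain literal is an invalid escape that newer interpreters warn about. Whether the EVTX SystemTime values at old lines 832 and 1054 also carry a T separator cannot be confirmed from these hunks.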