A library for fast import of Windows Prefetch into Elasticsearch.
Project description
prefetch2es
Fast import of Windows Prefetch(.pf) into Elasticsearch.
prefetch2es uses C library libscca.
Usage
When using from the commandline interface:
$ prefetch2es /path/to/your/file.pf
When using from the python-script:
from prefetch2es.prefetch2es import prefetch2es
if __name__ == '__main__':
filepath = '/path/to/your/file.pf'
prefetch2es(filepath)
Arguments
prefetch2es supports importing from multiple files.
$ prefetch2es file1.pf file2.pf file3.pf
Also, possible to import recursively from a specific directory.
$ tree .
pffiles/
├── file1.pf
├── file2.pf
├── file3.pf
└── subdirectory/
├── file4.pf
└── subsubdirectory/
├── file5.pf
└── file6.pf
$ prefetch2es /pffiles/ # The Path is recursively expanded to file1~6.pf.
Options
--host:
ElasticSearch host address
(default: localhost)
--port:
ElasticSearch port number
(default: 9200)
--index:
Index name
(default: prefetch2es)
--scheme:
Scheme to use (http, or https)
(default: http)
--pipeline
Elasticsearch Ingest Pipeline to use
(default: )
--login:
The login to use if Elastic Security is enable
(default: )
--pwd:
The password linked to the login provided
(default: )
Examples
When using from the commandline interface:
$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar
When using from the python-script:
if __name__ == '__main__':
prefetch2es('/path/to/your/file.pf', host=localhost, port=9200, index='foobar')
With the Amazon Elasticsearch Serivce (ES):
$ prefetch2es /path/to/your/file.pf --host=example.us-east-1.es.amazonaws.com --port=443 --scheme=https --index=foobar
With credentials for Elastic Security:
$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******
Note: The current version does not verify the certificate.
Supported Prefetch versions
- Windows XP
- Windows 2003
- Windows Vista (SP0)
- Windows 7 (SP0)
- Windows 8.1
- Windows 10 1809
- Windows 10 1903
For more information, please visit libscca.
Appendix
prefetch2json
Extra feature. 🍣 🍣 🍣
Convert from Windows Prefetch to json file.
$ prefetch2json /path/to/your/file.pf /path/to/output/target.json
Convert from Windows Prefetch to Python dict object.
from prefetch2es import prefetch2json
if __name__ == '__main__':
filepath = '/path/to/your/file.pf'
result: dict = prefetch2json(filepath)
Output Format Example
Using the sample prefetch file of EricZimmerman/Prefetch as an example.
{
"name": "CALC.EXE",
"filenames": [
"\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
...
],
"exec_count": 2,
"last_exec_time": 130974496211967500,
"format_version": 23,
"prefetch_hash": 2013131135,
"metrics": [
{
"filename": "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
"file_reference": 281474976736310
},
...
],
"volumes": [
{
"path": "\\DEVICE\\HARDDISKVOLUME2",
"creation_time": 130974525181093750,
"serial_number": 2281737263
}
]
}
Installation
via PyPI
$ pip install prefetch2es
via DockerHub
$ docker pull sumeshi/prefetch2es:latest
Run with Docker
https://hub.docker.com/r/sumeshi/prefetch2es
prefetch2es
# "host.docker.internal" is only available in mac and windows environments.
# For linux, use the --add-host option.
$ docker run -t --rm -v $(pwd):/app sumeshi/prefetch2es:latest prefetch2es SAMPLE.pf --host=host.docker.internal
prefetch2json
$ docker run -t --rm -v $(pwd):/app sumeshi/prefetch2es:latest prefetch2es SAMPLE.pf out.json
Do not use the "latest" image if at all possible.
The "latest" image is not a released version, but is built from the contents of the master branch.
Contributing
The source code for prefetch2es is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/prefetch2es). Please report issues and feature requests. :sushi: :sushi: :sushi:
License
prefetch2es is released under the MIT License.
Powered by libscca.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file prefetch2es-2.1.0.tar.gz.
File metadata
- Download URL: prefetch2es-2.1.0.tar.gz
- Upload date:
- Size: 6.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c7a73345b8c028aa44bb3dbb0a846e063c43c192ecbe57646fa9e518fafb50df |
|
| MD5 | 8fecf30221e084d3e36ad53994a989cf |
|
| BLAKE2b-256 | baa9b60a1fe75a7716259c44d6aa04e1f5229f24b4d77cb67a8ca67de60fba31 |
File details
Details for the file prefetch2es-2.1.0-py3-none-any.whl.
File metadata
- Download URL: prefetch2es-2.1.0-py3-none-any.whl
- Upload date:
- Size: 6.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1ed3d4e2867d837fed2278d7031cde44d8ed5541716778a8eaaf392b9322ddb1 |
|
| MD5 | 5b0b6413f1302d7038b11a8023906ebb |
|
| BLAKE2b-256 | ea4b4e317394d5674a08509c877d6f5c2ec5305ad3bef0be5f7f3a6ee7fd72e7 |
