# import required python modules
import re,sys
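# NOTE(review): ported from Python 2 (print statement, raw_input, file(),
# "except X, e") to Python 3; the original interpreter is end-of-life. The
# listing also truncated the final raw_input() prompt, which is restored below.

# Detection heuristic carried over from the original tool: pwdump-style
# dumpers start a temporary service whose name is a GUID-shaped token in
# braces, and the Service Control Manager (presumably event 7036) logs
# "The {...} service entered the ... state". The wildcard layout is the
# original 8-4-4-4-12 (the comment's own example had 9 leading characters);
# the braces are escaped so the pattern reads as intended. NOTE(review):
# '.' also matches spaces and punctuation, and any legitimate service with a
# GUID display name will hit too - treat a match as a lead to triage, and a
# miss as "not seen" rather than "not run" (a renamed service or a cleared
# log evades this check entirely).
PWDUMP_SERVICE_RE = re.compile(r"The \{........-....-....-....-............\} service entered")

# Characters allowed in the operator-supplied server name when it becomes
# part of the report file name. Path separators, "..", drive letters and
# shell metacharacters are replaced so the report can only land in the
# current working directory.
_SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9._-]")


def find_pwdump_events(lines):
    """Return every line of *lines* matching PWDUMP_SERVICE_RE, right-stripped.

    Args:
        lines: iterable of text lines (an open text file, a list of str, ...).

    Returns:
        list of matching lines in input order with trailing whitespace
        (including the CSV's CRLF) removed; empty when nothing matches.
    """
    return [line.rstrip() for line in lines if PWDUMP_SERVICE_RE.search(line)]


def sanitize_servername(servername):
    """Reduce *servername* to a file-name-safe stem for the findings report.

    Surrounding whitespace is dropped and every character outside
    [A-Za-z0-9._-] becomes "_", so an input such as "../../x" or
    "C:\\foo" cannot steer the report outside the working directory.
    """
    return _SAFE_NAME_RE.sub("_", servername.strip())


def _open_log(path):
    """Open the exported event log read-only as text, tolerating odd encodings.

    Event Viewer exports are not guaranteed to be UTF-8: a UTF-16 BOM is
    sniffed so such a file still decodes, everything else is read as UTF-8
    (BOM stripped) with undecodable bytes replaced - the pattern is pure
    ASCII, so replacement characters never affect matching. The evidence
    file is never opened for writing. Raises OSError if it cannot be opened.
    """
    with open(path, "rb") as probe:
        head = probe.read(2)
    encoding = "utf-16" if head in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return open(path, "r", encoding=encoding, errors="replace")


def main():
    """Interactive entry point: prompt for the CSV and server name, scan, report.

    Writes "<servername>findingsreport.txt" in the current directory
    (overwriting an existing one, as the original did). Exits 1 when the
    log cannot be read or the report cannot be written; the original exited
    0 on a bad filename, which hid the failure from callers and scripts.
    """
    if sys.version_info[0] < 3:
        # On Python 2 input() would eval() whatever the operator types.
        sys.exit("This tool requires Python 3.")

    print("""
[-] PWDump Event Log Finder [-]
[-] Written by David Kennedy @ SecureState [-]
""")
    eventlog = input("""
[--------------------------------------------------------------------------]
This tool will search for instances of pwdump within the SYSTEM event log.
Simply enter the filename of the system event log, example: system.csv
*NOTE* Ensure that the event log was exported as a CSV.
[--------------------------------------------------------------------------]
Enter the filename for the SYSTEM log: """)
    # Sanitized before use: this value is spliced into a file name.
    servername = sanitize_servername(input("Enter the servername: "))
    report_name = "%sfindingsreport.txt" % (servername,)

    try:
        with _open_log(eventlog) as log:
            hits = find_pwdump_events(log)
    except OSError:
        print("\n[-] Error [-] Filename was incorrect. Try again....")
        sys.exit(1)

    try:
        # "with" guarantees the report is flushed and closed even if a
        # write fails; the original left the handle open on any exception.
        with open(report_name, "w") as report:
            for line in hits:
                report.write(line + "\n")
            if hits:
                warning = """
[-] W A R N I N G [-]
PWDUMP WAS EXECUTED ON THIS SERVER!!!!!!
CHECK "%sfindingsreport.txt" FOR MORE INFORMATION.
[-] W A R N I N G [-]
""" % (servername,)
                print(warning)
                report.write("\n" + warning)
            else:
                print("\n[-] The system appears to not have executed PWDump [-]\n")
                report.write("PWDump was not detected on the system.")
    except Exception as e:
        # Top-level boundary of an interactive tool: report and exit non-zero.
        print("Something went wrong, printing error: " + str(e))
        sys.exit(1)

    # Pause before exit (the original prompt text was cut off in the listing).
    input("Press Enter to exit...")


if __name__ == "__main__":
    main()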