visualize_logs
A Python library and command line tools to provide log visualization.
- Gallery
- Log Type Support
- Requirements
- Installation
- Usage
- Sample Data
- Documentation
- Resources
- Similar Projects
- License
- Contributing
Gallery
To view these plots you will need JavaScript turned on. The plots are interactive: drag a box around the region you would like to zoom into, and double-click to zoom back out. Hovering over a node displays more information about it. The plot controls are in the upper right-hand corner of the plot.
The plot will look different depending on your browser (Chrome, Firefox, etc.) and the size of your browser window. I typically use Chrome on a Mac with a very large window to see everything I want to see. The smaller your browser window is, the more crowded the plot will be. If you change your browser window size, be sure to click ‘Reload’.
Cuckoo JSON Reports
Kovter Sample 1
SHA256: 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
This sample was identified in the following blog post.
- Example 1
  - Kovter showing processes only
  - plotcuckoojson -t "Kovter Example 1" -f kovter1_example1.html -fa -ra -na 1_report.json
- Example 2
  - Kovter showing processes and network
  - plotcuckoojson -t "Kovter Example 2" -f kovter1_example2.html -fa -ra 1_report.json
- Example 3
  - Kovter showing processes and files
  - plotcuckoojson -t "Kovter Example 3" -f kovter1_example3.html -na -ra 1_report.json
- Example 4
  - Kovter showing processes and registry
  - plotcuckoojson -t "Kovter Example 4" -f kovter1_example4.html -fa -na 1_report.json
Kovter Sample 2
SHA256: bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf
This sample was identified in the following blog post.
- Example 1
  - Kovter showing processes only
  - plotcuckoojson -t "Kovter Example 1" -f kovter2_example1.html -fa -ra -na 2_report.json
- Example 2
  - Kovter showing processes and network
  - plotcuckoojson -t "Kovter Example 2" -f kovter2_example2.html -fa -ra 2_report.json
- Example 3
  - Kovter showing processes and files
  - plotcuckoojson -t "Kovter Example 3" -f kovter2_example3.html -na -ra 2_report.json
- Example 4
  - Kovter showing processes and registry
  - plotcuckoojson -t "Kovter Example 4" -f kovter2_example4.html -fa -na 2_report.json
Ransomware
SHA256: 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
- Example 1
  - Ransomware showing processes only
  - plotcuckoojson -t "Ransomware Example 1" -f ransomware_example1.html -fa -na -ra 3_report.json
- Example 2
  - Ransomware showing processes and network
  - plotcuckoojson -t "Ransomware Example 2" -f ransomware_example2.html -fa -ra 3_report.json
- Example 3
  - Ransomware showing processes and files
  - plotcuckoojson -t "Ransomware Example 3" -f ransomware_example3.html -na -ra 3_report.json
- Example 4
  - Ransomware showing processes and registry
  - plotcuckoojson -t "Ransomware Example 4" -f ransomware_example4.html -na -fa 3_report.json
wwwlgoogle dot com Adware
SHA256: e64910e3549a6c6e01be814b40e0f1fca02db45d5d19e2882a90914cef1c799e
This sample came from wwwlgoogle dot com.
- Example 1
  - wwwlgoogle showing processes only
  - plotcuckoojson -t "wwwlgoogle.com Example 1" -f wwwlgoogle_example1.html -fa -na -ra 4_report.json
- Example 2
  - wwwlgoogle showing processes and network
  - plotcuckoojson -t "wwwlgoogle.com Example 2" -f wwwlgoogle_example2.html -fa -ra 4_report.json
- Example 3
  - wwwlgoogle showing processes and files
  - plotcuckoojson -t "wwwlgoogle.com Example 3" -f wwwlgoogle_example3.html -na -ra 4_report.json
- Example 4
  - wwwlgoogle showing processes and registry
  - plotcuckoojson -t "wwwlgoogle.com Example 4" -f wwwlgoogle_example4.html -fa -na 4_report.json
ProcMon CSV Logs
The “focused” views were generated by selecting just the PIDs I wanted to show in ProcMon before saving the data to a CSV.
Kovter Sample 1
SHA256: 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
This sample was identified in the following blog post.
- Example 1
  - Kovter showing processes only (Focused)
  - plotprocmoncsv -sp -t "Kovter Example 1" -f kovter1_example1.html kovter1_focused.csv
  - Notice how this doesn’t show much. This is one example where filtering with ProcMon hurt us. We know more happens with Kovter. Let’s look at all the activity…
- Example 2
  - Kovter showing processes only (All)
  - plotprocmoncsv -sp -t "Kovter Example 2" -f kovter1_example2.html kovter1.csv
  - Notice how this doesn’t show much. We know more happens with Kovter.
- Example 3
  - Kovter showing processes and file writes/deletes/renames (All)
  - plotprocmoncsv -sp -pfw -pfd -pfn -t "Kovter Example 3" -f kovter1_example3.html kovter1.csv
- Example 4
  - Kovter showing processes and Registry writes/deletes (All)
  - plotprocmoncsv -sp -prw -prd -t "Kovter Example 4" -f kovter1_example4.html kovter1.csv
- Example 5
  - Kovter showing processes and network (All)
  - plotprocmoncsv -sp -pu -pt -t "Kovter Example 5" -f kovter1_example5.html kovter1.csv
Kovter Sample 2
SHA256: bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf
This sample was identified in the following blog post.
- Example 1
  - Kovter showing processes only (Focused)
  - plotprocmoncsv -sp -t "Kovter Example 1" -f kovter2_example1.html kovter2_focused.csv
  - Notice how this doesn’t show much. This is one example where filtering with ProcMon hurt us. We know more happens with Kovter. Let’s look at all the activity…
- Example 2
  - Kovter showing processes only (All)
  - plotprocmoncsv -sp -t "Kovter Example 2" -f kovter2_example2.html kovter2.csv
  - Notice how this doesn’t show much. We know more happens with Kovter.
- Example 3
  - Kovter showing processes and file writes/deletes/renames (All)
  - plotprocmoncsv -sp -pfw -pfd -pfr -t "Kovter Example 3" -f kovter2_example3.html kovter2.csv
- Example 4
  - Kovter showing processes and Registry writes/deletes (All)
  - plotprocmoncsv -sp -prw -prd -t "Kovter Example 4" -f kovter2_example4.html kovter2.csv
- Example 5
  - Kovter showing processes and network (All)
  - plotprocmoncsv -sp -pu -pt -t "Kovter Example 5" -f kovter2_example5.html kovter2.csv
Ransomware
SHA256: 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
- Example 1
  - Ransomware showing processes only (Focused)
  - plotprocmoncsv -sp -t "Ransomware Example 1" -f ransomware_example1.html Ransomware_focused.csv
- Example 2
  - Ransomware showing processes only (All)
  - plotprocmoncsv -sp -t "Ransomware Example 2" -f ransomware_example2.html Ransomware_focused.csv
- Example 3
  - Ransomware showing processes and network only (All)
  - plotprocmoncsv -sp -pt -pu -t "Ransomware Example 3" -f ransomware_example3.html Ransomware_focused.csv
- Example 4
  - Ransomware showing file writes/renames/deletes (Focused)
  - plotprocmoncsv -t "Ransomware Example 4" -pfw -pfd -pfn -sp -f ransomware_example4.html Ransomware_focused.csv
  - Notice how clear it is that this is ransomware, based on all the file writes!
- Example 5
  - Ransomware showing file writes/renames/deletes (All)
  - plotprocmoncsv -t "Ransomware Example 5" -pfw -pfd -pfn -sp -f ransomware_example5.html Ransomware.csv
  - Notice how clear it is that this is ransomware, based on all the file writes!
- Example 6
  - Ransomware showing Registry writes and deletes (Focused)
  - plotprocmoncsv -t "Ransomware Example 6" -prw -prd -sp -f ../gallery/procmoncsv/ransomware_example6.html "/Source/Procmon CSV/Ransomware_focused.csv"
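Two things the ProcMon examples above rely on are worth seeing as plain bookkeeping: a "focused" export that keeps only selected PIDs also drops the events of any processes those PIDs create, which is one way a ProcMon filter can hide activity, and the ransomware plots stand out because of the volume of file writes per process. The following Python is an added example, not code from visualize_logs: it parses a ProcMon CSV export, rebuilds the process tree from Process Create events so a focus set can be widened to descendants, and counts file writes/renames/deletes per PID. The CSV rows are constructed, and the mapping of ProcMon operation names (WriteFile, SetRenameInformationFile, SetDispositionInformationFile) to the three categories is an assumption.

```python
import csv
import io
import re
from collections import Counter

# Constructed ProcMon-style CSV export with the default column set; not the page's sample data.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01.0,explorer.exe,1200,Process Create,C:\Users\a\dropper.exe,SUCCESS,"PID: 3000, Command line: dropper.exe"
10:00:02.0,dropper.exe,3000,Process Create,C:\Windows\System32\cmd.exe,SUCCESS,"PID: 3100, Command line: cmd.exe"
10:00:03.0,dropper.exe,3000,WriteFile,C:\Users\a\Documents\a.docx.locked,SUCCESS,Offset: 0
10:00:04.0,dropper.exe,3000,WriteFile,C:\Users\a\Documents\b.xlsx.locked,SUCCESS,Offset: 0
10:00:05.0,dropper.exe,3000,SetRenameInformationFile,C:\Users\a\Documents\c.pdf,SUCCESS,FileName: c.pdf.locked
10:00:06.0,cmd.exe,3100,SetDispositionInformationFile,C:\Users\a\Documents\c.pdf.bak,SUCCESS,Delete: True
10:00:07.0,svchost.exe,800,WriteFile,C:\Windows\Temp\log.txt,SUCCESS,Offset: 0
"""
# Assumed ProcMon operation names for the three file categories the plots distinguish.
FILE_OPS = {"WriteFile": "write", "SetRenameInformationFile": "rename",
            "SetDispositionInformationFile": "delete"}

def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def process_tree(rows):
    """Build {parent_pid: [child_pid, ...]} from Process Create events (child PID is in Detail)."""
    tree = {}
    for row in rows:
        if row["Operation"] == "Process Create" and (m := re.search(r"PID:\s*(\d+)", row["Detail"])):
            tree.setdefault(int(row["PID"]), []).append(int(m.group(1)))
    return tree

def descendants(tree, root):
    """Return root plus every PID it created, transitively: the set a PID-only filter leaves out."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(tree.get(pid, []))
    return seen

def file_activity(rows, pids):
    """Count successful file writes/renames/deletes per PID, restricted to the given PID set."""
    counts = Counter()
    for row in rows:
        cat = FILE_OPS.get(row["Operation"])
        if cat and int(row["PID"]) in pids and row["Result"] == "SUCCESS":
            counts[(int(row["PID"]), cat)] += 1
    return counts
```

Focusing on PID 3000 alone reports no deletes, while focusing on descendants(tree, 3000) also attributes the delete performed by the child cmd.exe; a per-PID write count that climbs across user document paths is the same signal the ransomware plots make visible.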
wwwlgoogle dot com Adware
SHA256: e64910e3549a6c6e01be814b40e0f1fca02db45d5d19e2882a90914cef1c799e
This sample came from wwwlgoogle dot com.
- Example 1
  - wwwlgoogle showing processes only (Focused)
  - plotprocmoncsv -sp -t "wwwlgoogle.com Example 1" -f wwwlgoogle_example1.html wwwlgoogle_focused.csv
- Example 2
  - wwwlgoogle showing processes only (All)
  - plotprocmoncsv -sp -t "wwwlgoogle.com Example 2" -f wwwlgoogle_example2.html wwwlgoogle.csv
- Example 3
  - wwwlgoogle showing processes and network…