custom mimikatz parser

app/service/parsing_svc.py

@@ -20,6 +20,8 @@ async def parse_facts(self, operation):
                     matched_facts = self._json(parser[0], b64decode(x['output']).decode('utf-8'))
                 elif parser[0]['name'] == 'line':
                     matched_facts = self._line(parser[0], b64decode(x['output']).decode('utf-8'))
+                elif parser[0]['name'] == 'parse_mimikatz':
+                    matched_facts = self._parse_mimikatz(b64decode(x['output']).decode('utf-8'))
                 else:
                     matched_facts = self._regex(parser[0], b64decode(x['output']).decode('utf-8'))
 
@@ -67,3 +69,18 @@ def _regex(parser, blob):
     @staticmethod
     def _line(parser, blob):
         return [dict(fact=parser['property'], value=f.strip(), set_id=0) for f in blob.split('\n') if f]
+
+    @staticmethod
+    def _parse_mimikatz(blob):
+        set_id = 0
+        matched_facts = []
+        list_lines = blob.split('\n')
+        for i, line in enumerate(list_lines):
+            if 'Username' in line and '(null)' not in line:
+                username_fact = dict(fact='host.user.name', value= line.split(':')[1].strip(), set_id=set_id)
+                if 'Password' in list_lines[i + 2] and '(null)' not in list_lines[i+2]:
+                    password_fact = dict(fact='host.user.password', value=list_lines[i+2].split(':')[1].strip(), set_id=set_id)
+                    matched_facts.append(password_fact)
+                    matched_facts.append(username_fact)
+                set_id+=1
+        return matched_facts