SecureState Blog

I helped a client recently to identify whether PWDump had been successfully run on a system. There are a million ways to do it; however, the easiest is to check whether the PWDump service (which gets a randomized name) was successfully started and stopped. When PWDump executes, it injects a service, starts it, does its dirty work, and then stops it, and all of this is tracked in the event log. The following Python code can be found on with a compiled binary as well as the source. This is something I whipped up in about 20 minutes, so don't be too rough on the code :P Simply export the event log as a CSV; the parser reads in the event log, does some regex matching, and flags if/when PWDump was run.

Source code below:

# import required python modules
import re
import sys

print("""
[-] PWDump Event Log Finder [-]
[-] Written by David Kennedy @ SecureState [-]

This tool will search for instances of pwdump within the SYSTEM event log.

Simply enter the filename of the system event log, example: system.csv

*NOTE* Ensure that the event log was exported as a CSV.
""")

try:
    # define logfile name
    eventlog = input("Enter the filename for the SYSTEM log: ")
    # used for unique report name
    servername = input("Enter the servername: ")
    # open CSV log file
    try:
        with open(eventlog, "r") as handle:
            fileopen = handle.readlines()
    # throw error if filename not there
    except IOError:
        print("""
[-] Error [-] Filename was incorrect. Try again....""")
        sys.exit(1)
    # define report file
    filewrite = open("%sfindingsreport.txt" % (servername), "w")
    # set counter to 0
    counter = 0
    # regex string for pwdump: the service name is a GUID and would look
    # something like 23F423432-43AV-2323-FBEA-JSD23930292, so match the
    # Service Control Manager message "The {GUID} service entered ..."
    pwdump_regex = re.compile(r"The \{........-....-....-....-............\} service entered")
    for line in fileopen:
        match = pwdump_regex.search(line)
        if match:
            # flag counter if hit on regex
            counter += 1
            # write finding to file
            filewrite.write(line)
    # if counter hit and is above 0, define var, print it, and write it to file
    if int(counter) > 0:
        var1 = """
[-] W A R N I N G [-]


CHECK "%sfindingsreport.txt" FOR MORE INFORMATION.

[-] W A R N I N G [-]
""" % (servername)
        print(var1)
        filewrite.write(var1)
    # if no instances of pwdump write to report file that it wasn't found
    if counter == 0:
        print("""
[-] The system appears to not have executed PWDump [-]
""")
        filewrite.write("PWDump was not detected on the system.")
    # close write file
    filewrite.close()
    # pause before application exit
    pause = input("Press enter to exit the application.")
# except something unexpected and raise error and print it
except Exception as e:
    print("Something went wrong, printing error: " + str(e))
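The start-then-stop pattern described above, as an added example that is not part of the original post or the tool it links: it parses an exported System log CSV, keeps only Service Control Manager 7036 "service entered the running/stopped state" events whose service name is a bare GUID, and pairs each GUID's start with its stop. The CSV column layout and the sample rows (including the GUID) are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# SCM message for a service whose name is a bare GUID, as the article describes.
GUID_SVC_RE = re.compile(
    r"The \{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\} "
    r"service entered the (running|stopped) state"
)

# Constructed sample export; the column names are an assumption about the CSV layout.
SAMPLE_CSV = """Level,Date and Time,Source,Event ID,Task Category,Description
Information,1/12/2009 9:01:02 AM,Service Control Manager,7036,None,The Windows Update service entered the running state.
Information,1/12/2009 9:05:10 AM,Service Control Manager,7036,None,The {D3F1C2A7-9B4E-4F0A-8C1D-5E6F7A8B9C0D} service entered the running state.
Information,1/12/2009 9:05:11 AM,Service Control Manager,7036,None,The {D3F1C2A7-9B4E-4F0A-8C1D-5E6F7A8B9C0D} service entered the stopped state.
Information,1/12/2009 9:30:00 AM,Service Control Manager,7036,None,The Print Spooler service entered the stopped state.
"""

def find_guid_services(csv_text):
    """Return {guid: [(timestamp, state), ...]} for every GUID-named service transition."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Event ID") != "7036":
            continue
        m = GUID_SVC_RE.search(row.get("Description", ""))
        if m:
            hits[m.group(1).upper()].append((row["Date and Time"], m.group(2)))
    return dict(hits)

def suspicious_runs(csv_text):
    """GUIDs that both started and stopped, with first start and last stop time."""
    runs = []
    for guid, events in find_guid_services(csv_text).items():
        started = [t for t, s in events if s == "running"]
        stopped = [t for t, s in events if s == "stopped"]
        if started and stopped:
            runs.append((guid, started[0], stopped[-1]))
    return runs

if __name__ == "__main__":
    for guid, start, stop in suspicious_runs(SAMPLE_CSV):
        print("possible PWDump service {%s}: started %s, stopped %s" % (guid, start, stop))
```

A GUID-named service that only starts, or only stops, is reported by find_guid_services but not by suspicious_runs, so the two can be used together when the log window is truncated.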