EvtxHussar

module v0.0.0-...-f0a5ce6

Published: May 6, 2023 License: MIT

README

EvtxHussar

Initial triage of Windows event logs. This is beta-quality software.

Input data
  • .evtx - Windows event log files coming from various hosts or from a single host

Output data
  • Subset of events based on event IDs defined in maps (e.g. System 104 - The log file was cleared.)
  • Events useful for forensics
  • One of the following output formats: CSV, JSON, JSONL, Excel
  • Default output format: Excel
  • Files with the same computer name are merged
Example output

Subset of columns only
[screenshot]

Output directory structure
[screenshot]

Interesting features
  • Dumping of logon-related events
  • Reconstruction of PowerShell ScriptBlocks
  • PowerShell -enc (encoded command) arguments are automatically decoded
  • Scheduled Tasks XML parsing
  • Audit changes
  • Boot up/Restart/Shutdown events
  • SMB-related events
  • Merging of events from different sources (e.g. Microsoft-Windows-PowerShellOperational_General and Windows PowerShell) into a single output file
  • Deduplication of events (so you can provide logs from backup, VSS, or archive copies)
  • Supported events can easily be added by adding .yaml files to the maps/ directory
  • Parameter resolution (e.g. %%1936 is changed to TokenElevationTypeDefault (1))
  • Field resolution (e.g. servicestarttype = 2 is replaced with "Auto start")
  • Fields with different names are normalized to a single field (whenever possible), e.g. Filename -> TargetFileName
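As an added illustration of two of the features above, ScriptBlock reconstruction and deduplication, the Go code below (written for this page, not EvtxHussar's own code) reassembles PowerShell 4104 fragments: Windows logs a long script block as several 4104 events that share a ScriptBlockId and each carry a MessageNumber and MessageTotal, and supplying a live log together with its VSS or backup copy yields the same fragment twice. The event field names are the real ones; the Fragment and Block types and the sample fragments are assumptions constructed for this example.

```go
package main

import (
	"sort"
	"strings"
)
// Fragment carries the 4104 fields needed for reassembly. The field names are
// the Windows event's own; the struct is hypothetical, not EvtxHussar's.
type Fragment struct {
	ScriptBlockID, ScriptBlockText string
	MessageNumber, MessageTotal    int
}
// Block is a reassembled script; Complete is false when parts are missing.
type Block struct {
	Text     string
	Complete bool
}
// ReassembleScriptBlocks drops exact duplicate fragments (the same event from a
// live log and a VSS/backup copy), groups by ScriptBlockId and joins in order.
func ReassembleScriptBlocks(frags []Fragment) map[string]Block {
	seen := map[Fragment]bool{}
	byID := map[string][]Fragment{}
	for _, f := range frags {
		if seen[f] {
			continue
		}
		seen[f] = true
		byID[f.ScriptBlockID] = append(byID[f.ScriptBlockID], f)
	}
	out := map[string]Block{}
	for id, parts := range byID {
		sort.Slice(parts, func(i, j int) bool { return parts[i].MessageNumber < parts[j].MessageNumber })
		var sb strings.Builder
		for _, p := range parts {
			sb.WriteString(p.ScriptBlockText)
		}
		// Fewer distinct parts than MessageTotal means the log rolled over.
		out[id] = Block{Text: sb.String(), Complete: len(parts) == parts[0].MessageTotal}
	}
	return out
}

// SampleFragments is constructed data: block A in three parts with part 1
// logged twice (live log plus backup copy); block B is missing its part 2.
func SampleFragments() []Fragment {
	return []Fragment{
		{"A", "$p = Get-Process; ", 1, 3}, {"A", "$p = Get-Process; ", 1, 3}, {"A", "$p | Sort-Object CPU ", 2, 3},
		{"A", "| Select-Object -First 5", 3, 3}, {"B", "Get-ChildItem C:\\ ", 1, 2},
	}
}
```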
Which events are supported?

See the maps/ directory (which contains the Layer 1 maps).

Quick usage

Parse events (C:\evtx_compromised_machine\*.evtx) from a single host into the default Excel format

EvtxHussar.exe -o C:\evtxhussar_results C:\evtx_compromised_machine

Parse events (C:\evtx_many_machines\*\*.evtx) from many machines recursively, saving them in JSONL format

EvtxHussar.exe -f jsonl -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only two files (Security.evtx and System.evtx) and save them in CSV format

EvtxHussar.exe -f csv -o C:\evtxhussar_results C:\evtx_compromised_machine\Security.evtx C:\evtx_compromised_machine\System.evtx

Parse events with 100 workers (1 worker = 1 .evtx file handled at a time). Default: 30

EvtxHussar.exe -w 100 -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with custom maps relevant to the incident

EvtxHussar.exe -m C:\incident_specific_maps -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only with the selected Layer2 maps, e.g. PowerShellUniversal,PowerShellScriptBlock

EvtxHussar.exe --includeonly PowerShellUniversal,PowerShellScriptBlock -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with all Layer2 maps but exclude some, e.g. FirewallUniversal

EvtxHussar.exe --excludeonly FirewallUniversal -r -o C:\evtxhussar_results C:\evtx_many_machines

Usage (as Velociraptor plugin)

https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.evtxhussar/

Blog article

📝 https://atos.net/en/lp/securitydive/how-to-accelerate-analysis-of-windows-event-logs

Help
Usage: EvtxHussar [--recursive] [--output_dir OUTPUT_DIR] [--format FORMAT] [--workers WORKERS] [--maps MAPS] [--debug] [INPUT_EVTX_PATHS [INPUT_EVTX_PATHS ...]]

Positional arguments:
  INPUT_EVTX_PATHS       Path(s) to .evtx files or directories containing these files (can be mixed)

Options:
  --recursive, -r        Recursive traversal for any input directories. [default: false]
  --output_dir OUTPUT_DIR, -o OUTPUT_DIR
                         Reports will be saved in this directory (if doesn't exists it will be created)
  --format FORMAT, -f FORMAT
                         Output data in one of the formats: Csv,JSON,JSONL,Excel [default: Excel]
  --workers WORKERS, -w WORKERS
                         Max concurrent workers (.evtx opened) [default: 30]
  --maps MAPS, -m MAPS   Custom directory with maps/ (Default: program directory)
  --includeonly INCLUDEONLY, -i INCLUDEONLY
                         Include only Layer2 maps present on the list comma separated (Name taken from YAML) [default: {[]}]
  --excludeonly EXCLUDEONLY, -e EXCLUDEONLY
                         Start with all Layer2 maps and exclude only maps present on the comma separated list (Name taken from YAML) [default: {[]}]
  --scriptblockxor, -x   Apply XOR on reconstructed PS ScriptBlocks with key 'Y' (0x59) to prevent deletion by AV [default: false]
  --debug, -d            Be more verbose [default: false]
  --help, -h             display this help and exit
  --version              display version and exit

Then the winged hussars arrived, coming down they turned the tide

Winged Hussars

Directories

cmd