yarox24/EvtxHussar

EvtxHussar

Initial triage of Windows Event logs. This is beta quality software.

Input data

  • .evtx - Windows event log files coming from a single host or from various hosts

Output data

  • Chart generation (event frequency distribution across all *.evtx files)
  • Subset of events based on event IDs defined in maps (e.g. System 104 - The log file was cleared.)
  • Events useful for forensics
  • One of the following output formats: CSV, JSON, JSONL, Excel
  • Default output format: Excel
  • Files with the same computer name are merged

Example output

Chart (HTML)

Live chart demo

Subset of columns only (screenshot)

Output directory structure (screenshot)

Interesting features

  • Dumping of logon-related events
  • Reconstruction of PowerShell ScriptBlocks
  • PowerShell -enc (EncodedCommand) arguments are automatically decoded
  • Scheduled Tasks XML parsing
  • Audit changes
  • Boot up/Restart/Shutdown events
  • SMB related events
  • Merge events from different sources (e.g. Microsoft-Windows-PowerShellOperational_General and Windows PowerShell) into a single output file
  • Deduplication of events (so you can provide logs from backups, VSS snapshots or archives)
  • Supported events can easily be added by dropping .yaml files into the maps/ directory
  • Parameter resolution (e.g. %%1936 is replaced with TokenElevationTypeDefault (1))
  • Field resolution (e.g. servicestarttype = 2 is replaced with "Auto start")
  • Fields with different names are normalized to a single field (whenever possible), e.g. Filename -> TargetFileName
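Added example (not EvtxHussar's own code) showing two of the features above on a constructed command line: decoding a PowerShell -enc argument (base64 of UTF-16LE text) the way a triage tool has to, and the symmetric XOR with key 0x59 ('Y') that the --scriptblockxor option applies to reconstructed ScriptBlocks so AV does not delete the report. The sample command line, regex and helper names are assumptions made for this example.

```python
import base64
import re

# Constructed sample of a 4688-style "New Process Created" command line
# (not taken from the project). "ZABpAHIA" is UTF-16LE "dir" in base64.
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc ZABpAHIA"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -EncodedCommand); match the flag and the base64 blob after it.
ENC_FLAG = re.compile(r"(?i)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Key documented by EvtxHussar's --scriptblockxor option: 'Y' == 0x59.
XOR_KEY = 0x59


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None when the
    command line carries no such flag or the payload is not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        # PowerShell encodes the script as UTF-16LE; an odd byte count means
        # a truncated or tampered payload and raises UnicodeDecodeError.
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def xor_scriptblock(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR over the whole buffer; applying it twice restores the input,
    so an analyst can read the stored ScriptBlock back with the same call."""
    return bytes(b ^ key for b in data)


def triage_row(cmdline: str) -> dict:
    """Build the kind of normalized row a triage report would carry for the event."""
    return {"CommandLine": cmdline, "DecodedCommand": decode_encoded_command(cmdline)}


if __name__ == "__main__":
    print(triage_row(SAMPLE_CMDLINE))
    stored = xor_scriptblock(b"Write-Output 'reconstructed block'")
    print(xor_scriptblock(stored).decode())
```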

Which events are supported?

Please look into maps/ (which contains Layer 1 maps)

Quick usage

Parse events (C:\evtx_compromised_machine\*.evtx) from a single host to the default Excel format (also generates a chart)

EvtxHussar.exe -o C:\evtxhussar_results C:\evtx_compromised_machine

Parse events (C:\evtx_many_machines\*\*.evtx) from many machines recursively, saving them in JSONL format

EvtxHussar.exe -f jsonl -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only 2 files (Security.evtx and System.evtx) and save them in CSV format

EvtxHussar.exe -f csv -o C:\evtxhussar_results C:\evtx_compromised_machine\Security.evtx C:\evtx_compromised_machine\System.evtx

Parse events with 100 workers (1 worker = 1 .evtx file handled; default: 30)

EvtxHussar.exe -w 100 -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with custom maps relevant to the incident

EvtxHussar.exe -m C:\incident_specific_maps -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only with selected Layer2 maps, e.g. PowerShellUniversal,PowerShellScriptBlock

EvtxHussar.exe --includeonly PowerShellUniversal,PowerShellScriptBlock -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with all Layer2 maps but exclude selected ones, e.g. FirewallUniversal

EvtxHussar.exe --excludeonly FirewallUniversal -r -o C:\evtxhussar_results C:\evtx_many_machines

Generate chart only

EvtxHussar.exe --includeonly ChartOnly -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse events only (disable chart generation)

EvtxHussar.exe -c none -r -o C:\evtxhussar_results C:\evtx_many_machines

Usage (as Velociraptor plugin)

https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.evtxhussar/

Blog article

📝 https://atos.net/en/lp/securitydive/how-to-accelerate-analysis-of-windows-event-logs

Help

Usage: EvtxHussar [--recursive] [--output_dir OUTPUT_DIR] [--format FORMAT] [--workers WORKERS] [--maps MAPS] [--templates TEMPLATES] [--includeonly INCLUDEONLY] [--excludeonly EXCLUDEONLY] [--chart CHART] [--scriptblockxor] [--debug] [INPUT_EVTX_PATHS [INPUT_EVTX_PATHS ...]]

Positional arguments:
  INPUT_EVTX_PATHS       Path(s) to .evtx files or directories containing these files (can be mixed)

Options:
  --recursive, -r        Recursive traversal for any input directories. [default: false]
  --output_dir OUTPUT_DIR, -o OUTPUT_DIR
                         Reports will be saved in this directory (if doesn't exists it will be created)
  --format FORMAT, -f FORMAT
                         Output data in one of the formats: Csv,JSON,JSONL,Excel [default: Excel]
  --workers WORKERS, -w WORKERS
                         Max concurrent workers (.evtx opened) [default: 30]
  --maps MAPS, -m MAPS   Custom directory with maps/ (Default: program directory)
  --templates TEMPLATES, -t TEMPLATES
                         Directory with Apache Echarts template (Default: program directory)
  --includeonly INCLUDEONLY, -i INCLUDEONLY
                         Include only Layer2 maps present on the list comma separated (Name taken from YAML) [default: {[]}]
  --excludeonly EXCLUDEONLY, -e EXCLUDEONLY
                         Start with all Layer2 maps and exclude only maps present on the comma separated list (Name taken from YAML) [default: {[]}]
  --chart CHART, -c CHART
                         Generate frequency chart of all .evtx files (Not only the ones supported by maps). Valid values: html,none [default: html]
  --scriptblockxor, -x   Apply XOR on reconstructed PS ScriptBlocks with key 'Y' (0x59) to prevent deletion by AV [default: false]
  --debug, -d            Be more verbose [default: false]
  --help, -h             display this help and exit
  --version              display version and exit

Then the winged hussars arrived, coming down they turned the tide
