Skip to content

Lennaert89/evtx

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

112 Commits
EvtxECmd
EvtxECmd
 
 
evtx.Test
evtx.Test
 
 
evtx
evtx
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
evtx.sln
evtx.sln
 
 
evtx.v3.ncrunchsolution
evtx.v3.ncrunchsolution
 
 

Repository files navigation

EVTX parser

This project contains both the core parsing engine as well as a command line front end that uses it.

MAPS NEEDS. If you have any of these event IDs in your logs, send me the XML or the evtx file and i can finish. This is a work in progress so expect this list to change often

-------------------------- I DONT HAVE LOGS FOR THESE

Round one missing stuff

Security: 4657, Security ID,Account Name, Logon ID, Object Name,Object Value Name, Old Value, New Value reg key created/modified/deleted

Security: 4652/4653: An IPsec Main Mode negotiation failed. Security: For Kerberos authentication, 4771.

-------------------------- I DONT HAVE LOGS FOR THESE

NEEDS REGEX WORK

System: 6100, all of the wireless networks the device can see, typically happens when network adapter starts/restarts. Its not easy to parse in the format you're looking for, but "BSSID" is there in every language I've encountered, so you can grep for it. (link: https://www.brimorlabsblog.com/2014/04/you-dont-know-where-that-device-has-been.html) brimorlabsblog.com/2014/04/you-do…

NEEDS REGEX WORK

------------------TO DO TO DO TO DO--------------------------------

Stumbled across this: Microsoft-Windows-MBAM/Operational

Event ID 39 & 40

Tracks RemovableDriveMounted and RemovableDriveDismounted

Audit against https://github.com/keydet89/Tools/blob/master/exe/eventmap.txt

8003 & 8006; #AppLocker audited event IDs. Many orgs don't want (read: can't manage) application whitelisting blocking policies, but that doesn't mean you can't build a policy in audit-only mode and on-board the relevant logs. Provides an excellent ROI.

Sysmon event ids 1,3, and 5,

Microsoft-Windows-PowerShell%4Operational.evtx 4103, 4104 – Script Block logging Logs suspicious scripts by default in PS v5 Logs all scripts if configured 53504 Records the authenticating user

powershell 400,500,501,800, and 4104

Windows PowerShell.evtx 400/403 "ServerRemoteHost" indicates start/end of Remoting session 800 Includes partial script code Microsoft-Windows-WinRM%4Operational.evtx 91 Session creation 168 Records the authenticating user

Microsoft-Windows-PowerShell%4Operational.evtx 40961, 40962 Records the local initiation of powershell.exe and associated user account 8193 & 8194 Session created

8197 - Connect Session closed

Microsoft-Windows-WinRM%4Operational.evtx 6 – WSMan Session initialize Session created Destination Host Name or IP Current logged-on User Name 8, 15, 16, 33 – WSMan Session deinitialization Closing of WSMan session Current logged-on User Name

Microsoft-Windows-SmbClient%4Security.evtx 31001 – Failed logon todestination Destination Host Name User Name for failed logon Reason code for failed destination logon (e.g. bad password)

About

C# based evtx parser with lots of extras

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • C# 100.0%