evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Related tags

Security related resourcesincident-responsecsirtinfosecthreat-huntingnetsecevtx
Overview

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a high number of events quickly, making it suitable for use during investigations and hunting activities across a high number of collected events.

Report header Example of a first time detection

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. The tool comes with a few predefined rules to help you get going. This includes rules to spot for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New use cases can easily be added to support your use case:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities. We love tools like Event Log Explorer and Evtx Explorer but found them most suited to deep dive into a specific EVTX file - quickly spotted interesting activity across a large number of EVTX events is something we were missing - this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on EVTX Parsing library, which is included in the tool.

It requires Python (tested in python 3.9 but any version >=python 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link on the command line will be printed to view the generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3). LICENSE

Owner
NVISO
NVISO
GitHub Repository
Mass scan for .git repository and .env file exposure

Mass .Git repository and .Env file Scan by Scarmandef Scanner to find .env file and .git repository exposure on multiple hosts Because of the response

8 Jun 23, 2022
the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

Taroballz 14 Nov 09, 2022
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
The disassembler parses evm bytecode from the command line or from a file.

EVM Bytecode Disassembler The disassembler parses evm bytecode from the command line or from a file. It does not matter whether the bytecode is prefix

alpharush 22 Dec 27, 2022
SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

Flask-SeaSurf SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF). CSRF vulnerabilities have been found in large and popular

Max Countryman 183 Dec 28, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
Learning to compose soft prompts for compositional zero-shot learning.

Compositional Soft Prompting (CSP) Compositional soft prompting (CSP), a parameter-efficient learning technique to improve the zero-shot compositional

Bats Research 32 Jan 02, 2023
An IDA pro python script to decrypt Qbot malware string

Qbot-Strings-Decrypter An IDA pro python script to decrypt Qbot malware strings.

stuckinvim 6 Sep 01, 2022
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
Log4jake works by spidering a web application for GET/POST requests

Log4jake Log4jake works by spidering a web application for GET/POST requests. It will then automatically execute the GET/POST requests, filling any di

16 May 09, 2022
Python program that generates secure passwords.

Python program that generates secure passwords. The user has the option to select the length of the password, amount of passwords,

4 Dec 07, 2021
Extensive Python3 network scanner, simplified.

Snake Map Extensive Python3 network scanner, simplified. _,.--. --..,_ .'`__ o `;__, `'.'. .'.'` '---'` '

Miss Bliss 4 Apr 16, 2022
PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

PwdGen ( Password Generator ) is a Python Tkinter tool for generating secure 16 digit passwords. Installation Simply install requirements pip install

zJairO 7 Jul 14, 2022
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

东方有鱼名为咸 135 Dec 14, 2022
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell) usage: python ProxyLogon.py --host=exchang

112 Dec 01, 2022
Anti Supercookie - Confusing the ISP & Escaping the Supercookie

Confusing the ISP & Escaping the Supercookie

Baris Dincer 2 Nov 22, 2022
Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

Log4jHorizon Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more. BLOG COMING SOON Code and README.md this time around are

96 Dec 14, 2022
SPV SecurePasswordVerification

SPV SecurePasswordVerification Its is python module for doing a secure password verification without sharing the password directly. Features The passw

Merwin 1 Feb 12, 2022
This tool was created in order to automate some basic OSINT tasks for penetration testing assingments.

This tool was created in order to automate some basic OSINT tasks for penetration testing assingments. The main feature that I haven't seen much anywhere is the downloadd google dork function where t

Tobias 5 May 31, 2022
Simplify getting and using cookies from the browser to use in Python.

CookieCache Simplify getting and using cookies from the browser to use in Python. NOTE: All the logic to interface with the browsers is done by the Br

pat_h/to/file 2 May 06, 2022