yarox24 / evtxhussar Goto Github PK

Hello,

I just made a KAPE Module for EvtxHussar.

https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Apps/GitHub/EvtxHussar.mkape

Ideally, the binary would be evtxhussar.exe so the KAPE Module doesn't have to be updated every time new features/bug fixes are released.

https://github.com/EricZimmerman/KapeFiles/blob/a6a8d079c87c2c298488dbb1c06e5d620b5b6f71/Modules/Apps/GitHub/EvtxHussar.mkape#L10

Also, not a huge Sabaton fan (mostly due to lack of experience with them) but I'm a fellow metalhead so I appreciate the Sabaton reference \m/

Andrew

Version: 1.6b - EvtxHussar1.6b_windows_amd64.zip
Operating System: Windows 11 Pro 22H2

Ran with elevated privileges through PowerShell 7

Issue: The "Description" column placeholders are not being replaced with relevant data in Excel output files.

PowerShell Output:

[SNIP]
2:10PM INF Generating list of .evtx files in provided paths...
2:10PM INF Inspecting 169 found .evtx files
2:10PM INF Finished inspecting
2:10PM INF Send to processing: 9 files
2:10PM INF Summary nr_of_empty_evtx=51 nr_of_invalid_evtx=0
2:10PM INF Start processing
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManagerOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced SecurityFirewall.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-WinRMOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows DefenderOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-PowerShellOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Windows PowerShell.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Security.evtx
2:10PM INF Results saved to excel format - L2: AV_WindowsDefender | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: WinRMUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Results saved to excel format - L2: AV_SymantecNetwork | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF 64 Scriptblocks saved | PowerShellScriptBlock | REDACTED
2:10PM INF Results saved to excel format - L2: AuditLogCleared | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: AuditPolicyChanged | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: AccountsUserRelatedOperations | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: ProcessCreation | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: General_BootupRestartShutdown | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: RDPUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ServicesUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ScheduledTasks_CreationModification | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: LogonsUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: FirewallUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: PowerShellUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF End processing

Excel Output:

Hello! Looks like you have a promising tool here. Looking forward to watching it grow!

I noticed the event time that was parsed from a set of particular .evtx files were showing timestamps in the future. See below:

Another example I found was a 7045 event parsed with EvtxECmd where the timestamp in that output was 2022-03-10 08:48:46.496185 but the timestamp parsed by EvtxHussar was 2022.06.27 21:42:54.3145345 for the very same 7045 event.