yarox24 / evtxhussar Goto Github PK

Version: 1.6b - EvtxHussar1.6b_windows_amd64.zip
Operating System: Windows 11 Pro 22H2

Ran with elevated privileges through PowerShell 7

Issue: The "Description" column placeholders are not being replaced with relevant data in Excel output files.

PowerShell Output:

[SNIP]
2:10PM INF Generating list of .evtx files in provided paths...
2:10PM INF Inspecting 169 found .evtx files
2:10PM INF Finished inspecting
2:10PM INF Send to processing: 9 files
2:10PM INF Summary nr_of_empty_evtx=51 nr_of_invalid_evtx=0
2:10PM INF Start processing
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManagerOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced SecurityFirewall.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-WinRMOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows DefenderOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-PowerShellOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Windows PowerShell.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Security.evtx
2:10PM INF Results saved to excel format - L2: AV_WindowsDefender | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: WinRMUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Results saved to excel format - L2: AV_SymantecNetwork | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF 64 Scriptblocks saved | PowerShellScriptBlock | REDACTED
2:10PM INF Results saved to excel format - L2: AuditLogCleared | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: AuditPolicyChanged | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: AccountsUserRelatedOperations | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: ProcessCreation | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: General_BootupRestartShutdown | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: RDPUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ServicesUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ScheduledTasks_CreationModification | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: LogonsUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: FirewallUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: PowerShellUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF End processing

Excel Output:

Hello! Looks like you have a promising tool here. Looking forward to watching it grow!

I noticed the event time that was parsed from a set of particular .evtx files were showing timestamps in the future. See below:

Another example I found was a 7045 event parsed with EvtxECmd where the timestamp in that output was 2022-03-10 08:48:46.496185 but the timestamp parsed by EvtxHussar was 2022.06.27 21:42:54.3145345 for the very same 7045 event.

Hello,

I just made a KAPE Module for EvtxHussar.

https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Apps/GitHub/EvtxHussar.mkape

Ideally, the binary would be evtxhussar.exe so the KAPE Module doesn't have to be updated every time new features/bug fixes are released.

https://github.com/EricZimmerman/KapeFiles/blob/a6a8d079c87c2c298488dbb1c06e5d620b5b6f71/Modules/Apps/GitHub/EvtxHussar.mkape#L10

Also, not a huge Sabaton fan (mostly due to lack of experience with them) but I'm a fellow metalhead so I appreciate the Sabaton reference \m/

Andrew

Hi Team,

I found the following exception when parsing few EVTX files:

    panic: userdata_flatten_first_value - wrong number of keys
    goroutine 515 [running]:
    github.com/yarox24/EvtxHussar/eventmap.userdata_flatten_first_value(0xc004915650?, 0x9?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/eventmap/attrib_extraction.go:60 +0x9a
    github.com/yarox24/EvtxHussar/eventmap.ExtractAttribs(0x514780?, {0xc0003a8e40, 0x1, 0x6?}, 0x0)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/eventmap/event_map.go:178 +0x61d
    github.com/yarox24/EvtxHussar/engine.(*Engine).ParseL2FieldsOrderedDict(0xc0002f2000, {0xc000335b90, 0xf}, 0xf?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/engine.go:381 +0x153
    github.com/yarox24/EvtxHussar/engine.RunL2WorkerFlat(0xc0000a7d20)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:146 +0x3e7
    github.com/yarox24/EvtxHussar/engine.RunL2Worker(0xc0000a7d20, 0x2000000020?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:338 +0x154
    created by github.com/yarox24/EvtxHussar/engine.(*Layer2GlobalMemory).StartL2Workers
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:363 +0x36

I'm running latest version of EVTXHussar.