
evtxhussar's Issues

Event Time Parsing Error

Hello! Looks like you have a promising tool here. Looking forward to watching it grow!

I noticed that the event times parsed from a particular set of .evtx files were showing timestamps in the future. See below:

image

Another example I found was a 7045 event parsed with EvtxECmd where the timestamp in that output was 2022-03-10 08:48:46.496185 but the timestamp parsed by EvtxHussar was 2022.06.27 21:42:54.3145345 for the very same 7045 event.
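One way to cross-check a tool's timestamps against what is actually stored on disk, as an added Go example that is not part of EvtxHussar or EvtxECmd: every EVTX record begins with a 24-byte header (magic `**\x00\x00`, record size, record number, and the "written" time as a Windows FILETIME, i.e. 100-ns ticks since 1601-01-01 UTC) and ends with a copy of the size. Getting the 1601-to-1970 epoch offset or the tick unit wrong is the classic way to land events decades off, so the example converts FILETIME explicitly, verifies the trailing size copy, and flags any event time later than the acquisition time. The sample record, the acquisition date and all function names are the example's own constructions; the one real value used is the 2022-03-10 08:48:46.496185 timestamp quoted above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// epochDelta is the number of 100-ns ticks between 1601-01-01 (FILETIME epoch)
// and 1970-01-01 (Unix epoch).
const epochDelta = 116444736000000000

// FileTimeToTime converts a Windows FILETIME to a UTC time.Time.
// An off-by-one in the epoch or in the unit (100 ns vs 1 us) shifts every event.
func FileTimeToTime(ft uint64) time.Time {
	ticks := int64(ft) - epochDelta
	return time.Unix(ticks/1e7, (ticks%1e7)*100).UTC()
}

// TimeToFileTime is the inverse; used here only to build the constructed sample.
func TimeToFileTime(t time.Time) uint64 {
	return uint64(t.UnixNano()/100 + epochDelta)
}

// Record holds the header fields needed to cross-check a tool's output.
type Record struct {
	Size     uint32
	RecordID uint64
	Written  time.Time
}

var recordMagic = []byte{0x2a, 0x2a, 0x00, 0x00} // "**\x00\x00"

// ParseRecordHeader reads the record header that precedes the BinXML payload:
// offset 0 magic, 4 size, 8 record number, 16 written-time FILETIME.
func ParseRecordHeader(b []byte) (Record, error) {
	if len(b) < 24 {
		return Record{}, errors.New("record too short")
	}
	if !bytes.Equal(b[:4], recordMagic) {
		return Record{}, fmt.Errorf("bad record magic %x", b[:4])
	}
	size := binary.LittleEndian.Uint32(b[4:8])
	if int(size) > len(b) || size < 28 {
		return Record{}, fmt.Errorf("record size %d inconsistent with buffer", size)
	}
	// The size is repeated in the last 4 bytes of the record; a mismatch means a
	// damaged ("dirty") record whose timestamp should not be trusted.
	if tail := binary.LittleEndian.Uint32(b[size-4 : size]); tail != size {
		return Record{}, fmt.Errorf("size copy %d != size %d", tail, size)
	}
	return Record{
		Size:     size,
		RecordID: binary.LittleEndian.Uint64(b[8:16]),
		Written:  FileTimeToTime(binary.LittleEndian.Uint64(b[16:24])),
	}, nil
}

// CheckPlausible flags the symptoms a conversion bug typically produces:
// an event time after the acquisition time, or one before year 2000.
func CheckPlausible(t, acquired time.Time) error {
	if t.After(acquired) {
		return fmt.Errorf("event time %s is after acquisition time %s", t, acquired)
	}
	if t.Year() < 2000 {
		return fmt.Errorf("event time %s is implausibly old", t)
	}
	return nil
}

// BuildSampleRecord constructs a minimal record (header, dummy payload, size copy).
// This is constructed test data, not a real log record.
func BuildSampleRecord(id uint64, written time.Time) []byte {
	payload := []byte{0x0f, 0x01, 0x01, 0x00} // placeholder for the BinXML fragment
	size := uint32(24 + len(payload) + 4)
	buf := make([]byte, size)
	copy(buf[0:4], recordMagic)
	binary.LittleEndian.PutUint32(buf[4:8], size)
	binary.LittleEndian.PutUint64(buf[8:16], id)
	binary.LittleEndian.PutUint64(buf[16:24], TimeToFileTime(written))
	copy(buf[24:24+len(payload)], payload)
	binary.LittleEndian.PutUint32(buf[size-4:size], size)
	return buf
}

func main() {
	// The value EvtxECmd reported for the 7045 event in the issue above.
	want := time.Date(2022, 3, 10, 8, 48, 46, 496185000, time.UTC)
	rec, err := ParseRecordHeader(BuildSampleRecord(1234, want))
	if err != nil {
		panic(err)
	}
	fmt.Println(rec.RecordID, rec.Written.Format("2006-01-02 15:04:05.000000"))
	acquired := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC) // assumed acquisition date
	fmt.Println(CheckPlausible(rec.Written, acquired))
	fmt.Println(CheckPlausible(time.Date(2022, 6, 27, 21, 42, 54, 0, time.UTC), acquired))
}
```

The header "written" time is what the log service stamped when it committed the record; the `TimeCreated SystemTime` inside the BinXML `System` element can differ from it by a small amount, so when two tools disagree by years rather than milliseconds, the conversion, not the source field, is the place to look.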

"Description" column placeholders are not being replaced with relevant data in Excel output files.

Version: 1.6b - EvtxHussar1.6b_windows_amd64.zip
Operating System: Windows 11 Pro 22H2

Ran with elevated privileges through PowerShell 7

Issue: The "Description" column placeholders are not being replaced with relevant data in Excel output files.

PowerShell Output:

    [SNIP]
    2:10PM INF Generating list of .evtx files in provided paths...
    2:10PM INF Inspecting 169 found .evtx files
    2:10PM INF Finished inspecting
    2:10PM INF Send to processing: 9 files
    2:10PM INF Summary nr_of_empty_evtx=51 nr_of_invalid_evtx=0
    2:10PM INF Start processing
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManagerOperational.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced SecurityFirewall.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-WinRMOperational.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows DefenderOperational.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\System.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-PowerShellOperational.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Windows PowerShell.evtx
    2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Security.evtx
    2:10PM INF Results saved to excel format - L2: AV_WindowsDefender | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: WinRMUniversal | Hostname: REDACTED | Nr of source files: 1
    2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
    2:10PM INF Results saved to excel format - L2: AV_SymantecNetwork | Hostname: REDACTED | Nr of source files: 1
    2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\System.evtx
    2:10PM INF 64 Scriptblocks saved | PowerShellScriptBlock | REDACTED
    2:10PM INF Results saved to excel format - L2: AuditLogCleared | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF Results saved to excel format - L2: AuditPolicyChanged | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: AccountsUserRelatedOperations | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: ProcessCreation | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: General_BootupRestartShutdown | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF Results saved to excel format - L2: RDPUniversal | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF Results saved to excel format - L2: ServicesUniversal | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF Results saved to excel format - L2: ScheduledTasks_CreationModification | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: LogonsUniversal | Hostname: REDACTED | Nr of source files: 1
    2:10PM INF Results saved to excel format - L2: FirewallUniversal | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF Results saved to excel format - L2: PowerShellUniversal | Hostname: REDACTED | Nr of source files: 2
    2:10PM INF End processing

Excel Output:

image

Exception when parsing EVTX files

Hi Team,

I found the following exception when parsing a few EVTX files:

    panic: userdata_flatten_first_value - wrong number of keys
    goroutine 515 [running]:
    github.com/yarox24/EvtxHussar/eventmap.userdata_flatten_first_value(0xc004915650?, 0x9?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/eventmap/attrib_extraction.go:60 +0x9a
    github.com/yarox24/EvtxHussar/eventmap.ExtractAttribs(0x514780?, {0xc0003a8e40, 0x1, 0x6?}, 0x0)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/eventmap/event_map.go:178 +0x61d
    github.com/yarox24/EvtxHussar/engine.(*Engine).ParseL2FieldsOrderedDict(0xc0002f2000, {0xc000335b90, 0xf}, 0xf?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/engine.go:381 +0x153
    github.com/yarox24/EvtxHussar/engine.RunL2WorkerFlat(0xc0000a7d20)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:146 +0x3e7
    github.com/yarox24/EvtxHussar/engine.RunL2Worker(0xc0000a7d20, 0x2000000020?)
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:338 +0x154
    created by github.com/yarox24/EvtxHussar/engine.(*Layer2GlobalMemory).StartL2Workers
        F:/GoLangBase/GitEvtxHussar/EvtxHussar/engine/layer2.go:363 +0x36

I'm running the latest version of EVTXHussar.

REQUEST: Static naming convention for the EvtxHussar executable

Hello,

I just made a KAPE Module for EvtxHussar.

https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Apps/GitHub/EvtxHussar.mkape

Ideally, the binary would be evtxhussar.exe so the KAPE Module doesn't have to be updated every time new features/bug fixes are released.

https://github.com/EricZimmerman/KapeFiles/blob/a6a8d079c87c2c298488dbb1c06e5d620b5b6f71/Modules/Apps/GitHub/EvtxHussar.mkape#L10

Also, not a huge Sabaton fan (mostly due to lack of experience with them) but I'm a fellow metalhead so I appreciate the Sabaton reference \m/

Andrew
