{"id":21988097,"url":"https://github.com/nvisosecurity/evtx-hunter","last_synced_at":"2025-07-22T23:30:52.373Z","repository":{"id":45884292,"uuid":"370835593","full_name":"NVISOsecurity/evtx-hunter","owner":"NVISOsecurity","description":"evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.","archived":true,"fork":false,"pushed_at":"2021-11-30T00:00:14.000Z","size":1149,"stargazers_count":151,"open_issues_count":2,"forks_count":26,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-31T07:14:52.830Z","etag":null,"topics":["csirt","evtx","incident-response","infosec","netsec","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NVISOsecurity.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-25T21:45:51.000Z","updated_at":"2025-02-25T12:59:10.000Z","dependencies_parsed_at":"2022-09-10T17:01:09.332Z","dependency_job_id":null,"html_url":"https://github.com/NVISOsecurity/evtx-hunter","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/NVISOsecurity/evtx-hunter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fevtx-hunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fevtx-hunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fevtx-hunter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fevtx-hunter/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NVISOsecurity","download_url":"https://codeload.github.com/NVISOsecurity/evtx-hunter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fevtx-hunter/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266589942,"owners_count":23952836,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csirt","evtx","incident-response","infosec","netsec","threat-hunting"],"created_at":"2024-11-29T19:15:45.476Z","updated_at":"2025-07-22T23:30:51.640Z","avatar_url":"https://github.com/NVISOsecurity.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Introduction\n**evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.**\n\nIt can process a high number of events quickly, making it suitable for use during investigations and hunting\nactivities across a high number of collected events.\n\n![Report header](/documentation/screenshots/report_header.PNG)\n![Example of a first time detection](/documentation/screenshots/first_time_example.PNG)\n\n# What is evtx-hunter\n\nevtx-hunter is a Python tool that generates a web report of interesting activity observed\nin EVTX files. 
The tool comes with a few predefined rules to help you get going. These include rules to spot, for example:\n- The first time a certain DNS domain is queried;\n- The first time a certain process is launched;\n- New service installations;\n- User account lockouts;\n- ...\n\nNew rules can easily be added to support your own use cases:\n- ``rules/first_occurence.json``: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.\n- ``rules/interesting_events.json``: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.\n\n# Why evtx-hunter?\nWe developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities.\nWe love tools like [Event Log Explorer](https://eventlogxp.com/) and [Evtx Explorer](https://isc.sans.edu/forums/diary/Introduction+to+EvtxEcmd+Evtx+Explorer/25858/), but found them best suited to a deep dive into a specific EVTX file. Quickly spotting interesting activity across a large number of EVTX events is something we were missing, and this was the reason to develop and release evtx-hunter.\n\n# Requirements\n\nevtx-hunter only runs on Windows due to its dependency on the [EVTX Parsing](https://github.com/omerbenamram/EVTX) library, which is included in the tool. 
\n\nIt requires Python (tested with ``python 3.9``, but any version ``\u003e=python 3.0`` will most likely work).\n\n# Installation\n```\npip install -r requirements.txt\n```\n\n# Usage\n```\npython evtx_hunter.py \u003cevtx_folder\u003e\n```\nOnce the EVTX files have been processed, a link will be printed on the command line to view the generated report in your browser (typically http://127.0.0.1:8050/).\n\n# Roadmap\nWe plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:\n- Add new rules to spot new interesting activity in EVTX files;\n- Improve how the information is presented in the resulting report;\n- Make the reports interactive (live filtering \u0026 searching, for example).\n\n# Contributions\nEveryone is invited to contribute!\n\nIf you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.\n\n# Acknowledgements\nDeveloped by Daan Raman, [@NVISO_labs](https://twitter.com/nviso_labs)\n\n## External libraries\n- EVTX Parsing: https://github.com/omerbenamram/EVTX\n\n## License\nevtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).\n[LICENSE](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fevtx-hunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnvisosecurity%2Fevtx-hunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fevtx-hunter/lists"}