{"id":13387903,"url":"https://github.com/sbousseaden/evtx-attack-samples","last_synced_at":"2025-03-13T12:32:14.598Z","repository":{"id":38308098,"uuid":"175782105","full_name":"sbousseaden/EVTX-ATTACK-SAMPLES","owner":"sbousseaden","description":"Windows Events Attack Samples","archived":false,"fork":false,"pushed_at":"2023-01-24T12:02:51.000Z","size":6348,"stargazers_count":2233,"open_issues_count":5,"forks_count":399,"subscribers_count":144,"default_branch":"master","last_synced_at":"2024-10-26T07:39:25.505Z","etag":null,"topics":["dataset","detection-engineering","dfir","evtx","mitre-attack","threat-hunting","windows-security","winlogbeat"],"latest_commit_sha":null,"homepage":"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sbousseaden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.GPL","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-15T08:45:44.000Z","updated_at":"2024-10-25T09:54:14.000Z","dependencies_parsed_at":"2023-02-13T21:01:45.016Z","dependency_job_id":null,"html_url":"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbousseaden%2FEVTX-ATTACK-SAMPLES","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbousseaden%2FEVTX-ATTACK-SAMPLES/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbousseaden%2FEVTX-ATTACK-SAMPLES/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbousseaden%2FEVTX-ATTACK-SAMPLES/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sbousseaden","download_url":"https://codeload.github.com/sbousseaden/EVTX-ATTACK-SAMPLES/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243405399,"owners_count":20285751,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dataset","detection-engineering","dfir","evtx","mitre-attack","threat-hunting","windows-security","winlogbeat"],"created_at":"2024-07-30T12:01:37.779Z","updated_at":"2025-03-13T12:32:13.157Z","avatar_url":"https://github.com/sbousseaden.png","language":"HTML","funding_links":[],"categories":["ETW"],"sub_categories":["Tools"],"readme":"# Windows EVTX Samples [200 EVTX examples]:\n\n![alt text](https://raw.githubusercontent.com/sbousseaden/EVTX-ATTACK-SAMPLES/master/AIEvent.jpg)\n\nThis is a collection of Windows event log samples associated with specific attack and post-exploitation techniques. 
\nIt can be useful for:\n\n- Testing detection scripts that rely on EVTX parsing\n\n- Training in DFIR and threat hunting using event logs\n\n- Designing detection use cases using Windows and Sysmon event logs\n\n- Identifying which techniques are noisy in the event logs, so that red teamers can avoid them\n\nN.B.: Mapping has been done at the level of ATT\u0026CK technique (not procedure).\n\nDetails of the EVTX content mapped to MITRE ATT\u0026CK tactics can be found [here](http://bit.ly/2WpzQM4). Stats summary:\n\n![alt text](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/raw/master/EVTX_DataSet_Stats.PNG)\n\n![alt text](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/raw/master/HeatMap.PNG)\n\nOverview of the covered TTPs using attack-navigator:\n\n![alt text](https://raw.githubusercontent.com/sbousseaden/EVTX-ATTACK-SAMPLES/master/mitre_evtx_repo_map.png)\n\n# Winlogbeat-Bulk-Read\nIncluded is a PowerShell script that loops through evtx files and replays them with [winlogbeat](https://www.elastic.co/downloads/beats/winlogbeat), which parses each file into JSON events. \nThis can be used to replay logs into an ELK stack or to write them to a local file. 
By default this script\noutputs events to .\\winlogbeat\\events.json, as configured in the winlogbeat_example.yml file. \nYou can configure your own destinations in winlogbeat.yml (excluded from git); the\nexample config file is ignored if winlogbeat.yml is found.\n\nWinlogbeat-Bulk-Read Usage:\n```\n## Display help along with examples:\n.\\Winlogbeat-Bulk-Read.ps1 -Help\n\n## Run with defaults (read ./ recursively and look for winlogbeat.exe in your path):\n.\\Winlogbeat-Bulk-Read.ps1\n\n## If you want to point this script at another directory with evtx files and specify a path to the winlogbeat.exe binary:\n.\\Winlogbeat-Bulk-Read.ps1 -Exe ~\\Downloads\\winlogbeat\\winlogbeat.exe -Source \"..\\EVTX-ATTACK-SAMPLES\\\"\n```\n\n# License:\n\nEVTX_ATT\u0026CK's [GNU General Public License](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/LICENSE.GPL)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbousseaden%2Fevtx-attack-samples","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsbousseaden%2Fevtx-attack-samples","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbousseaden%2Fevtx-attack-samples/lists"}
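The Winlogbeat-Bulk-Read script described in the README above writes one JSON object per line to .\winlogbeat\events.json, and the first use the README lists for the dataset is testing detection scripts against parsed EVTX content. The harness below is an added example, not code from the EVTX-ATTACK-SAMPLES repository: it parses such a file, runs a small set of rules (each tagged with an ATT&CK technique, mirroring the README's technique-level mapping), tolerates malformed lines and the string-versus-integer event_id difference between winlogbeat versions, and reports rules that never fired on the sample set, which is the quickest way to spot a rule that is wrong or a technique the dataset does not cover. The field names (winlog.channel, winlog.event_id, winlog.event_data.*) follow winlogbeat's documented output; the sample records, rule names and technique assignments are constructed for this example and are not taken from the dataset.

```python
"""Detection test harness for winlogbeat's newline-delimited JSON output.

Added example for the EVTX-ATTACK-SAMPLES README; not code from the repository.
It assumes the field layout winlogbeat documents (winlog.channel, winlog.event_id,
winlog.event_data.*). Sample records, rule names and technique IDs are constructed.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample lines in the shape winlogbeat writes to events.json
# (one JSON object per line); the values are invented, not dataset records.
SAMPLE_EVENTS_JSON = "\n".join([
    json.dumps({"@timestamp": "2020-01-01T10:00:00.000Z", "winlog": {
        "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
        "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe",
                       "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                       "CommandLine": "cmd.exe /c whoami"}}}),
    json.dumps({"@timestamp": "2020-01-01T10:00:01.000Z", "winlog": {
        "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
        "event_data": {"Image": "C:\\Windows\\System32\\notepad.exe",
                       "ParentImage": "C:\\Windows\\explorer.exe",
                       "CommandLine": "notepad.exe"}}}),
    # Some winlogbeat versions emit event_id as a string; the harness must cope.
    json.dumps({"@timestamp": "2020-01-01T10:00:02.000Z", "winlog": {
        "channel": "Security", "event_id": "4624",
        "event_data": {"LogonType": "3", "AuthenticationPackageName": "NTLM",
                       "TargetUserName": "administrator", "IpAddress": "10.0.0.5"}}}),
    "{not valid json",  # truncated line, as left behind by an interrupted replay
])


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK technique ID; illustrative, technique level like the dataset
    channel: str
    event_id: int
    match: Callable[[Dict[str, str]], bool]  # predicate over winlog.event_data


def image_name(path: str) -> str:
    """Case-folded file name of a Windows path, so comparisons ignore directories."""
    return ntpath.basename(path).lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

RULES: List[Rule] = [
    # Sysmon EID 1: an Office application spawning a command or script interpreter.
    Rule("office_spawns_shell", "T1204", "Microsoft-Windows-Sysmon/Operational", 1,
         lambda d: image_name(d.get("ParentImage", "")) in OFFICE_APPS
         and image_name(d.get("Image", "")) in SHELLS),
    # Security 4624: NTLM network logon. Deliberately broad; replaying a dataset is
    # how you measure how noisy a rule like this is before deploying it.
    Rule("ntlm_network_logon", "T1550", "Security", 4624,
         lambda d: d.get("LogonType") == "3"
         and d.get("AuthenticationPackageName", "").upper() == "NTLM"),
]


def event_id_of(event: dict) -> Optional[int]:
    """Normalise winlog.event_id (int or str by version), falling back to event.code."""
    raw = event.get("winlog", {}).get("event_id", event.get("event", {}).get("code"))
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def parse_events(text: str):
    """Parse newline-delimited JSON; return (events, number of skipped lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict) and isinstance(obj.get("winlog"), dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def run_rules(events: List[dict], rules: List[Rule]) -> Dict[str, List[dict]]:
    """Return the matching events per rule name; a rule fires only on its own channel/ID."""
    hits: Dict[str, List[dict]] = {r.name: [] for r in rules}
    for ev in events:
        winlog, eid = ev["winlog"], event_id_of(ev)
        data = winlog.get("event_data") or {}
        for r in rules:
            if winlog.get("channel") == r.channel and eid == r.event_id and r.match(data):
                hits[r.name].append(ev)
    return hits


def untested_rules(hits: Dict[str, List[dict]], rules: List[Rule]) -> List[str]:
    """Rules that never fired: either the dataset lacks the technique or the rule is wrong."""
    return [r.name for r in rules if not hits[r.name]]


def summarize_detections(text: str, rules: List[Rule] = RULES) -> dict:
    events, skipped = parse_events(text)
    hits = run_rules(events, rules)
    return {"events": len(events), "skipped": skipped,
            "hits": {name: len(h) for name, h in hits.items()},
            "untested": untested_rules(hits, rules)}


if __name__ == "__main__":
    import sys
    # Pass the path to events.json produced by Winlogbeat-Bulk-Read; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVENTS_JSON
    print(json.dumps(summarize_detections(text), indent=2))
```

Run it as `python harness.py .\winlogbeat\events.json` after a replay; on the constructed sample it reports three parsed events, one skipped line, one hit per rule and no untested rules. Adding a rule for a technique the replayed files do not contain (for example a Sysmon EID 10 rule on lsass.exe access) shows up under "untested", which is the signal to either extend the sample set or check the rule's channel, event ID and field names.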