Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/AhmedKamal1432/Evilize
Triaging Windows event logs based on SANS Poster
https://github.com/AhmedKamal1432/Evilize
dfir eventlogs events evt evtx incident-response sans
Last synced: about 1 month ago
JSON representation
Triaging Windows event logs based on SANS Poster
- Host: GitHub
- URL: https://github.com/AhmedKamal1432/Evilize
- Owner: AhmedKamal1432
- License: gpl-3.0
- Created: 2021-09-19T13:18:17.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-01-07T10:59:02.000Z (over 1 year ago)
- Last Synced: 2024-06-06T20:01:08.572Z (3 months ago)
- Topics: dfir, eventlogs, events, evt, evtx, incident-response, sans
- Language: PowerShell
- Homepage:
- Size: 6.68 MB
- Stars: 36
- Watchers: 5
- Forks: 7
- Open Issues: 10
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - AhmedKamal1432/Evilize - Triaging Windows event logs based on SANS Poster (PowerShell)
README
[![Contributors][contributors-shield]][contributors-url]
[![Forks][forks-shield]][forks-url]
[![Stargazers][stars-shield]][stars-url]
[![Issues][issues-shield]][issues-url]
[![GPL License][license-shield]][license-url]
[![LinkedIn][linkedin-shield]][linkedin-url]
Table of Contents
## About The Project
An incident response tool parses Windows Event Logs to export infection-related logs across many log files. Mainly following [Hunt Evil SANS Poster](https://share.ialab.dsu.edu/CRRC/Incident%20Response/Supplementary%20Material/SANS_Poster_2018_Hunt_Evil_FINAL.pdf) to choose related events.
what's new:
* One command to analyze all different infection-related Event logs files.
* One Excel file for every SANS catagory with multiple sheets for every event ID
* Having a map of analysis based on different categories based on SANS Poster.
* Tables of statistics of the number of indicators in every infections vector.
* Export useful events with important attributes in CSV format for extra manual analysis.
* Analyizing EVT and EVTX files
### Built With
All Parsers are build with 2 different techniques:
* [LogParser](https://www.microsoft.com/en-eg/download/details.aspx?id=24659)
* This is the default option as it is a time-efficient and stable option.
* [WinEvent](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1)
* This is a flexible and programmable option as you can add your own code for extra analysis.
* Use the `-winevent` parameter to parse the logs by WinEvent
## Usage
* Clone the repo Or download it as Zip file then extract it
```sh
git clone https://github.com/AhmedKamal1432/Evilize.git
```
* Change Directory to the Repo Folder
* Run the .\Evilize.ps1 with the path to Events logs files
```PS
.\Evilize.ps1 "C:\Users\username\Downloads\Events\EventLogs\" -security
```
* Don't run it on the local log files in "C:\Windows\System32\winevt\Logs"
* The tool creates a `Results` folder for csv/xlsx files inside the Event logs path.
* 
* For using Winevent insteed of logparser to parse the same logs, use the `winevent` parameter
```PS
.\Evilize.ps1 -winevent "C:\Users\username\Downloads\Events\EventLogs\"
```
* _For more examples, please refer to the [Wiki](https://github.com/AhmedKamal1432/Evilize/wiki)_
## Roadmap
- [v1.1.0] Implement Source events parsers
- [v1.2.0] Multithreaded parsers
- [v1.2.0] Date/Time filters
See the [open issues](https://github.com/AhmedKamal1432/Evilize/issues) for a full list of proposed features (and known issues).
## Contributing
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
Don't forget to give the project a star! Thanks again!
1. Fork the Project
2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
## License
Distributed under the GPL-3.0 License. See `LICENSE.txt` for more information.
## Contributers
* [Sayed Omar](https://github.com/sayedomarr)
* [Magy Gamal](https://github.com/MagyGamal)
* [Ahmed Kamal](https://github.com/AhmedKamal1432)
## Acknowledgments
* [SANS](https://www.sans.org/)
* [Best-README-Template](https://github.com/othneildrew/Best-README-Template)
* [Parserator](https://github.com/psanchezcordero/Parserator/blob/main/Parserator.ps1)
[contributors-shield]: https://img.shields.io/github/contributors/AhmedKamal1432/Evilize.svg?style=for-the-badge
[contributors-url]: https://github.com/AhmedKamal1432/Evilize/contributors
[forks-shield]: https://img.shields.io/github/forks/AhmedKamal1432/Evilize.svg?style=for-the-badge
[forks-url]: https://github.com/AhmedKamal1432/Evilize/network/members
[stars-shield]: https://img.shields.io/github/stars/AhmedKamal1432/Evilize.svg?style=for-the-badge
[stars-url]: https://github.com/AhmedKamal1432/Evilize/stargazers
[issues-shield]: https://img.shields.io/github/issues/AhmedKamal1432/Evilize.svg?style=for-the-badge
[issues-url]: https://github.com/AhmedKamal1432/Evilize/issues
[license-shield]: https://img.shields.io/github/license/AhmedKamal1432/Evilize.svg?style=for-the-badge
[license-url]: https://github.com/AhmedKamal1432/Evilize/blob/main/LICENSE
[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=555
[linkedin-url]: https://linkedin.com/in/ahmed-kamal1432
[product-screenshot]: images/screenshot.png
