Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/AhmedKamal1432/Evilize

Triaging Windows event logs based on SANS Poster
https://github.com/AhmedKamal1432/Evilize

dfir eventlogs events evt evtx incident-response sans

Last synced: 21 days ago
JSON representation

Triaging Windows event logs based on SANS Poster

Awesome Lists containing this project

README

        

[![Contributors][contributors-shield]][contributors-url]
[![Forks][forks-shield]][forks-url]
[![Stargazers][stars-shield]][stars-url]
[![Issues][issues-shield]][issues-url]
[![GPL License][license-shield]][license-url]
[![LinkedIn][linkedin-shield]][linkedin-url]





Logo


Hunting Evil by parsing Windows Event Logs files


Explore the docs »




Report Bug
·
Request Feature


Table of Contents



  1. About The Project


  2. Usage

  3. Roadmap

  4. Contributing

  5. License

  6. Contributers

  7. Acknowledgment

## About The Project

Tool GIF

An incident response tool parses Windows Event Logs to export infection-related logs across many log files. Mainly following [Hunt Evil SANS Poster](https://share.ialab.dsu.edu/CRRC/Incident%20Response/Supplementary%20Material/SANS_Poster_2018_Hunt_Evil_FINAL.pdf) to choose related events.

what's new:
* One command to analyze all different infection-related Event logs files.
* One Excel file for every SANS catagory with multiple sheets for every event ID
* Having a map of analysis based on different categories based on SANS Poster.
* Tables of statistics of the number of indicators in every infections vector.
* Export useful events with important attributes in CSV format for extra manual analysis.
* Analyizing EVT and EVTX files

(back to top)

### Built With
All Parsers are build with 2 different techniques:

* [LogParser](https://www.microsoft.com/en-eg/download/details.aspx?id=24659)
* This is the default option as it is a time-efficient and stable option.
* [WinEvent](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1)
* This is a flexible and programmable option as you can add your own code for extra analysis.
* Use the `-winevent` parameter to parse the logs by WinEvent

(back to top)

## Usage

* Clone the repo Or download it as Zip file then extract it
```sh
git clone https://github.com/AhmedKamal1432/Evilize.git
```
* Change Directory to the Repo Folder
* Run the .\Evilize.ps1 with the path to Events logs files
```PS
.\Evilize.ps1 "C:\Users\username\Downloads\Events\EventLogs\" -security
```
* Don't run it on the local log files in "C:\Windows\System32\winevt\Logs"
* The tool creates a `Results` folder for csv/xlsx files inside the Event logs path.
* ![Excel sheet](https://user-images.githubusercontent.com/7649285/139496004-027cbf27-faf7-41cd-b840-26802756fbf8.gif)
* For using Winevent insteed of logparser to parse the same logs, use the `winevent` parameter
```PS
.\Evilize.ps1 -winevent "C:\Users\username\Downloads\Events\EventLogs\"
```

* _For more examples, please refer to the [Wiki](https://github.com/AhmedKamal1432/Evilize/wiki)_

(back to top)

## Roadmap

- [v1.1.0] Implement Source events parsers
- [v1.2.0] Multithreaded parsers
- [v1.2.0] Date/Time filters

See the [open issues](https://github.com/AhmedKamal1432/Evilize/issues) for a full list of proposed features (and known issues).

(back to top)

## Contributing

Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
Don't forget to give the project a star! Thanks again!

1. Fork the Project
2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request

(back to top)

## License

Distributed under the GPL-3.0 License. See `LICENSE.txt` for more information.

(back to top)

## Contributers
* [Sayed Omar](https://github.com/sayedomarr)
* [Magy Gamal](https://github.com/MagyGamal)
* [Ahmed Kamal](https://github.com/AhmedKamal1432)

## Acknowledgments

* [SANS](https://www.sans.org/)
* [Best-README-Template](https://github.com/othneildrew/Best-README-Template)
* [Parserator](https://github.com/psanchezcordero/Parserator/blob/main/Parserator.ps1)

(back to top)

[contributors-shield]: https://img.shields.io/github/contributors/AhmedKamal1432/Evilize.svg?style=for-the-badge
[contributors-url]: https://github.com/AhmedKamal1432/Evilize/contributors
[forks-shield]: https://img.shields.io/github/forks/AhmedKamal1432/Evilize.svg?style=for-the-badge
[forks-url]: https://github.com/AhmedKamal1432/Evilize/network/members
[stars-shield]: https://img.shields.io/github/stars/AhmedKamal1432/Evilize.svg?style=for-the-badge
[stars-url]: https://github.com/AhmedKamal1432/Evilize/stargazers
[issues-shield]: https://img.shields.io/github/issues/AhmedKamal1432/Evilize.svg?style=for-the-badge
[issues-url]: https://github.com/AhmedKamal1432/Evilize/issues
[license-shield]: https://img.shields.io/github/license/AhmedKamal1432/Evilize.svg?style=for-the-badge
[license-url]: https://github.com/AhmedKamal1432/Evilize/blob/main/LICENSE
[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=555
[linkedin-url]: https://linkedin.com/in/ahmed-kamal1432
[product-screenshot]: images/screenshot.png