https://github.com/nvisosecurity/evtx-hunter
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.
csirt evtx incident-response infosec netsec threat-hunting
- Host: GitHub
- URL: https://github.com/nvisosecurity/evtx-hunter
- Owner: NVISOsecurity
- License: gpl-3.0
- Archived: true
- Created: 2021-05-25T21:45:51.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2021-11-30T00:00:14.000Z (over 4 years ago)
- Last Synced: 2025-03-31T07:14:52.830Z (about 1 year ago)
- Topics: csirt, evtx, incident-response, infosec, netsec, threat-hunting
- Language: Python
- Size: 1.1 MB
- Stars: 151
- Watchers: 10
- Forks: 26
- Open Issues: 2
Metadata Files:
- Readme: readme.md
- License: LICENSE
README
# Introduction
**evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.**
It processes a large number of events quickly, which makes it suitable for investigations and hunting
activities that span many collected EVTX files.


# What is evtx-hunter
evtx-hunter is a Python tool that generates a web report of interesting activity observed
in EVTX files. The tool ships with a few predefined rules to get you started, including rules that spot,
for example:
- The first time a certain DNS domain is queried;
- The first time a certain process is launched;
- New service installations;
- User account lockouts;
- ...
New rules can easily be added to cover your own use cases. Rules come in two types:
- ``rules/first_occurence.json``: monitor the first time something happens that matches the rule, such as installing
a new (malicious) service or using a compromised user account.
- ``rules/interesting_events.json``: monitor each time something happens that matches the rule, such as clearing
the audit log or installing a new service.
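The two rule types above boil down to two pieces of detection logic: a first-occurrence rule keeps a set of values it has already seen for a given event type and reports a value only the first time it appears, while an interesting-event rule reports every matching event. The following is an added example that illustrates that logic; it is not evtx-hunter's own code, and the rule dictionaries are a hypothetical format, not the schema of the project's `rules/*.json` files. It assumes records in the nested JSON shape that `evtx_dump --format json` (from the omerbenamram/evtx library the tool depends on) emits per event, and the sample records are constructed for this example. Note the two practical details a hunt over many files needs: events are sorted by `SystemTime` before first-occurrence tracking (records from several files are not guaranteed to arrive in order), and `EventID` is accepted both as a bare integer and as the `{"#attributes": ..., "#text": n}` object that evtx_dump emits when the XML element carries attributes such as `Qualifiers`.

```python
"""First-occurrence / interesting-event hunt over EVTX records (added example)."""
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]
Hit = Tuple[str, str, Optional[str]]  # (rule name, SystemTime, matched value)

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Hypothetical rule format (not the project's rules/*.json schema).
# Event IDs: 4688 = process creation, Sysmon 22 = DNS query,
# 7045 = service installed, 1102 = audit log cleared, 4740 = account lockout.
FIRST_OCCURRENCE_RULES = [
    {"name": "first launch of a process", "channel": "Security", "event_id": 4688,
     "key": "EventData.NewProcessName"},
    {"name": "first DNS query for a domain", "channel": SYSMON, "event_id": 22,
     "key": "EventData.QueryName"},
]
INTERESTING_EVENT_RULES = [
    {"name": "new service installed", "channel": "System", "event_id": 7045,
     "summary": "EventData.ServiceName"},
    {"name": "audit log cleared", "channel": "Security", "event_id": 1102},
    {"name": "user account locked out", "channel": "Security", "event_id": 4740,
     "summary": "EventData.TargetUserName"},
]


def get_field(event: Event, dotted_path: Optional[str]) -> Optional[Any]:
    """Walk a dotted path such as 'EventData.NewProcessName' below event['Event']."""
    if not dotted_path:
        return None
    node: Any = event["Event"]
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def event_id(event: Event) -> int:
    # evtx_dump renders EventID as a bare int, or as {"#attributes": {...}, "#text": n}
    # when the XML element carries attributes (e.g. Qualifiers); accept both forms.
    eid = event["Event"]["System"]["EventID"]
    return int(eid["#text"]) if isinstance(eid, dict) else int(eid)


def system_time(event: Event) -> str:
    return event["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"]


def matches(event: Event, rule: Dict[str, Any]) -> bool:
    return (event["Event"]["System"]["Channel"] == rule["channel"]
            and event_id(event) == rule["event_id"])


def hunt(events: List[Event], first_rules, interesting_rules) -> Dict[str, List[Hit]]:
    # Sort chronologically first: "first occurrence" is meaningless on unordered input.
    # ISO-8601 UTC strings of the same format sort correctly lexicographically.
    ordered = sorted(events, key=system_time)
    seen = set()
    first_hits: List[Hit] = []
    interesting_hits: List[Hit] = []
    for ev in ordered:
        for rule in first_rules:
            if not matches(ev, rule):
                continue
            value = get_field(ev, rule["key"])
            if value is None:
                continue
            # Windows paths and DNS names are case-insensitive, so track them lowercased.
            marker = (rule["name"], str(value).lower())
            if marker not in seen:
                seen.add(marker)
                first_hits.append((rule["name"], system_time(ev), str(value)))
        for rule in interesting_rules:
            if matches(ev, rule):
                value = get_field(ev, rule.get("summary"))
                interesting_hits.append(
                    (rule["name"], system_time(ev), None if value is None else str(value)))
    return {"first_occurrences": first_hits, "interesting_events": interesting_hits}


def _rec(time: str, channel: str, eid: Any, data: Optional[Dict[str, Any]] = None) -> Event:
    """Build one record in (simplified) evtx_dump JSON shape. Constructed sample data."""
    return {"Event": {"System": {"Channel": channel, "EventID": eid, "Computer": "WS01",
                                  "TimeCreated": {"#attributes": {"SystemTime": time}}},
                      "EventData": data or {}}}


# Constructed sample records; deliberately not in chronological order.
SAMPLE_EVENTS = [
    _rec("2021-05-25T10:00:05Z", "Security", 4688, {"NewProcessName": r"C:\Windows\System32\cmd.exe"}),
    _rec("2021-05-25T10:00:00Z", "Security", 4688, {"NewProcessName": r"C:\Windows\System32\cmd.exe"}),
    _rec("2021-05-25T10:01:00Z", "Security", 4688, {"NewProcessName": r"C:\Users\Public\update.exe"}),
    _rec("2021-05-25T10:01:30Z", SYSMON, 22, {"QueryName": "example.com"}),
    _rec("2021-05-25T10:02:00Z", SYSMON, 22, {"QueryName": "EXAMPLE.com"}),
    _rec("2021-05-25T10:03:00Z", "System", {"#attributes": {"Qualifiers": 16384}, "#text": 7045},
         {"ServiceName": "UpdSvc", "ImagePath": r"C:\Users\Public\update.exe"}),
    _rec("2021-05-25T09:59:00Z", "Security", 1102),
]


def run_sample() -> Dict[str, List[Hit]]:
    return hunt(SAMPLE_EVENTS, FIRST_OCCURRENCE_RULES, INTERESTING_EVENT_RULES)


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(kind)
        for name, when, value in hits:
            print(f"  {when}  {name}: {value}")
```

On the sample data this reports `cmd.exe` once (at 10:00:00, the earlier of its two records, even though that record is listed second), `update.exe` once, `example.com` once (the differently-cased repeat is suppressed), and two interesting events: the audit-log clear and the 7045 service install. In a real hunt the records would come from `evtx_dump --format json` over every collected EVTX file, which is exactly the volume where collapsing repeats to their first occurrence pays off.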
# Why evtx-hunter?
We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during
incident response activities.
We love tools like [Event Log Explorer](https://eventlogxp.com/)
and [Evtx Explorer](https://isc.sans.edu/forums/diary/Introduction+to+EvtxEcmd+Evtx+Explorer/25858/), but found them
best suited to deep dives into a specific EVTX file. Quickly spotting interesting activity across a large number
of EVTX events is what we were missing, and that gap was the reason to develop and release evtx-hunter.
# Requirements
evtx-hunter currently runs only on Windows because of its dependency on the
[EVTX Parsing](https://github.com/omerbenamram/EVTX) library, which is bundled with the tool.
It requires Python 3 (tested with ``python 3.9``; other Python 3 versions will most likely work).
# Installation
```
pip install -r requirements.txt
```
# Usage
```
python evtx_hunter.py
```
Once the EVTX files have been processed, a link on the command line will be printed to view the
generated report in your browser (typically http://127.0.0.1:8050/).
# Roadmap
We plan to continuously improve this tool in a few different ways, based on our experience
using it during incidents where EVTX files require investigation:
- Add new rules to spot new interesting activity in EVTX files;
- Improve how the information is presented in the resulting report;
- Make the reports interactive (live filtering & searching for example).
# Contributions
Everyone is invited to contribute!
If you are a user of the tool and have a suggestion for a new feature or a bug to report,
please do so through the issue tracker.
# Acknowledgements
Developed by Daan Raman, [@NVISO_labs](https://twitter.com/nviso_labs)
## External libraries
- EVTX Parsing: https://github.com/omerbenamram/EVTX
## License
evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).
[LICENSE](LICENSE)