Evtx hunter

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

From NVISOsecurity · Updated January 19, 2026 · Archived

The project is written primarily in Python, is distributed under the GNU General Public License v3.0, and was first published in 2021. Key topics include: csirt, evtx, incident-response, infosec, netsec.

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a large number of events quickly, making it suitable for use during investigations and hunting
activities across large collections of events.

(Screenshot: Report header)
(Screenshot: Example of a first time detection)

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed
in EVTX files. The tool comes with a few predefined rules to help you get going. These include
rules to spot, for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New rules can easily be added to support your own use cases:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing
    a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing
    the audit log or installing a new service.
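To make the two rule types concrete, here is an added example (illustrative code, not evtx-hunter's own implementation or rule format) that applies a first-occurrence rule set and an interesting-events rule set to a handful of constructed, already-parsed events. The rule dictionaries, field names and sample events are assumptions; the Event IDs are the standard Windows Security/System and Sysmon ones for these activities.

```python
from collections import defaultdict
# Constructed rules (not evtx-hunter's own format): the Windows Event ID to
# match and the field whose value is reported. IDs are the standard ones.
FIRST_OCCURRENCE_RULES = {
    "first process launch": {"event_id": 4688, "field": "NewProcessName"},
    "first DNS query": {"event_id": 22, "field": "QueryName"},  # Sysmon
    "first account lockout": {"event_id": 4740, "field": "TargetUserName"},
}
INTERESTING_EVENT_RULES = {
    "audit log cleared": {"event_id": 1102, "field": "SubjectUserName"},
    "new service installed": {"event_id": 7045, "field": "ServiceName"},
}

# Constructed sample events, already flattened to dicts (a real run would
# parse them out of EVTX files first), in TimeCreated order.
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-03-01T08:00:00Z", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2021-03-01T08:00:05Z", "EventID": 4688,
     "NewProcessName": r"c:\windows\system32\CMD.EXE"},  # same binary, no hit
    {"TimeCreated": "2021-03-01T08:01:00Z", "EventID": 22,
     "QueryName": "cdn.example.net"},
    {"TimeCreated": "2021-03-01T08:02:00Z", "EventID": 4688,
     "NewProcessName": r"C:\Users\Public\helper.exe"},
    {"TimeCreated": "2021-03-01T08:02:30Z", "EventID": 7045,
     "ServiceName": "HelperSvc"},
    {"TimeCreated": "2021-03-01T08:04:00Z", "EventID": 1102,
     "SubjectUserName": "jdoe"},
    {"TimeCreated": "2021-03-01T08:05:00Z", "EventID": 4740,
     "TargetUserName": "jdoe"},
]

def hunt(events):
    """Return (rule_name, TimeCreated, value) hits in event order. First-occurrence
    rules fire once per distinct value (case-insensitive); interesting ones always."""
    seen = defaultdict(set)  # rule name -> normalised values already reported
    hits = []
    for ev in events:
        for name, rule in FIRST_OCCURRENCE_RULES.items():
            if ev["EventID"] != rule["event_id"] or rule["field"] not in ev:
                continue
            value = ev[rule["field"]]
            # Windows paths, host names and user names are case-insensitive,
            # so normalise before deciding whether this value is new.
            if value.casefold() not in seen[name]:
                seen[name].add(value.casefold())
                hits.append((name, ev["TimeCreated"], value))
        for name, rule in INTERESTING_EVENT_RULES.items():
            if ev["EventID"] == rule["event_id"]:
                hits.append((name, ev["TimeCreated"], ev.get(rule["field"], "")))
    return hits
```

Run against the sample events, the second cmd.exe launch is suppressed as a repeat while the unfamiliar helper.exe, the service installation and the cleared audit log each produce a hit.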

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during
incident response activities.
We love tools like Event Log Explorer
and Evtx Explorer, but found them
best suited to a deep dive into a specific EVTX file - quickly spotting interesting activity across a large number
of EVTX events is something we were missing - and this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on the
EVTX Parsing library, which is included in the tool.

It requires Python (tested with Python 3.9, but any version >= 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link on the command line will be printed to view the
generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience
using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report,
please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).


This article is auto-generated from NVISOsecurity/evtx-hunter via the GitHub API. Last fetched: 6/27/2026.