NVISOsecurity/evtx-hunter NVISOsecurity/evtx-hunter

  • Stars
    star
    125
  • Rank 286,335 (Top 6 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
NVISOsecurity/evtx-hunter
github

NVISOsecurity

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a high number of events quickly, making it suitable for use during investigations and hunting activities across a high number of collected events.

Report header Example of a first time detection

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. The tool comes with a few predefined rules to help you get going. This includes rules to spot for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New use cases can easily be added to support your use case:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities. We love tools like Event Log Explorer and Evtx Explorer but found them most suited to deep dive into a specific EVTX file - quickly spotted interesting activity across a large number of EVTX events is something we were missing - this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on EVTX Parsing library, which is included in the tool.

It requires Python (tested in python 3.9 but any version >=python 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link on the command line will be printed to view the generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3). LICENSE

More Repositories

1

MagiskTrustUserCerts

A Magisk/KernelSU module that automatically adds user certificates to the system root CA store
Shell
1,519
star
2

posh-dsc-windows-hardening

Windows OS Hardening with PowerShell DSC
PowerShell
257
star
3

disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification
C++
241
star
4

CobaltWhispers

CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files (BOF) for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls (SysWhispers2) to bypass EDR/AV
C
218
star
5

ee-outliers

Open-source framework to detect outliers in Elasticsearch events
Python
205
star
6

binsnitch

Detect silent (unwanted) changes to files on your system
Python
153
star
7

pyCobaltHound

pyCobaltHound is an Aggressor script extension for Cobalt Strike which aims to provide a deep integration between Cobalt Strike and Bloodhound.
Python
136
star
8

frida-ios-playground

An iOS app that lets you practice your Frida skills
Swift
126
star
9

Interceptor

Interceptor is a kernel driver focused on tampering with EDR/AV solutions in kernel space
C++
115
star
10

brown-bags

C#
108
star
11

IOXY

MQTT intercepting proxy
Go
97
star
12

decompile-py2exe

Decompile py2exe Python 3 generated EXEs
Python
92
star
13

DInvisibleRegistry

DInvisibleRegistry
C#
81
star
14

blogposts

A repo to house files for our blogposts on blog.nviso.eu
C++
60
star
15

cs2br-bof

C
59
star
16

codasm

Payload encoding utility to effectively lower payload entropy.
Python
53
star
17

cyber-security-llm-agents

A collection of agents that use Large Language Models (LLMs) to perform tasks common on our day to day jobs in cyber security.
Jupyter Notebook
52
star
18

nviso-cti

YARA
40
star
19

nexus_5_bootloader_unpacker

A bootloader imgdata unpacker for Nexus 4, 5 and 7 smartphones as well as imgdata tool for Nexus 5.
C
25
star
20

FileSearcher

C#
22
star
21

logalert.py

Smart piping of command output to email for alerting.
Python
21
star
22

DLLoader

C++
16
star
23

SEC599-Resources

16
star
24

SEC599

SEC599 supporting GitHub repository
Shell
15
star
25

VerifiedBootRPi3

Verified Boot for RPi3
14
star
26

cobalt-strike-notifier

Python
13
star
27

YARA

Repository of YARA rules developed by NVISO
11
star
28

ansible-velociraptor

Ansible role for Velociraptor EDR
9
star
29

cloud-security-automation

PowerShell scripts used in the "Incident response in the cloud/ foggy with a ray of sunshine" conference talk
PowerShell
8
star
30

ansible-sysmon

Ansible role for sysmon
7
star
31

ansible-auditbeat

Ansible role for auditbeat install
7
star
32

ansible-thehive

Ansible role for installing The Hive & Cortex
6
star
33

BitSight-Automation-Tool

BitSight Automation was developed to automate certain manual procedures and extract information such as ratings, assets, findings, etc. This tool also provides the possibility to collaborate with Scheduled Tasks and cronjobs.
Python
6
star
34

ansible-windowslogconfig

Ansible role for configuring Windows security logs
5
star
35

ansible-caldera

Ansible role for MITRE caldera
5
star
36

assemblyline-service-cape

Assemblyline service build for CAPE's API
Python
4
star
37

ansible-elk

Ansible role for ELK stack install
4
star
38

ansible-winlogbeat

Ansible role for WinLogBeat
4
star
39

assemblyline-service-python-exe-unpacker

Python exe unpacker service
Python
3
star
40

ansible-covenant

Ansible role for Covenant
3
star
41

assemblyline-service-urlscanio

URLScan.io AL service
Python
3
star
42

assemblyline-service-clamav

Assemblyline service which submits a file to ClamAV and displays the result
Python
2
star
43

assemblyline-service-msg-extractor

Simple MSG extractor AssemblyLine service
Python
2
star
44

ansible-nexusrepo

Ansible role for Nexus Repository OSS
2
star
45

assemblyline-service-steg-finder

AssemblyLine service which scans for embedded data in image using StegExpose
Python
2
star
46

assemblyline-service-malware-bazaar

Assemblyline service fetching Malware Bazaar report
Python
2
star
47

caldex

Caldera exportation plugin to the MITRE ATT&CKâ„¢ Navigator.
Python
2
star
48

assemblyline-service-autoit-ripper

AutoIt unpacker service
Python
1
star
49

assemblyline-service-unfurl

Assemblyline service parsing a submitted URL to unshorten it.
Python
1
star
50

cortex.xsoar

The cortex.xsoar collection includes Ansible modules to help automate the management of Palo Alto Cortex XSOAR.
Python
1
star