Skip to content
This repository has been archived by the owner on Apr 14, 2024. It is now read-only.

NVISOsecurity/evtx-hunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

app

app

 
 

documentation/screenshots

documentation/screenshots

 
 

external

external

 
 

rules

rules

 
 

stylesheets

stylesheets

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

readme.md

readme.md

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a high number of events quickly, making it suitable for use during investigations and hunting activities across a high number of collected events.

Report header Example of a first time detection

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. The tool comes with a few predefined rules to help you get going. This includes rules to spot for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New use cases can easily be added to support your use case:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities. We love tools like Event Log Explorer and Evtx Explorer but found them most suited to deep dive into a specific EVTX file - quickly spotted interesting activity across a large number of EVTX events is something we were missing - this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on EVTX Parsing library, which is included in the tool.

It requires Python (tested in python 3.9 but any version >=python 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link on the command line will be printed to view the generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3). LICENSE

About

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Topics

incident-response csirt infosec threat-hunting netsec evtx

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

140 stars

Watchers

10 watching

Forks

25 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages