Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Last Activity View
  • Evtx analysis
  • DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI
  • WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA
  • EventID - Windows Events Search
  • APT-Hunter
  • Outlook files analysis
  • Stellar OST Viewer
  • View .msg files (from Outlook)
  • LogonTracer
  • Import larger 'security.evtx' files and parse them before
  • Dump Security EVTX files from Collectors ZIP files
  • Import the XML into LogonTracer

Was this helpful?

  1. Resources

Windows EventViewer Analysis | DFIR

Previousamcache.hveNextPrevent Windows shutdown after license expire

Last updated 5 months ago

Was this helpful?

In this article, we will show you some approaches to analyze some activity on Windows events

Last Activity View

Other tools from NirSoft can be observed and downloaded here.

Evtx analysis

  1. Create a new filter with the type of event ID or events between a specific date.

2. After create it, click on context menu and "Save As ...".

  1. Use a specific tool to analyze the logs.

Examples

DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA

EventID - Windows Events Search

APT-Hunter

Outlook files analysis

Stellar OST Viewer

View .msg files (from Outlook)

LogonTracer

Installation: Usage Neo4j 4.4.26

./neo4j console

LogonTracer:

python -m venv venv
source venv/bin/activate

$ pip3 install -r LogonTracer/requirements.txt

See installation manual: https://github.com/JPCERTCC/LogonTracer/wiki/for-linux

python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost

[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
 * Serving Flask app 'logontracer'
 * Debug mode: off

Acess: http://localhost:8081

Now load security.evtx logs from Windows.

Import larger 'security.evtx' files and parse them before

In some cases, we need to parse evtx files because a lot of junk is imported.

I created a rust script capable of filter larger files:

Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>

Options:
  -i, --input-path <INPUT_PATH>    Path to the .evtx file or directory
  -o, --output-file <OUTPUT_FILE>  Path to the output XML file
  -u, --users-file <USERS_FILE>    Path to the file with the list of owned users (optional)
  -s, --start-date <START_DATE>    Start date for filtering logs (format: YYYY-MM-DD) (optional)
  -e, --end-date <END_DATE>        End date for filtering logs (format: YYYY-MM-DD) (optional)
  -t, --threads <THREADS>          Optional number of threads (default is system maximum) [default: 12]
  -h, --help                       Print help
  -V, --version                    Print version

We can use an auxiliary file with owned users (users line by line).

./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26

Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)

Download the binary file from releases:

Dump Security EVTX files from Collectors ZIP files

import zipfile
import os
import shutil

# Lista das pastas
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Diretório de saída
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop por cada pasta para processar o ficheiro ZIP
for folder in folders:
    # Localizar qualquer arquivo ZIP que comece com "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefixo com o nome da pasta

            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Procurar o ficheiro Security.evtx dentro do ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extrair e renomear o ficheiro com o prefixo da pasta
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extraído: {output_file_path}")
                        break  # Parar após encontrar o Security.evtx
            break  # Prosseguir para a próxima pasta após encontrar um ZIP que comece com "Collection-"

Import the XML into LogonTracer

Before import the XML file, just one line needs to be updated on the logontracer.py:

Replace this: #if xml.startswith("<System>"

to:

if (xml.strip()).startswith('<System>'):):

After this change, upload the file and enjoy :)

LogoEvent Log Security - Windows Event Search
LogoGitHub - lolo101/MsgViewer: MsgViewer is email-viewer utility for .msg e-mail messages, implemented in pure Java. MsgViewer works on Windows/Linux/Mac Platforms. Also provides a java api to read mail messges (msg files) programmatically.GitHub
LogoGitHub - JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event logGitHub
https://www.nirsoft.net/utils/computer_activity_view.html
LogoGitHub - sirpedrotavares/evtx_to_xml: evtx_to_xmlGitHub
LogoDeepBlueCLI – PowerShell Module for Threat Hunting - Security InvestigationSecurity Investigation - Be the first to investigate