Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
    • Doppelganger: Cloning and Dumping LSASS (Win11)
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Last Activity View
  • Evtx analysis
  • DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI
  • WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA
  • EventID - Windows Events Search
  • APT-Hunter
  • Outlook files analysis
  • Stellar OST Viewer
  • View .msg files (from Outlook)
  • LogonTracer
  • Import larger 'security.evtx' files and parse them before
  • Dump Security EVTX files from Collectors ZIP files
  • Import the XML into LogonTracer

Was this helpful?

  1. Resources

Windows EventViewer Analysis | DFIR

Previousamcache.hveNextPrevent Windows shutdown after license expire

Last updated 7 months ago

Was this helpful?

In this article, we will show you some approaches to analyze some activity on Windows events

Last Activity View

Evtx analysis

  1. Create a new filter with the type of event ID or events between a specific date.

2. After create it, click on context menu and "Save As ...".

  1. Use a specific tool to analyze the logs.

Examples

EventID - Windows Events Search

Outlook files analysis

View .msg files (from Outlook)

LogonTracer

Installation: Usage Neo4j 4.4.26

./neo4j console

LogonTracer:

python -m venv venv
source venv/bin/activate

$ pip3 install -r LogonTracer/requirements.txt
python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost

[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
 * Serving Flask app 'logontracer'
 * Debug mode: off

Acess: http://localhost:8081

Now load security.evtx logs from Windows.

Import larger 'security.evtx' files and parse them before

In some cases, we need to parse evtx files because a lot of junk is imported.

I created a rust script capable of filter larger files:

Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>

Options:
  -i, --input-path <INPUT_PATH>    Path to the .evtx file or directory
  -o, --output-file <OUTPUT_FILE>  Path to the output XML file
  -u, --users-file <USERS_FILE>    Path to the file with the list of owned users (optional)
  -s, --start-date <START_DATE>    Start date for filtering logs (format: YYYY-MM-DD) (optional)
  -e, --end-date <END_DATE>        End date for filtering logs (format: YYYY-MM-DD) (optional)
  -t, --threads <THREADS>          Optional number of threads (default is system maximum) [default: 12]
  -h, --help                       Print help
  -V, --version                    Print version

We can use an auxiliary file with owned users (users line by line).

./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26

Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)

Download the binary file from releases:

Dump Security EVTX files from Collectors ZIP files

import zipfile
import os
import shutil

# Lista das pastas
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Diretório de saída
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop por cada pasta para processar o ficheiro ZIP
for folder in folders:
    # Localizar qualquer arquivo ZIP que comece com "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefixo com o nome da pasta

            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Procurar o ficheiro Security.evtx dentro do ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extrair e renomear o ficheiro com o prefixo da pasta
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extraído: {output_file_path}")
                        break  # Parar após encontrar o Security.evtx
            break  # Prosseguir para a próxima pasta após encontrar um ZIP que comece com "Collection-"

Import the XML into LogonTracer

Before import the XML file, just one line needs to be updated on the logontracer.py:

Replace this: #if xml.startswith("<System>"

to:

if (xml.strip()).startswith('<System>'):):

After this change, upload the file and enjoy :)

Other tools from NirSoft can be observed and downloaded .

DeepBlueCLI:

WELA (Windows Event Log Analyzer):

See installation manual:

here
https://github.com/sans-blue-team/DeepBlueCLI
https://github.com/Yamato-Security/WELA
APT-Hunter
Stellar OST Viewer
https://github.com/JPCERTCC/LogonTracer/wiki/for-linux
DeepBlueCLI – PowerShell Module for Threat Hunting - Security InvestigationSecurity Investigation - Be the first to investigate
Logo
Event Log Security - Windows Event Search
GitHub - lolo101/MsgViewer: MsgViewer is email-viewer utility for .msg e-mail messages, implemented in pure Java. MsgViewer works on Windows/Linux/Mac Platforms. Also provides a java api to read mail messges (msg files) programmatically.GitHub
GitHub - JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event logGitHub
GitHub - sirpedrotavares/evtx_to_xml: evtx_to_xmlGitHub
https://www.nirsoft.net/utils/computer_activity_view.html
Logo
Logo
Logo
Logo