Skip to content
/ sentinela Public

A simplified EVTX file parser wrapping 0xrawsec's golang-evtx module

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

KnightChaser/sentinela

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
sentinela.go
sentinela.go
 
 
sysmonEventReference.go
sysmonEventReference.go
 
 

Repository files navigation

sentinela

A simplified EVTX file parser wrapping 0xrawsec's golang-evtx module

Parse EVTX file to JSON

Install

go get -u "https://github.com/KnightChaser/sentinela"

Example Usage

  • Import sentinela
  • Prepare a filepath of target EVTX file(*.evtx). In case of Sysmon(System Monitor) running on Windows, the filepath will be C:/Windows/System32/winevt/Logs/icrosoft-Windows-Sysmon%4Operational.evtx generally.
  • call sentinela.ParseEVTX() to parse the given EVTX file. It will return the list of JSONified text of EVTX event element in the struct sentinela.SysmonEventStats.Event. Because parsed data is type of JSON, you can easily integrate with Golang JSON module like gjson(Go JSON).
// SysmonEventStats represents the statistics for a particular event.
type SysmonEventStats struct {
	Event []string // Parsed representation of the events
}
  • Example code
package main

import (
	"fmt"
	"log"

	"github.com/KnightChaser/sentinela"
	"github.com/tidwall/gjson"
)

func main() {
  // Sysmon(System Monitor) log file in Windows
	defaultWindowsLogDirectory := "C:/Windows/System32/winevt/Logs/"
	evtxFileName := "Microsoft-Windows-Sysmon%4Operational.evtx"
	sysmonEvtxFile := fmt.Sprintf("%s%s", defaultWindowsLogDirectory, evtxFileName)

	stats, err := sentinela.ParseEVTX(sysmonEvtxFile)
	if err != nil {
		log.Fatal(err)
	}

	// Display the statistics
	for _, stat := range stats.Event {
		fmt.Println(gjson.Get(stat, "Event.System"))
		fmt.Println("=========================================================================")
	}
}
  • The output of example code
PS C:\Users\3NR1QUE\Downloads\test> go run main.go
{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"Klojure","Correlation":{},"EventID":"10","EventRecordID":"408269","Execution":{"ProcessID":"7332","ThreadID":"9404"},"Keywords":"0x8000000000000000","Level":"4","Opcode":"0","Provider":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security":{"UserID":"S-1-5-18"},"Task":"10","TimeCreated":{"SystemTime":"2024-01-25T03:36:31.8616887Z"},"Version":"3"}
=========================================================================
(The rest of Sysmon event will be printed as Jsonified struct...)

Note for Sysmon EVTX parsing

Because sentinela is a wrapper module of 0xrawsec's golang-evtx for simplicity, the parsed EVTX event will have a form of golang-evtx. It will have form like below. A single Sysmon event in EVTX log file has a struct of Event which has EventData(Structure is different depending on the EventID) and System(The common system data for every event). You can take a look at sysmonEventReference.go to view EVTX struct in every possible Sysmon event.

Parsed Sysmon EVTX file(Microsoft-Windows-Sysmon%4Operational.evtx) will look like below. The below example is an event whose eventID is 13, meaning "RegistryEvent, Value set".

{
  "Event": {
    "EventData": {
      "Details": "Binary Data",
      "EventType": "SetValue",
      "Image": "C:\\Users\\3NR1QUE\\AppData\\Local\\GitHubDesktop\\app-3.3.8\\resources\\app\\git\\cmd\\git.exe",
      "ProcessGuid": "0B7407AF-DD5F-65B1-F51C-000000009101",
      "ProcessId": "41580",
      "RuleName": "-",
      "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-1836537592-2113019385-3592195212-1001\\\\Device\\HarddiskVolume3\\Windows\\System32\\conhost.exe",
      "User": "KLOJURE\\LUEX",
      "UtcTime": "2024-01-25 04:02:39.777"
    },
    "System": {
      "Channel": "Microsoft-Windows-Sysmon/Operational",
      "Computer": "Klojure",
      "Correlation": {},
      "EventID": "13",
      "EventRecordID": "421022",
      "Execution": {
        "ProcessID": "7332",
        "ThreadID": "9404"
      },
      "Keywords": "0x8000000000000000",
      "Level": "4",
      "Opcode": "0",
      "Provider": {
        "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
        "Name": "Microsoft-Windows-Sysmon"
      },
      "Security": {
        "UserID": "S-1-5-18"
      },
      "Task": "13",
      "TimeCreated": {
        "SystemTime": "2024-01-25T04:02:39.7802812Z"
      },
      "Version": "2"
    }
  }
}

Or you can just export EVTX file to JSON file directly.

package main

import (
	"github.com/KnightChaser/sentinela"
)

func main() {
	sentinela.ParseEVTXtoJSON("C:\\Users\\3NR1QUE\\Downloads\\example_000.evtx",
		"C:\\Users\\3NR1QUE\\Downloads\\example_000_sentinela_converted.json")
}

(TIP) Install Sysmon

Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
  • Start Sysmon with the prepared configuration file.
./Sysmon64.exe –accepteula –i C:\Windows\config.xml   # 64 bits
./Sysmon.exe -accepteula -i C:\Windows\config.xml     # 32 bits

About

A simplified EVTX file parser wrapping 0xrawsec's golang-evtx module

Topics

go opensource parsing sysmon evtx

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages