Skip to content
This repository has been archived by the owner on Apr 14, 2024. It is now read-only.
/ evtx-hunter Public archive

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

License

Notifications You must be signed in to change notification settings

NVISOsecurity/evtx-hunter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a high number of events quickly, making it suitable for use during investigations and hunting activities across a high number of collected events.

Report header Example of a first time detection

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. The tool comes with a few predefined rules to help you get going. This includes rules to spot for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New use cases can easily be added to support your use case:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities. We love tools like Event Log Explorer and Evtx Explorer but found them most suited to deep dive into a specific EVTX file - quickly spotted interesting activity across a large number of EVTX events is something we were missing - this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on EVTX Parsing library, which is included in the tool.

It requires Python (tested in python 3.9 but any version >=python 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link on the command line will be printed to view the generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3). LICENSE

About

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published