Correct a bug in MiniGUI #76

Merged
merged 1 commit into from
Mar 29, 2024
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -32,7 +32,7 @@ Help is available with `zircolite.py -h`. If your EVTX files have the extension

```shell
# python3 zircolite.py --evtx <EVTX FOLDER or EVTX FILE> --ruleset <SIGMA RULESET> [--ruleset <OTHER RULESET>]
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon_pysigma.json
```

The SYSMON ruleset employed is a default one, intended for analyzing logs from endpoints with SYSMON installed.
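Review bot: the PR title says "Correct a bug in MiniGUI", but this hunk (and every other text hunk in the diff) only swaps `rules/rules_windows_sysmon.json` for `rules/rules_windows_sysmon_pysigma.json` in documentation. Please confirm that `rules/rules_windows_sysmon_pysigma.json` is actually shipped in the `rules` directory at this revision, since a stale path here makes the README's very first command fail for new users, and retitle the PR (or extend its description) so the history records a ruleset rename rather than a GUI fix.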
Expand All @@ -42,7 +42,7 @@ The SYSMON ruleset employed is a default one, intended for analyzing logs from e
```shell
python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd
python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon.json --jsononly
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon_pysigma.json --jsononly
```

:information_source: If you want to try the tool you can test with [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) (EVTX Files).
28 changes: 14 additions & 14 deletions docs/Advanced.md
Expand Up @@ -27,7 +27,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
```shell
find <CASE_DIRECTORY> -maxdepth 1 -mindepth 1 -type d | \
parallel --bar python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

One downside of this mode is that if you have less computer evidences than CPU Cores, they all will not be used.
Expand All @@ -39,7 +39,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
```shell
find <CASE_DIRECTORY> -type f -name "*.| \
parallel -j -1 --progress python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

In this example the `-j -1` is for using all cores but one. You can adjust the number of used cores with this arguments.
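Review bot: the unchanged context line `find <CASE_DIRECTORY> -type f -name "*.| \` in this hunk is broken: the `-name` pattern is missing its extension and its closing quote, so the pipeline as documented will not run. Since this example is being edited anyway, fix the pattern in the same change (an `.evtx` glob would match the `--evtx {}` argument on the following line). The sentence below, "with this arguments", should also read "with this argument".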
Expand Down Expand Up @@ -70,20 +70,20 @@ To speed up the detection process, you may want to use Zircolite on files matchi
- Only use EVTX files that contains "sysmon" in their names

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select sysmon
```
- Exclude "Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx"

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--avoid systemdataarchiver
```

- Only use EVTX files with "operational" in their names but exclude "defender" related logs

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select operational --avoid defender
```

Expand All @@ -92,7 +92,7 @@ For example, the **Sysmon** ruleset available in the `rules` directory only use
So if you use the sysmon ruleset with the following rules, it should speed up `Zircolite`execution :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select sysmon --select security.evtx --select system.evtx \
--select application.evtx --select Windows-NTLM --select DNS \
--select powershell --select defender --select applocker \
Expand All @@ -113,14 +113,14 @@ Examples :
- Select all events between the 2021-06-02 22:40:00 and 2021-06-02 23:00:00 :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
-A 2021-06-02T22:40:00 -B 2021-06-02T23:00:00
```

- Select all events after the 2021-06-01 12:00:00 :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
-A 2021-06-01T12:00:00
```

Expand All @@ -132,7 +132,7 @@ The filter will apply on the rule title. To avoid unexpected side-effect **compa

```shell
python3 zircolite.py --evtx logs/ \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
-R MSHTA
```

Expand Down Expand Up @@ -160,7 +160,7 @@ If you forward your events to a central collector you can disable local logging
If you have multiple endpoints to scan, it is useful to send the detected events to a central collector. As of v1.2, Zircolite can forward detected events to an HTTP server :

```shell
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "http://address:port/uri"
```
An **example** server called is available in the [tools](https://github.com/wagga40/Zircolite/tree/master/tools/zircolite_server/) directory.
Expand All @@ -173,7 +173,7 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk
2. Get your token and you are ready to go :

```shell
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
[--index myindex]
```
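Review bot: the example passes the HEC token in plain text on the command line (`--token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`), where it lands in shell history and is visible to other local users through the process list. Worth a sentence in this section pointing readers at a safer way to supply it (an environment variable or a file, if Zircolite supports either), or at least a reminder to treat that history line as a secret once the scan is done.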
Expand All @@ -187,7 +187,7 @@ Since Splunk HEC default to the first associated index, `--index` is optional bu
As of version 2.8.0, Zircolite can forward events to an ELK stack using the ES client.

```shell
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "https://x.x.x.x:8088" --index "zircolite-whatever" \
--eslogin "yourlogin" --espass "yourpass"
```
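Review bot: the ELK example looks copied from the Splunk HEC example above it: `--remote "https://x.x.x.x:8088"` keeps the Splunk HEC port, whereas an Elasticsearch endpoint normally listens on 9200, so a reader following this verbatim will point Zircolite at the wrong service. The same concern about credentials on the command line applies to `--espass "yourpass"`; consider mentioning an alternative to passing the password inline.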
Expand All @@ -214,7 +214,7 @@ Zircolite provides a templating system based on Jinja 2. It allows you to change
- `--templateOutput <output_filename>`

```shell
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--template templates/exportForSplunk.tmpl --templateOutput exportForSplunk.json
```

Expand All @@ -237,7 +237,7 @@ You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template

```shell
python3 zircolite.py --evtx sample.evtx
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--template templates/exportForZircoGui.tmpl --templateOutput data.js
7z x gui/zircogui.zip
mv data.js zircogui/
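Review bot: the first line of this block, `python3 zircolite.py --evtx sample.evtx`, has no trailing backslash, so the shell runs it as a complete command (with no ruleset) and then tries to execute `--ruleset rules/rules_windows_sysmon_pysigma.json \` as a separate command; add the ` \` continuation so the three lines form one invocation, as in every other example in this file.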
14 changes: 7 additions & 7 deletions docs/Usage.md
Expand Up @@ -86,10 +86,10 @@ Multiple rulesets can be specified, results can be per-ruleset or combined (with

```shell
# Example with a Zircolite ruleset and a Sigma rule. Results will be displayed per-ruleset
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--ruleset schtasks.yml
# Example with a Zircolite ruleset and a Sigma rule. Results will be displayed combined
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--ruleset schtasks.yml --combine-rulesets
```

Expand All @@ -107,7 +107,7 @@ If your evtx files have the extension ".evtx" :
```shell
python3 zircolite.py --evtx <EVTX_FOLDER/EVTX_FILE> \
--ruleset <Converted Sigma ruleset (JSON)/Directory with Sigma rules (YAML)/>
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon_pysigma.json
```

### XML logs
Expand Down Expand Up @@ -140,7 +140,7 @@ And it produces something like this (1 event per line):
```shell
python3 zircolite.py --events <LOGS_FOLDER_OR_LOG_FILE> --ruleset <RULESET> --xml
python3 zircolite.py --events Microsoft-Windows-SysmonOperational.xml \
--ruleset rules/rules_windows_sysmon_full.json --xml
--ruleset rules/rules_windows_sysmon_pysigma.json --xml
```

### EVTXtract logs
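Review bot: this is the only hunk where the replaced path was `rules/rules_windows_sysmon_full.json` rather than `rules/rules_windows_sysmon.json`. If the `_full` ruleset still exists, the XML example now silently points at a different ruleset than before; either keep `rules_windows_sysmon_full.json` here or state in the PR description that the full ruleset has been removed or renamed as well, so the docs and the `rules` directory stay in step.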
Expand Down Expand Up @@ -552,7 +552,7 @@ docker build . -t <Image name>
docker container run --tty \
--volume <Logs folder>:/case
wagga40/zircolite:latest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--events /case \
--outfile /case/detected_events.json
```
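Review bot: `--volume <Logs folder>:/case` on the second line has no trailing backslash, so the `docker container run` command ends there and `wagga40/zircolite:latest \` is executed as a separate, failing command; add the continuation. Separately, the block opens with `docker build . -t <Image name>` but then runs `wagga40/zircolite:latest` instead of `<Image name>`, so the locally built image is never used; use the same name in both steps.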
Expand All @@ -575,7 +575,7 @@ docker run --rm --tty \
-v <EVTX folder>:/case/input:ro \
-v <Results folder>:/case/output \
wagga40/zircolite:latest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--events /case/input \
-o /case/output/detected_events.json
```
Expand All @@ -587,6 +587,6 @@ You can use the Docker image available on [Docker Hub](https://hub.docker.com/r/
```shell
docker container run --tty \
--volume <EVTX folder>:/case docker.io/wagga40/zircolite:lastest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--evtx /case --outfile /case/detected_events.json
```
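Review bot: the image tag in the context line `docker.io/wagga40/zircolite:lastest` is misspelled (`lastest`), so the pull fails before Zircolite runs; fix it to `latest` while this block is being touched. This block also uses `--evtx /case` where the two Docker blocks above use `--events`; fine if both flags are accepted, but the three examples should be consistent so readers do not assume one of them is wrong.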
Binary file modified docs/Zircolite_manual.pdf
Binary file not shown.
Binary file modified gui/zircogui.zip
Binary file not shown.
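Review bot: `docs/Zircolite_manual.pdf` and `gui/zircogui.zip` are replaced as opaque binaries with no corresponding source change in the diff, so the "bug in MiniGUI" named in the title cannot be reviewed here. Please include the edit to the GUI source files (or the commit that regenerates the zip) together with a description of what changed, and regenerate the PDF from the Markdown in a reproducible step; merging unreviewable binary blobs on trust is exactly what a repository's review process exists to avoid.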