Hunting Evil by parsing Windows Event Logs files

Table of Contents
  1. About The Project
  2. Usage
  3. Roadmap
  4. Contributing
  5. License
  6. Contributors
  7. Acknowledgment

About The Project

An incident response tool that parses Windows Event Logs and exports infection-related events from many log files. The selection of relevant events mainly follows the SANS Hunt Evil poster.

What's new:

  • One command to analyze all the different infection-related event log files.
  • One Excel file for every SANS category, with a separate sheet for every event ID.
  • A map of the analysis organized by the categories of the SANS poster.
  • Tables of statistics giving the number of indicators found for every infection vector.
  • Export of useful events with their important attributes in CSV format for further manual analysis.
  • Analysis of both EVT and EVTX files.


Built With

All parsers are built with two different techniques:

  • LogParser
    • This is the default option, as it is time-efficient and stable.
  • WinEvent
    • This is the flexible and programmable option: you can add your own code for extra analysis.
    • Use the -winevent parameter to parse the logs with WinEvent.

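The WinEvent option is the programmable path. As an added illustration, not code from the Evilize project, the following PowerShell script applies the same Get-WinEvent approach to one exported Security.evtx file: it selects a few logon and process-creation event IDs, flattens each record's EventData fields into columns, writes one CSV per event ID (the "one sheet per event ID" layout) and prints a per-ID count (the "statistics" view). The file path, the Results folder name, the event ID list and the function name ConvertTo-FlatEvent are assumptions chosen for the example.

```powershell
# Added example (not part of the Evilize project): the Get-WinEvent pattern that the
# "WinEvent" option describes, applied to one exported Security.evtx file.
# The path, output folder, event ID list and function name are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)]
    [string]$EvtxPath,   # e.g. C:\Users\username\Downloads\Events\EventLogs\Security.evtx (exported copy, not the live log)
    [string]$OutDir = (Join-Path (Split-Path $EvtxPath -Parent) 'Results'),
    [int[]]$EventIds = @(4624, 4625, 4648, 4672, 4688)   # logon success/failure, explicit creds, special privileges, process creation
)

# Turn one event record into a flat object: fixed header fields plus every
# <Data Name="..."> element from the EventData section of the event's XML.
function ConvertTo-FlatEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $row = [ordered]@{
        TimeCreated = $Record.TimeCreated
        EventId     = $Record.Id
        Computer    = $Record.MachineName
        RecordId    = $Record.RecordId
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Filter by ID inside the event log reader (fast) instead of piping every record through Where-Object.
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = $EventIds } -ErrorAction SilentlyContinue

# One CSV per event ID; records sharing an ID share the same EventData field names, so columns line up.
$events | Group-Object Id | ForEach-Object {
    $rows = $_.Group | ForEach-Object { ConvertTo-FlatEvent $_ }
    $rows | Export-Csv -Path (Join-Path $OutDir "Security_$($_.Name).csv") -NoTypeInformation
}

# Summary table: number of matching records per event ID.
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count |
    Sort-Object EventId |
    Format-Table -AutoSize
```

Run it as .\Parse-SecurityEvtx.ps1 "C:\Users\username\Downloads\Events\EventLogs\Security.evtx" (the script name is also an assumption). Because -FilterHashtable is evaluated by the event log reader rather than in PowerShell, the ID filter stays cheap even when a case contains hundreds of thousands of records; the LogParser option performs the same selection with a SQL-style query over the same files. Event IDs from other logs (for example service installation in System.evtx) need the matching .evtx file, since the Path key reads one file at a time.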

Usage

  • Clone the repo, or download it as a Zip file and extract it:
    git clone https://github.com/AhmedKamal1432/Evilize.git
  • Change directory to the repo folder.
  • Run .\Evilize.ps1 with the path to the event log files:
    .\Evilize.ps1 "C:\Users\username\Downloads\Events\EventLogs\" -security
  • Don't run it on the local log files in "C:\Windows\System32\winevt\Logs".
  • The tool creates a Results folder for the csv/xlsx files inside the event logs path.
    • Excel sheet
  • To use WinEvent instead of LogParser to parse the same logs, use the -winevent parameter:
    .\Evilize.ps1 -winevent "C:\Users\username\Downloads\Events\EventLogs\"
  • For more examples, please refer to the Wiki.


Roadmap

  • [v1.1.0] Implement Source events parsers
  • [v1.2.0] Multithreaded parsers
  • [v1.2.0] Date/Time filters

See the open issues for a full list of proposed features (and known issues).


Contributing

Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request


License

Distributed under the GPL-3.0 License. See LICENSE.txt for more information.


Contributors

Acknowledgments
