EricZimmerman / evtx

C# based evtx parser with lots of extras
MIT License

Group similar events in the same second #181

Closed Tapiocapioca closed 2 years ago

Tapiocapioca commented 2 years ago

Hello to everybody, I am trying to extract the events 4626 from a really big EVTX database. The tool is working really great, but for each Logon I have 3 events. Is it possible to collect 3 events in 1?

The events are like:

User1 - Logon - 15:01:02
User1 - Logon - 15:01:05
User1 - Logon - 15:01:08

I tried to use the option tdt to collapse them, but I think I didn't really understand the meaning of this option. If it is the right way to group the events into one, can I have an example of how to use it?

Thank you to everybody.

AndrewRathbun commented 2 years ago

Can you provide an example evtx or example output so we can see better what you're referring to? I'm confused as to why you'd want this. Is this from a Domain Controller set with the Active Directory role? If so, you'll likely see this very commonly.

Tapiocapioca commented 2 years ago

Sure, I will try to explain better.

I am extracting the data from the Domain Controller; the Logon and Logoff events of all users are in Active Directory. I am getting multiple events really close together for logon and logoff, but human resources just want to know if the users log on one time in the morning and one time in the afternoon, so for them less data is better.

Below is an example with my account when logging off.

{"PayloadData1":"Target: company1\\user1","PayloadData2":"LogonType 7","PayloadData3":"LogonId: 0x1BC85D4","MapDescription":"An account was logged off","ChunkNumber":214,"Computer":"computer1.company1.it","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-1059714951-3368157977-15935\"},{\"@Name\":\"TargetUserName\",\"#text\":\"user1\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"company1\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x1BC85D4\"},{\"@Name\":\"LogonType\",\"#text\":\"7\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4634,"EventRecordId":"892802","ProcessId":540,"ThreadId":18116,"Level":"LogAlways","Keywords":"Audit success","SourceFile":"C:\\Windows\\System32\\winevt\\Logs\\Security.evtx","ExtraDataOffset":0,"HiddenRecord":false,"TimeCreated":"2021-12-22T15:05:11.6604755+00:00","RecordNumber":892802}

{"PayloadData1":"Target: company1\\user1","PayloadData2":"LogonType 2","PayloadData3":"LogonId: 0x1BC7E6F","MapDescription":"An account was logged off","ChunkNumber":214,"Computer":"computer1.company1.it","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-1059714951-3368157977-15935\"},{\"@Name\":\"TargetUserName\",\"#text\":\"user1\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"company1\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x1BC7E6F\"},{\"@Name\":\"LogonType\",\"#text\":\"2\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4634,"EventRecordId":"892803","ProcessId":540,"ThreadId":4908,"Level":"LogAlways","Keywords":"Audit success","SourceFile":"C:\\Windows\\System32\\winevt\\Logs\\Security.evtx","ExtraDataOffset":0,"HiddenRecord":false,"TimeCreated":"2021-12-22T15:05:11.7182638+00:00","RecordNumber":892803}

{"PayloadData1":"Target: company1\\user1","PayloadData2":"LogonType 2","PayloadData3":"LogonId: 0x1BC7E53","MapDescription":"An account was logged off","ChunkNumber":214,"Computer":"computer1.company1.it","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-1059714951-3368157977-15935\"},{\"@Name\":\"TargetUserName\",\"#text\":\"user1\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"company1\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x1BC7E53\"},{\"@Name\":\"LogonType\",\"#text\":\"2\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4634,"EventRecordId":"892804","ProcessId":540,"ThreadId":4908,"Level":"LogAlways","Keywords":"Audit success","SourceFile":"C:\\Windows\\System32\\winevt\\Logs\\Security.evtx","ExtraDataOffset":0,"HiddenRecord":false,"TimeCreated":"2021-12-22T15:05:11.7183244+00:00","RecordNumber":892804}

{"PayloadData1":"Target: company1\\user1","PayloadData2":"LogonType 7","PayloadData3":"LogonId: 0x1BC7EC6","MapDescription":"An account was logged off","ChunkNumber":214,"Computer":"computer1.company1.it","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-1059714951-3368157977-15935\"},{\"@Name\":\"TargetUserName\",\"#text\":\"user1\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"company1\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x1BC7EC6\"},{\"@Name\":\"LogonType\",\"#text\":\"7\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4634,"EventRecordId":"892807","ProcessId":540,"ThreadId":592,"Level":"LogAlways","Keywords":"Audit success","SourceFile":"C:\\Windows\\System32\\winevt\\Logs\\Security.evtx","ExtraDataOffset":0,"HiddenRecord":false,"TimeCreated":"2021-12-22T15:05:11.8637471+00:00","RecordNumber":892807}

You can see this is an event 4634; it is correct that we have multiple records. What I want is to collapse all the data into one, or delete 3 events and keep only one, if they are in the same minute. The requirement from my human resources is something like this: they are not interested in having all the data, just a confirmation that the user is active.

I hope it is possible to do it :)

Anyway, thank you for your help.

AndrewRathbun commented 2 years ago

You should be able to do this in Excel by making the timestamp a bit more broad or zeroing out the subseconds. Then, remove duplicates and you should be left with a more generalized list, I'd think. Give that a try.

Or tell HR to be careful what they ask for. They just might get it 😎

In all seriousness, data manipulation is a huge part of the job, i.e. making the raw data into something easier to digest. If you're not using a powerful text editor to make your life easier, you should be. I would do what I specified above but I don't think Eric doing any coding on this would be fair. EVTXECmd has a specific purpose and this edge case would be better served with manipulation of the output on the backend IMO.
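The post-processing Andrew describes (truncate the timestamp, then de-duplicate), written out as an added Python example that is not part of this thread and not EvtxECmd's own code. It consumes EvtxECmd JSON lines in the shape posted above, groups records by Computer, EventId, target user and a time bucket, keeps the first record of each group, and carries the count of collapsed records and their LogonIds so the reduction stays auditable. The sample records are constructed for the example (modelled on the ones posted above, same field names: TimeCreated, EventId, Computer, Payload, TargetUserName, TargetDomainName, TargetLogonId); the `bucket_seconds` parameter and all function names are this example's own.

```python
"""Collapse near-duplicate EvtxECmd JSON records into one row per user, event and time bucket."""
import json
import re
from collections import OrderedDict
from datetime import datetime, timezone


def _record(event_id, user, logon_id, logon_type, time_created, record_no):
    """Build one JSON line in the shape of the EvtxECmd output posted above (constructed data)."""
    payload = {"EventData": {"Data": [
        {"@Name": "TargetUserName", "#text": user},
        {"@Name": "TargetDomainName", "#text": "company1"},
        {"@Name": "TargetLogonId", "#text": logon_id},
        {"@Name": "LogonType", "#text": logon_type},
    ]}}
    return json.dumps({
        "PayloadData1": "Target: company1\\" + user,
        "MapDescription": "An account was logged off" if event_id == 4634
        else "An account was successfully logged on",
        "Computer": "computer1.company1.it",
        "Payload": json.dumps(payload),  # EvtxECmd stores the payload as a JSON string
        "Channel": "Security",
        "EventId": event_id,
        "EventRecordId": str(record_no),
        "TimeCreated": time_created,
        "RecordNumber": record_no,
    })


# Constructed sample: four 4634 logoffs for user1 inside one second (as in the thread),
# one for user2 in the same second, a 4624 logon a minute later, and a fifth user1
# logoff 48 seconds later (same minute, different second).
SAMPLE_JSONL = "\n".join([
    _record(4634, "user1", "0x1BC85D4", "7", "2021-12-22T15:05:11.6604755+00:00", 892802),
    _record(4634, "user1", "0x1BC7E6F", "2", "2021-12-22T15:05:11.7182638+00:00", 892803),
    _record(4634, "user1", "0x1BC7E53", "2", "2021-12-22T15:05:11.7183244+00:00", 892804),
    _record(4634, "user1", "0x1BC7EC6", "7", "2021-12-22T15:05:11.8637471+00:00", 892807),
    _record(4634, "user2", "0x1BC8000", "2", "2021-12-22T15:05:11.9000000+00:00", 892808),
    _record(4624, "user1", "0x1BC9000", "2", "2021-12-22T15:06:30.1234567+00:00", 892850),
    _record(4634, "user1", "0x1BC9100", "7", "2021-12-22T15:05:59.0000000+00:00", 892860),
])

_FRACTION = re.compile(r"\.\d+")


def parse_time_created(ts):
    """Turn EvtxECmd's TimeCreated (7-digit fraction plus offset) into an aware UTC datetime.
    The fraction is stripped first: datetime.fromisoformat before Python 3.11 rejects 7 digits."""
    return datetime.fromisoformat(_FRACTION.sub("", ts)).astimezone(timezone.utc)


def event_data(record):
    """Flatten the nested Payload string into a {Name: text} dict."""
    payload = json.loads(record.get("Payload") or "{}")
    items = payload.get("EventData", {}).get("Data", [])
    return {d.get("@Name"): d.get("#text") for d in items if isinstance(d, dict)}


def collapse(lines, bucket_seconds=60):
    """Keep one row per (Computer, EventId, target user, time bucket).

    The first record in each group is kept; the number of records folded into it and
    their LogonIds are carried along so the reduction stays auditable.
    """
    groups = OrderedDict()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        data = event_data(rec)
        user = "%s\\%s" % (data.get("TargetDomainName", ""), data.get("TargetUserName", ""))
        epoch = int(parse_time_created(rec["TimeCreated"]).timestamp())
        bucket = epoch - epoch % bucket_seconds  # floor to the bucket boundary
        key = (rec.get("Computer"), rec.get("EventId"), user, bucket)
        group = groups.get(key)
        if group is None:
            groups[key] = {
                "Computer": rec.get("Computer"),
                "EventId": rec.get("EventId"),
                "User": user,
                "Bucket": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "MapDescription": rec.get("MapDescription"),
                "FirstRecordNumber": rec.get("RecordNumber"),
                "Collapsed": 1,
                "LogonIds": [data.get("TargetLogonId")],
            }
        else:
            group["Collapsed"] += 1
            group["LogonIds"].append(data.get("TargetLogonId"))
    return list(groups.values())


if __name__ == "__main__":
    for row in collapse(SAMPLE_JSONL.splitlines(), bucket_seconds=60):
        print(row["Bucket"], row["EventId"], row["User"],
              "collapsed=%d" % row["Collapsed"],
              ",".join(str(x) for x in row["LogonIds"]))
```

`bucket_seconds=60` gives the "same minute" reduction asked for in the thread, `bucket_seconds=1` the "same second" of the issue title. Keeping the `Collapsed` count and the `LogonIds` list in the output is deliberate: each LogonId is a distinct session, and the summary HR receives can then be traced back to the exact Security.evtx records it was derived from.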

EricZimmerman commented 2 years ago

Yea this use case is outside the scope of what the tool would do out of the box.