Closed AndrewRathbun closed 1 year ago
+10. I think I still have the test data (or I'll make it) for ScreenConnect's evtx; otherwise EvtxECmd can't process this data properly.
If you can share an event log, or Andrew has one, it would be easier to make sure this works before releasing it.
I will try to generate one on a VM tomorrow if you don't already have one lying around @randomaccess3
Yeah I'll have to generate one as I can't provide the case one
Looks like ScreenConnect has rebranded to ConnectWise and no longer has the unique GUID in the Provider name, i.e., ScreenConnect Client (541dec3e-3a80-4e1a-aa60-1bd40e11674d). It's now just ScreenConnect. I will have to dig up a case that has the old format with the GUID and report back.
"It's now just ScreenConnect"
My work here is done.
Heh, TAs are still using old versions. Had this 3ish weeks ago.
Phill Moore, linkedin.com/in/phill-moore www.thisweekin4n6.com www.thinkdfir.com twitter.com/phillmoore
Yep, agreed. I will have to dig up an old Application.evtx from a previous case and provide it to Eric internally.
I found an evtx and provided it internally to Eric
Example: ScreenConnect Client (5ae95abc-4f89-472e-b13a-7e35e2e00679) as the Provider
This is what the new provider format will look like:
Provider: regex:"ScreenConnect Client (.+)"
It is up to the end user to make sure they write a valid regex.
Adding this now.
In reviewing this, it's not gonna work.
Right now, the map lookups work like this:
0-APPLICATION-REGEX:"SCREENCONNECT CLIENT (.+)"
where that's
event id - source log - provider
That key is being used on a dictionary, so it's instant. Adding regex support means iterating through hundreds of maps tens of thousands of times, so I will have to shelve this for now until I can think of a different way to support this.
Sorry.
Nothing is broken here. The ScreenConnect events are still in the CSV though; you just have to look at the PayloadData outside of a map.
Once the version stops using the GUID, maps work. So making one is not a waste, just without the GUID.
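The comments above describe two things: the EventID-Channel-Provider dictionary key that makes map lookups instant, and the cost of checking a regex provider against every event. The following Python sketch is an added example, not code from the evtx project or from anyone in this thread. It keeps the exact dictionary lookup as the fast path and only walks the regex maps on a miss, caching the answer (hit or miss) per distinct key, so the regex list is scanned once per distinct provider rather than once per event. The `regex:"..."` provider syntax, the `MapResolver` class, the sample map definitions and the sample events (the two GUID providers quoted in this thread, the new GUID-less name, and one made-up provider that must not map) are all assumptions for illustration.

```python
import re

REGEX_PREFIX = "regex:"

# Constructed map definitions (assumed shape, not the evtx project's own map format):
# (EventID, Channel, Provider). A provider beginning with "regex:" is treated as a
# pattern, mirroring the 'Provider: regex:"..."' line quoted in the thread.
SAMPLE_MAPS = [
    (0, "Application", "ScreenConnect"),                        # new name, no GUID
    (0, "Application", r'regex:"ScreenConnect Client \(.+\)"'),  # GUID-suffixed name
]

# Constructed sample events: two GUID providers quoted in the thread, the new
# GUID-less provider name, and one unrelated (made-up) provider that must not map.
SAMPLE_EVENTS = [
    (0, "Application", "ScreenConnect Client (541dec3e-3a80-4e1a-aa60-1bd40e11674d)"),
    (0, "Application", "ScreenConnect Client (5ae95abc-4f89-472e-b13a-7e35e2e00679)"),
    (0, "Application", "ScreenConnect"),
    (0, "Application", "ContosoBackupAgent"),
]


def make_key(event_id, channel, provider):
    """Build the lookup key in the EventID-Channel-Provider shape quoted in the
    thread, upper-cased so the dictionary lookup is case-insensitive."""
    return f"{event_id}-{channel}-{provider}".upper()


class MapResolver:
    """Exact dictionary lookup first; regex maps are scanned only on a miss, and
    the result (a key or None) is cached per distinct event key, so the regex
    list is walked once per distinct provider instead of once per event."""

    def __init__(self, maps):
        self.exact = {}
        self.regex = []          # (event_id, CHANNEL, compiled pattern, map key)
        self._cache = {}         # distinct event key -> map key or None
        self.regex_scans = 0     # how many times the slow path actually ran
        for event_id, channel, provider in maps:
            key = make_key(event_id, channel, provider)
            if provider.lower().startswith(REGEX_PREFIX):
                pattern = provider[len(REGEX_PREFIX):].strip('"')
                compiled = re.compile(pattern, re.IGNORECASE)
                self.regex.append((str(event_id), channel.upper(), compiled, key))
            else:
                self.exact[key] = key

    def resolve(self, event_id, channel, provider):
        """Return the key of the map that applies to this event, or None."""
        key = make_key(event_id, channel, provider)
        hit = self.exact.get(key)
        if hit is not None:
            return hit                       # fast path: plain dictionary lookup
        if key in self._cache:
            return self._cache[key]          # already decided for this provider
        self.regex_scans += 1                # slow path: walk the regex maps once
        hit = None
        for map_eid, map_chan, pattern, map_key in self.regex:
            if (map_eid == str(event_id) and map_chan == channel.upper()
                    and pattern.fullmatch(provider)):
                hit = map_key
                break
        self._cache[key] = hit
        return hit


def resolve_many(resolver, events):
    """Resolve every event; return (events that hit a map, regex scans performed)."""
    hits = sum(1 for e in events if resolver.resolve(*e) is not None)
    return hits, resolver.regex_scans


if __name__ == "__main__":
    r = MapResolver(SAMPLE_MAPS)
    # 10,000 events from four distinct providers: three map, one does not, and
    # the regex list is walked only three times (once per non-exact key).
    print(resolve_many(r, SAMPLE_EVENTS * 2500))
```

The pattern is written as `ScreenConnect Client \(.+\)` so the literal parentheses are pinned; the unescaped `ScreenConnect Client (.+)` from the thread also matches these providers, because `.+` inside the capture group simply absorbs the parentheses and GUID. The memoisation only pays off because the set of distinct providers in a log is small compared with the number of events; a regex that needs to see per-event data rather than the provider name would not benefit from it.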
EvtxECmd version: Current
Is your feature request related to a problem? Please describe.
Regex support for the Provider field.
Describe the solution you'd like
Regex support for the Provider field.
Describe alternatives you've considered
For Providers like ScreenConnect, there is no alternative. It's ScreenConnect Client (random values here).
Additional context
Would be great to add regex support so we could make Maps for a very popular remote access tool commonly used by threat actors.