Closed EdwardsCP closed 4 years ago
don't think the log is corrupted (see below XML view of the same event file), it was recorded on a Windows 7 VM; those issues are often related to the EventMessageFile (https://docs.microsoft.com/en-us/troubleshoot/windows/win32/troubleshoot-event-message-not-found) DLL version used to format the event message.
It's strange, because I see the same on the XML view in Event Viewer, but the general view shows the misalignment the same as PowerShell's Get-WinEvent cmdlet.
Even opening it on a Win7 system, I'm getting the same.
I think this may be because the logs were collected with an older version of sysmon. Version 10 (which I'm using) added OriginalFilename as the 10th element in the list, and that seems to be where the misalignment starts. In the screenshot above, "c:\Windows\System32\calc.exe" should be CommandLine, and everything else after that shifted down one.
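The version-skew explanation above, as an added Python example (not code from the issue or the repository): it parses a constructed Sysmon Event ID 1 record by the Name attribute of each EventData element, then maps the same values positionally onto the v10+ field order (the order of the output quoted in this thread) to show the CommandLine value landing under OriginalFileName and every later field shifting, and reports which template names the event lacks. The older-schema sample record, and its IntegrityLevel and TerminalSessionId values, are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 1 record as shown in the EVTX XML view, mimicking an
# older Sysmon schema: no OriginalFileName element between Company and CommandLine.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData>
<Data Name="RuleName"></Data><Data Name="UtcTime">2019-05-12 13:38:01.297</Data>
<Data Name="ProcessGuid">{365ABB72-21B9-5CD8-0000-0010FC002700}</Data><Data Name="ProcessId">704</Data>
<Data Name="Image">C:\Windows\System32\calc.exe</Data>
<Data Name="FileVersion">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name="Description">Windows Calculator</Data><Data Name="Product">Microsoft Windows Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data><Data Name="CommandLine">"C:\Windows\System32\calc.exe"</Data>
<Data Name="CurrentDirectory">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name="User">IEWIN7\IEUser</Data>
<Data Name="LogonGuid">{365ABB72-1596-5CD8-0000-0020103A0100}</Data>
<Data Name="LogonId">0x13a10</Data><Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0</Data>
<Data Name="ParentProcessGuid">{365ABB72-21B8-5CD8-0000-0010E4E82600}</Data><Data Name="ParentProcessId">2964</Data>
<Data Name="ParentImage">C:\Windows\System32\mshta.exe</Data>
<Data Name="ParentCommandLine">"C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"</Data>
</EventData></Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Field order of the Process Create message as rendered by Sysmon v10+, which
# inserted OriginalFileName as the 10th field (order taken from the output in this thread).
V10_TEMPLATE = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine", "CurrentDirectory",
    "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine"]

def _data_elements(xml_text):
    return ET.fromstring(xml_text).find("e:EventData", NS)

def event_data_by_name(xml_text):
    """Map fields by their Name attribute: correct regardless of Sysmon version."""
    return {d.get("Name"): (d.text or "") for d in _data_elements(xml_text)}

def event_data_by_position(xml_text, template):
    """Zip values onto a message template positionally, which is how a mismatched
    template renders the event: a field missing from the data shifts all later ones."""
    return dict(zip(template, [(d.text or "") for d in _data_elements(xml_text)]))

def missing_template_fields(xml_text, template):
    """Names the template expects but the event lacks; a non-empty result means a
    positional rendering of this event is misaligned from the first missing name onward."""
    present = set(event_data_by_name(xml_text))
    return [n for n in template if n not in present]
```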
yes probably that's the reason (sysmon vers), though not sure 100% :)
Seems that's what it is. Closing out the issue.
I'm trying to use some of these sample evtx files to test a new PowerShell tool, and I'm having trouble parsing them. It seems they may be corrupt and the event data/messages aren't formatted correctly? For example, see the output I'm getting below, where the process Hashes are showing as the "IntegrityLevel" instead of "Hashes". I don't have that same problem with sysmon evtx files I generate here. Any thoughts?
Process Create:
RuleName:
UtcTime: 2019-05-12 13:38:01.297
ProcessGuid: {365ABB72-21B9-5CD8-0000-0010FC002700}
ProcessId: 704
Image: C:\Windows\System32\calc.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: Windows Calculator
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: "C:\Windows\System32\calc.exe"
CommandLine: c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
CurrentDirectory: IEWIN7\IEUser
User: {365ABB72-1596-5CD8-0000-0020103A0100}
LogonGuid: 0x13a10
LogonId: 0x1
TerminalSessionId: 0
IntegrityLevel:
SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1
Hashes: {365ABB72-21B8-5CD8-0000-0010E4E82600}
ParentProcessGuid: 2964
ParentProcessId: 0
ParentImage: "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
ParentCommandLine: %22