Invalid Argument

[MyraBaba]

python .\zircolite.py --evtx .\7\ --rules C:\PURE7\rules.json

Traceback (most recent call last): File "C:\RE7\Zircolite\zircolite.py", line 2713, in main() File "C:\RE7\Zircolite\zircolite.py", line 2622, in main zircoliteCore.run(LogJSONList, saveToFile=args.keepflat, args_config=args) File "C:\RE7\Zircolite\zircolite.py", line 1227, in run flattener.runAll(EVTXJSONList) File "C:\RE7\Zircolite\zircolite.py", line 830, in runAll results = self.run(evtxJSON) File "C:\RE7\Zircolite\zircolite.py", line 777, in run with open(str(file), "r", encoding="utf-8") as JSONFile: OSError: [Errno 22] Invalid argument: 'tmp-6W5YO034\ID400-800-CrackMapExec payload execution.evtx-R0YQ824M.json'

[wagga40]

This is typically the error that appears when the AV trigger on the temp files. I recommend you to add Zircolite directory to AV exclusions. Did you check, your AV logs ?

[MyraBaba]

@wagga40

Hi I have good case for you. rules.json and evtx files. hayabusa took 390 sec zircolite took 1400sec.

I can share the data privately if you want to examine.

Best

PS: if you put elapsed time for each event result in screen printing good for debug

[wagga40]

I can share the data privately if you want to examine.

yeah I’m interested, how do you want to proceed ?

[MyraBaba]

give me your email pls

[MyraBaba]

@wagga40

I can send links for rules and evtx zip for test to your email.

As far as I see its take too long for some queries.

ie: 17.000 result.. takes too long to query.

hayabusa always around 4 min - 5 min.

[MyraBaba]

@wagga40

more diagnosis clues:

same log and same json rules:

on my vmware windows 10 took 297 sconds

on another server ; vmware win server 2019 took 14500 seconds. !

both machine hayabusa 300 seconds

[wagga40]

email : seringues-06.phyla@icloud.com

did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 (very unstable, csv output not working)

Sometimes memory is quite the bottleneck and the rulesets have to be tailored because somes rules are very noisy and take long time to execute.

[MyraBaba]

is zircolite.py or zircolite_dev.py ?

Only gettin above file is enough or need full repo ?

Will prepare you VMware image for same test

Best

On 31 Oct 2024, at 21:18, Wagga @.***> wrote:

email : @. @.> did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 https://github.com/wagga40/Zircolite/tree/v3.0 (very unstable, csu output not working)

— Reply to this email directly, view it on GitHub https://github.com/wagga40/Zircolite/issues/94#issuecomment-2450543004, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEFRZH7WZLZPCK2QAZWPAADZ6JX6BAVCNFSM6AAAAABQXUDBSKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJQGU2DGMBQGQ. You are receiving this because you authored the thread.

[wagga40]

You should use zircolite_dev.py

Normally it should work only with this file

[MyraBaba]

Hayabusa Almost 5-7 times faster . But I believe we can catch its speed.

PS: I am preparing the VMware image

Best

On 31 Oct 2024, at 21:18, Wagga @.***> wrote:

email : @. @.> did you try with the v3 version in the dev branch ? https://github.com/wagga40/Zircolite/tree/v3.0 https://github.com/wagga40/Zircolite/tree/v3.0 (very unstable, csu output not working)

— Reply to this email directly, view it on GitHub https://github.com/wagga40/Zircolite/issues/94#issuecomment-2450543004, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEFRZH7WZLZPCK2QAZWPAADZ6JX6BAVCNFSM6AAAAABQXUDBSKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJQGU2DGMBQGQ. You are receiving this because you authored the thread.

[wagga40]

I sent you an email address in a previous answer, could you share your samples ?

[wagga40]

Whith the news version (https://github.com/wagga40/Zircolite/tree/v3.0) of Zircolite and default ruleset or your ruleset, it took 23 sec.

RAM and Storage speed (SSD vs non SSD) can change the results.

[wagga40]

I've tested in a Windows VM. It took 44 sec