williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0

parse data from dirty chunks #85

Open xambroz opened 1 year ago

xambroz commented 1 year ago

Hello, during HTB CTF 2023 I have noticed that neither evtx_dump.py nor evtx_dump_json has the complete data. There is an event in the attached sysmon log about executing "rclone", but it is not visible using python-evtx:

Not displayed event: "C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" config create remote mega user majmeret@protonmail.com pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI

workaround: using https://github.com/libyal/libevtx or https://github.com/WithSecureLabs/chainsaw

Best regards Michal Ambroz

xambroz commented 1 year ago

Microsoft-Windows-Sysmon%4Operational.evtx.zip

xambroz commented 1 year ago

python-evtx doesn't display records from the dirty chunks

$ evtx_info.py Microsoft-Windows-Sysmon%4Operational.evtx
Information from file header:
Format version  : 3.2
Flags           : 0x00000001
File is         : dirty
Log is full     : no
Current chunk   : 0 of 1
Oldest chunk    : 1
Next record#    : 1
Check sum       : pass

Suspected updated header values (header is dirty):
Current chunk   : 1 of 1
Next record#    : 58

Information from chunks:
  Chunk file (first/last)     log (first/last)      Header Data
- ----- --------------------- --------------------- ------ ------
*     1          1        57           1        57   pass   pass
      2         58        96          58        96   pass   pass
      3     [EMPTY]
      4     [EMPTY]
      5     [EMPTY]
      6     [EMPTY]
      7     [EMPTY]
      8     [EMPTY]
      9     [EMPTY]
     10     [EMPTY]
     11     [EMPTY]
     12     [EMPTY]
     13     [EMPTY]
     14     [EMPTY]
     15     [EMPTY]
     16     [EMPTY]
     17     [EMPTY]

evtx_dump.py exports only events 1-57. evtxexport from https://github.com/libyal/libevtx exports events 1-96
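An added example, not code from python-evtx or from this report, that shows where the missing records sit: a stand-alone scanner that walks every 64 KiB chunk slot after the ElfFile header, verifies each ElfChnk header and record-data CRC32, and lists the record ids that a reader bounded by the header's "number of chunks" field would never reach. The ElfFile/ElfChnk field offsets follow the published EVTX layout; the sample log it builds is constructed to mirror the evtx_info.py output above (a dirty header still claiming one chunk while two verified chunks holding records 1-57 and 58-96 are on disk) and carries only record framing, no binary XML event bodies.

```python
"""Walk every EVTX chunk slot and report what each holds (added example, not
python-evtx code). A dirty header's chunk count can lag behind what is on disk,
so every slot is checked by signature and CRC32 instead of trusting it."""
import struct
import zlib
from collections import namedtuple
from typing import List, Optional, Tuple

HEADER_SIZE = 0x1000   # ElfFile header block
CHUNK_SIZE = 0x10000   # each ElfChnk chunk is 64 KiB
FLAG_DIRTY = 0x1
RECORD_MAGIC = 0x2A2A  # b"\x2a\x2a\x00\x00" as a little-endian uint32

FileHeader = namedtuple("FileHeader", "oldest_chunk current_chunk next_record_id "
                                      "chunk_count flags checksum_ok")
# index is 1-based, as evtx_info.py numbers chunks
Chunk = namedtuple("Chunk", "index first_record_id last_record_id "
                            "header_checksum_ok data_checksum_ok record_ids")


def parse_file_header(buf: bytes) -> FileHeader:
    """Decode the ElfFile header; its CRC32 covers the first 120 bytes."""
    if buf[:8] != b"ElfFile\x00":
        raise ValueError("missing ElfFile signature")
    oldest, current, next_id = struct.unpack_from("<QQQ", buf, 8)
    chunk_count = struct.unpack_from("<H", buf, 42)[0]
    flags, checksum = struct.unpack_from("<II", buf, 120)
    return FileHeader(oldest, current, next_id, chunk_count, flags,
                      zlib.crc32(buf[:120]) == checksum)


def parse_chunk(buf: bytes, index: int) -> Optional[Chunk]:
    """Decode one ElfChnk slot; None means the slot is empty/unused."""
    if buf[:8] != b"ElfChnk\x00":
        return None
    first_id, last_id = struct.unpack_from("<QQ", buf, 24)
    free_space_off, data_checksum = struct.unpack_from("<II", buf, 48)
    header_checksum = struct.unpack_from("<I", buf, 124)[0]
    # The header CRC skips bytes 120..127 (unknown field plus the CRC itself).
    header_ok = zlib.crc32(buf[:120] + buf[128:512]) == header_checksum
    data_ok = zlib.crc32(buf[512:free_space_off]) == data_checksum
    record_ids, off = [], 512
    while off + 28 <= free_space_off:
        magic, size, rec_id = struct.unpack_from("<IIQ", buf, off)
        if magic != RECORD_MAGIC or size < 28 or off + size > free_space_off:
            break
        if struct.unpack_from("<I", buf, off + size - 4)[0] != size:
            break  # every record repeats its size in its last four bytes
        record_ids.append(rec_id)
        off += size
    return Chunk(index, first_id, last_id, header_ok, data_ok, record_ids)


def scan(data: bytes) -> Tuple[FileHeader, List[Chunk]]:
    """Parse the header, then every chunk slot regardless of chunk_count."""
    header = parse_file_header(data[:HEADER_SIZE])
    chunks = []
    for i, off in enumerate(range(HEADER_SIZE, len(data), CHUNK_SIZE), 1):
        chunk = parse_chunk(data[off:off + CHUNK_SIZE], i)
        if chunk is not None:
            chunks.append(chunk)
    return header, chunks


def records_beyond_header(data: bytes) -> List[int]:
    """Record ids in verified chunks that a chunk_count-bounded reader skips."""
    header, chunks = scan(data)
    return [rid for c in chunks
            if c.index > header.chunk_count and c.header_checksum_ok and c.data_checksum_ok
            for rid in c.record_ids]


# --- constructed sample: realistic framing, but no binary XML payload ---
def build_record(rec_id: int) -> bytes:
    payload = b"\x00" * 8  # stand-in for the BinXML event body
    size = 24 + len(payload) + 4
    head = struct.pack("<IIQQ", RECORD_MAGIC, size, rec_id, 0)  # magic, size, id, FILETIME
    return head + payload + struct.pack("<I", size)


def build_chunk(first_id: int, last_id: int) -> bytes:
    records = [build_record(i) for i in range(first_id, last_id + 1)]
    body = b"".join(records)
    free_space_off = 512 + len(body)
    hdr = bytearray(512)
    hdr[:8] = b"ElfChnk\x00"
    struct.pack_into("<QQQQ", hdr, 8, first_id, last_id, first_id, last_id)
    struct.pack_into("<III", hdr, 40, 128, free_space_off - len(records[-1]), free_space_off)
    struct.pack_into("<I", hdr, 52, zlib.crc32(body))
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120]) + bytes(hdr[128:512])))
    return (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")


def build_sample_log() -> bytes:
    """Dirty log mirroring the issue: header claims one chunk, two are on disk."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQ", hdr, 8, 1, 0, 1)  # oldest chunk, current chunk, next record id
    struct.pack_into("<IHHHH", hdr, 32, 128, 2, 3, HEADER_SIZE, 1)  # ..., chunk_count = 1
    struct.pack_into("<I", hdr, 120, FLAG_DIRTY)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr) + build_chunk(1, 57) + build_chunk(58, 96)
```

Run `scan(open(path, "rb").read())` on a real log to get the same per-chunk checksum verdicts the evtx_info.py table prints; `records_beyond_header` then names exactly the records that disappear when a reader stops at the header's chunk count. Chunks whose CRCs fail are deliberately excluded, since a dirty log may hold a partially written chunk, and the ids it yields still need a BinXML decoder (as in python-evtx or libevtx) to become events.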