yarox24 / EvtxHussar

Initial triage of Windows Event logs
MIT License

"Description" column placeholders are not being replaced with relevant data in Excel output files. #4

Closed RHinDFIR closed 1 year ago

RHinDFIR commented 1 year ago

Version: 1.6b - EvtxHussar1.6b_windows_amd64.zip
Operating System: Windows 11 Pro 22H2

Ran with elevated privileges through PowerShell 7

Issue: The "Description" column placeholders are not being replaced with relevant data in Excel output files.

PowerShell Output:

[SNIP]
2:10PM INF Generating list of .evtx files in provided paths...
2:10PM INF Inspecting 169 found .evtx files
2:10PM INF Finished inspecting
2:10PM INF Send to processing: 9 files
2:10PM INF Summary nr_of_empty_evtx=51 nr_of_invalid_evtx=0
2:10PM INF Start processing
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManagerOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced SecurityFirewall.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-WinRMOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-Windows DefenderOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Microsoft-Windows-PowerShellOperational.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Windows PowerShell.evtx
2:10PM INF Dirty file detected: [SNIP]\Windows\system32\winevt\Logs\Security.evtx
2:10PM INF Results saved to excel format - L2: AV_WindowsDefender | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: WinRMUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\Application.evtx
2:10PM INF Results saved to excel format - L2: AV_SymantecNetwork | Hostname: REDACTED | Nr of source files: 1
2:10PM ERR Chunk parsing error: [SNIP]\Windows\system32\winevt\Logs\System.evtx
2:10PM INF 64 Scriptblocks saved | PowerShellScriptBlock | REDACTED
2:10PM INF Results saved to excel format - L2: AuditLogCleared | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: AuditPolicyChanged | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: AccountsUserRelatedOperations | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: ProcessCreation | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: General_BootupRestartShutdown | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: RDPUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ServicesUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: ScheduledTasks_CreationModification | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: LogonsUniversal | Hostname: REDACTED | Nr of source files: 1
2:10PM INF Results saved to excel format - L2: FirewallUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF Results saved to excel format - L2: PowerShellUniversal | Hostname: REDACTED | Nr of source files: 2
2:10PM INF End processing

Excel Output:

(screenshot of the Excel output not reproduced)

yarox24 commented 1 year ago

The Description column is not processed any further. It is just a copy from the yaml definition.

In definition for event 7040 there is: https://github.com/yarox24/EvtxHussar/blob/a39d33d1e338c8675ee2ed6a381f426279836383/maps/Services_System.yaml#L42

and by design it's only copied without further processing, providing only a generic message. I don't consider this a bug.

My mistake here is that I put those X, A to B, so it may be confusing; I will remove all "placeholders" in the next version.

The message you are looking for, e.g. like: The start type of the %1 service was changed from %2 to %3 with substituted fields like %1 => Windows Update

is related to a more complex topic which requires:

Example of messages database (SQLite format): https://github.com/Velocidex/evtx-data/blob/master/welm/welm_combined.db
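The substitution step the comment above refers to, as an added example that is not part of this issue and not EvtxHussar's own code: the %N placeholders of a provider's message string are filled from the ordered Data elements of the record's EventData. The messageTemplates map is a hypothetical stand-in for a lookup against a message database such as welm_combined.db, and the 7040 record is a constructed sample, not output from the tool.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strconv"
)

// Minimal model of an EVTX record rendered as XML. Only the parts needed
// for message substitution are modelled; field names follow the Windows
// event XML schema.
type eventData struct {
	Data []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:",chardata"`
	} `xml:"Data"`
}

type event struct {
	XMLName   xml.Name  `xml:"Event"`
	EventID   int       `xml:"System>EventID"`
	EventData eventData `xml:"EventData"`
}

// Hypothetical in-memory stand-in for a message-string database. A real
// lookup is keyed per provider and message ID, not by event ID alone.
var messageTemplates = map[int]string{
	7040: "The start type of the %1 service was changed from %2 to %3",
}

// Matches %1, %2, ... %10 (greedy digits, so %10 is not read as %1 + "0").
var placeholderRe = regexp.MustCompile(`%(\d+)`)

// renderMessage replaces %N with the N-th field (1-based). A reference to
// a field that is not present is left as-is so the gap stays visible in
// the output instead of being silently blanked.
func renderMessage(template string, fields []string) string {
	return placeholderRe.ReplaceAllStringFunc(template, func(m string) string {
		n, err := strconv.Atoi(m[1:])
		if err != nil || n < 1 || n > len(fields) {
			return m
		}
		return fields[n-1]
	})
}

// DescribeEvent parses one rendered record and returns its human-readable
// message, or an error if the record cannot be parsed or has no template.
func DescribeEvent(rawXML string) (string, error) {
	var ev event
	if err := xml.Unmarshal([]byte(rawXML), &ev); err != nil {
		return "", fmt.Errorf("parsing event xml: %w", err)
	}
	tmpl, ok := messageTemplates[ev.EventID]
	if !ok {
		return "", fmt.Errorf("no message template for event id %d", ev.EventID)
	}
	fields := make([]string, 0, len(ev.EventData.Data))
	for _, d := range ev.EventData.Data {
		fields = append(fields, d.Value)
	}
	return renderMessage(tmpl, fields), nil
}

// Constructed sample record for Service Control Manager event 7040.
const sample7040 = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7040</EventID></System>
  <EventData>
    <Data Name="param1">Windows Update</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">wuauserv</Data>
  </EventData>
</Event>`

func main() {
	msg, err := DescribeEvent(sample7040)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(msg)
}
```

Leaving an unresolvable %N in place rather than dropping it is deliberate: for triage it is better to see that a field was missing than to read a message that looks complete but is not.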

yarox24 commented 1 year ago

Initial changes in commit: https://github.com/yarox24/EvtxHussar/commit/d19f4d5972e5497472c1fc32252a4e97cbe3c4f0