EvtxHussar

Initial triage of Windows Event logs. This is beta quality software.

Input data

• .evtx - Windows event log files coming from various hosts or single host

Output data

• Chart generation (Event frequency distribution of all *.evtx files)
• Subset of events based on event ID's defined in maps (e.g. System 104 - The log file was cleared.)
• Events useful for forensics
• One of the following output formats: CSV, JSON, JSONL, Excel
• Default output format Excel
• Files with the same computer name are merged

Example output

Chart (HTML)

Live chart demo

Subset of columns only (Click for fullscreen preview)

Output directory structure

Interesting features

• Logon related events dumping
• Reconstruction of PowerShell Scriptblocks
• Powershell -enc is automatically decoded
• Scheduled Tasks XML parsing
• Audit changes
• Boot up/Restart/Shutdown events = SMB related events
• Merge events from different sources (e.g. Microsoft-Windows-PowerShellOperational_General and Windows PowerShell) to single output file
• Deduplication of events (so you can provide logs from backup, VSS, archive)
• Supported events can be easily added by adding .yaml files to maps/ directory
• Parameters resolution (e.g. %%1936 changed to TokenElevationTypeDefault (1))
• Fields resolution (e.g. servicestarttype = 2 is replaced with "Auto start")
• Fields with different names are normalized to single field (whenever possible) e.g. Filename -> TargetFileName

Which events are supported?

Please look into maps/ (which contains Layer 1 maps)

Quick usage

Parse events (C:\evtx_compromised_machine\*.evtx) from single host to default Excel format (also generate chart)

EvtxHussar.exe -o C:\evtxhussar_results C:\evtx_compromised_machine

Parse events (C:\evtx_many_machines\*\*.evtx) from many machines recursively saving them with JSONL format

EvtxHussar.exe -f jsonl -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only 2 files (Security.evtx and System.evtx) and save them with CSV format

EvtxHussar.exe -f csv -o C:\evtxhussar_results C:\evtx_compromised_machine\Security.evtx C:\evtx_compromised_machine\System.evtx

Parse events with 100 workers (1 worker = 1 Evtx file handled) Default: 30

EvtxHussar.exe -w 100 -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with custom maps relevant to incident

EvtxHussar.exe -m C:\incident_specific_maps -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse only with selected Layer2 maps e.g. PowerShellUniversal,PowerShellScriptBlock

EvtxHussar.exe --includeonly PowerShellUniversal,PowerShellScriptBlock -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse with all Layer2 maps but exclude e.g. FirewallUniversal

EvtxHussar.exe --excludeonly FirewallUniversal -r -o C:\evtxhussar_results C:\evtx_many_machines

Generate chart only

EvtxHussar.exe --includeonly ChartOnly -r -o C:\evtxhussar_results C:\evtx_many_machines

Parse events only (disable chart generation)

EvtxHussar.exe -c none -r -o C:\evtxhussar_results C:\evtx_many_machines

Usage (as Velociraptor plugin)

https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.evtxhussar/

Blog article

:memo: https://atos.net/en/lp/securitydive/how-to-accelerate-analysis-of-windows-event-logs

Help

Usage: EvtxHussar [--recursive] [--output_dir OUTPUT_DIR] [--format FORMAT] [--workers WORKERS] [--maps MAPS] [--templates TEMPLATES] [--includeonly INCLUDEONLY] [--excludeonly EXCLUDEONLY] [--chart CHART] [--scriptblockxor] [--debug] [INPUT_EVTX_PATHS [INPUT_EVTX_PATHS ...]]

Positional arguments:
  INPUT_EVTX_PATHS       Path(s) to .evtx files or directories containing these files (can be mixed)

Options:
  --recursive, -r        Recursive traversal for any input directories. [default: false]
  --output_dir OUTPUT_DIR, -o OUTPUT_DIR
                         Reports will be saved in this directory (if doesn't exists it will be created)
  --format FORMAT, -f FORMAT
                         Output data in one of the formats: Csv,JSON,JSONL,Excel [default: Excel]
  --workers WORKERS, -w WORKERS
                         Max concurrent workers (.evtx opened) [default: 30]
  --maps MAPS, -m MAPS   Custom directory with maps/ (Default: program directory)
  --templates TEMPLATES, -t TEMPLATES
                         Directory with Apache Echarts template (Default: program directory)
  --includeonly INCLUDEONLY, -i INCLUDEONLY
                         Include only Layer2 maps present on the list comma separated (Name taken from YAML) [default: {[]}]
  --excludeonly EXCLUDEONLY, -e EXCLUDEONLY
                         Start with all Layer2 maps and exclude only maps present on the comma separated list (Name taken from YAML) [default: {[]}]
  --chart CHART, -c CHART
                         Generate frequency chart of all .evtx files (Not only the ones supported by maps). Valid values: html,none [default: html]
  --scriptblockxor, -x   Apply XOR on reconstructed PS ScriptBlocks with key 'Y' (0x59) to prevent deletion by AV [default: false]
  --debug, -d            Be more verbose [default: false]
  --help, -h             display this help and exit
  --version              display version and exit

Then the winged hussars arrived, coming down they turned the tide