Overview

Introduction

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

It can process a large number of events quickly, making it suitable for investigations and hunting activities across large collections of events.

[Figure: Report header]

[Figure: Example of a first time detection]

What is evtx-hunter

evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. The tool comes with a few predefined rules to help you get going. These include rules to spot, for example:

  • The first time a certain DNS domain is queried;
  • The first time a certain process is launched;
  • New service installations;
  • User account lockouts;
  • ...

New rules can easily be added to support your own use case:

  • rules/first_occurence.json: monitor the first time something happens that matches the rule, such as installing a new (malicious) service or using a compromised user account.

  • rules/interesting_events.json: monitor each time something happens that matches the rule, such as clearing the audit log or installing a new service.
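
The difference between the two rule types, as an added example that is not evtx-hunter's own code: the rule dictionaries, their keys and the sample events are constructed for illustration and do not reflect the project's JSON schema. Events are sorted by time before matching, because records merged from several EVTX files are not in order.

```python
# Added illustration. RULE LAYOUT IS HYPOTHETICAL, not evtx-hunter's JSON schema.
from datetime import datetime

# Constructed sample events (flattened EVTX records), deliberately out of order,
# as happens when several EVTX files are merged.
EVENTS = [
    {"time": "2023-01-10T08:05:00", "event_id": 4688, "NewProcessName": r"C:\WINDOWS\system32\cmd.exe"},
    {"time": "2023-01-10T08:00:01", "event_id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2023-01-10T08:10:00", "event_id": 22, "QueryName": "example.test"},
    {"time": "2023-01-10T08:12:00", "event_id": 22, "QueryName": "example.test"},
    {"time": "2023-01-10T08:20:00", "event_id": 7045, "ServiceName": "UpdaterSvc"},
    {"time": "2023-01-10T08:15:00", "event_id": 7045, "ServiceName": "UpdaterSvc"},
    {"time": "2023-01-10T08:30:00", "event_id": 1102},
]

FIRST_OCCURRENCE_RULES = [  # report a value only the first time it is seen
    {"name": "First launch of a process", "event_id": 4688, "field": "NewProcessName"},
    {"name": "First query of a DNS domain", "event_id": 22, "field": "QueryName"},  # Sysmon
]
INTERESTING_EVENT_RULES = [  # report every match
    {"name": "Audit log cleared", "event_id": 1102},
    {"name": "New service installed", "event_id": 7045},
    {"name": "User account locked out", "event_id": 4740},
]

def by_time(events):
    """Order events chronologically so 'first' really means earliest."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))

def first_occurrences(events, rules):
    """Return one hit per distinct (rule, field value): the earliest event."""
    seen, hits = set(), []
    for ev in by_time(events):
        for rule in rules:
            value = ev.get(rule["field"])
            if ev["event_id"] != rule["event_id"] or value is None:
                continue
            key = (rule["name"], value.lower())  # paths and DNS names: case-insensitive
            if key not in seen:
                seen.add(key)
                hits.append((ev["time"], rule["name"], value))
    return hits

def interesting_events(events, rules):
    """Return a hit for every event whose ID matches a rule."""
    names = {r["event_id"]: r["name"] for r in rules}
    return [(ev["time"], names[ev["event_id"]])
            for ev in by_time(events) if ev["event_id"] in names]
```
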

Why evtx-hunter?

We developed evtx-hunter to quickly process a large volume of events stored in EVTX dump files during incident response activities. We love tools like Event Log Explorer and Evtx Explorer but found them most suited to deep dives into a specific EVTX file. Quickly spotting interesting activity across a large number of EVTX events is something we were missing, and this was the reason to develop and release evtx-hunter.

Requirements

evtx-hunter only runs on Windows due to its dependency on the EVTX parsing library, which is included in the tool.

It requires Python (tested with Python 3.9, but any version >= Python 3.0 will most likely work).

Installation

pip install -r requirements.txt

Usage

python evtx_hunter.py <evtx_folder>

Once the EVTX files have been processed, a link is printed on the command line to view the generated report in your browser (typically http://127.0.0.1:8050/).

Roadmap

We plan to continuously improve this tool in a few different ways, based on our experience using it during incidents where EVTX files require investigation:

  • Add new rules to spot new interesting activity in EVTX files;
  • Improve how the information is presented in the resulting report;
  • Make the reports interactive (live filtering & searching for example).

Contributions

Everyone is invited to contribute!

If you are a user of the tool and have a suggestion for a new feature or a bug to report, please do so through the issue tracker.

Acknowledgements

Developed by Daan Raman, @NVISO_labs

External libraries

License

evtx-hunter is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).
