Hunting Evil by parsing Windows Event Logs files
Explore the docs »
Report Bug
·
Request Feature
Table of Contents
About The Project
An incident response tool parses Windows Event Logs to export infection-related logs across many log files. Mainly following Hunt Evil SANS Poster to choose related events.
what's new:
- One command to analyze all different infection-related Event logs files.
- One Excel file for every SANS catagory with multiple sheets for every event ID
- Having a map of analysis based on different categories based on SANS Poster.
- Tables of statistics of the number of indicators in every infections vector.
- Export useful events with important attributes in CSV format for extra manual analysis.
- Analyizing EVT and EVTX files
Built With
All Parsers are build with 2 different techniques:
- LogParser
- This is the default option as it is a time-efficient and stable option.
- WinEvent
- This is a flexible and programmable option as you can add your own code for extra analysis.
- Use the
-wineventparameter to parse the logs by WinEvent
Usage
- Clone the repo Or download it as Zip file then extract it
git clone https://github.com/AhmedKamal1432/Evilize.git
- Change Directory to the Repo Folder
- Run the .\Evilize.ps1 with the path to Events logs files
.\Evilize.ps1 "C:\Users\username\Downloads\Events\EventLogs\" -security- Don't run it on the local log files in "C:\Windows\System32\winevt\Logs"
- The tool creates a
Resultsfolder for csv/xlsx files inside the Event logs path. - For using Winevent insteed of logparser to parse the same logs, use the
wineventparameter
.\Evilize.ps1 -winevent "C:\Users\username\Downloads\Events\EventLogs\"- For more examples, please refer to the Wiki
Roadmap
- [v1.1.0] Implement Source events parsers
- [v1.2.0] Multithreaded parsers
- [v1.2.0] Date/Time filters
See the open issues for a full list of proposed features (and known issues).
Contributing
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
License
Distributed under the GPL-3.0 License. See LICENSE.txt for more information.