GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Yamato-Security → WELA

Yamato-Security / WELA

Licence: GPL-3.0 license
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)

Programming Languages

powershell
5483 projects

Labels

windowsloganalysistimelinelogseventthreatforensicsdfirresponsehuntingsigmaincident

Projects that are alternatives of or similar to WELA

hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Stars: ✭ 908 (+105.43%)
Mutual labels:  logs, event, threat, forensics, dfir, response, hunting, sigma, incident
Siem
SIEM Tactics, Techiques, and Procedures
Stars: ✭ 157 (-64.48%)
Mutual labels:  log, analysis, threat, forensics, response
Meerkat
A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.
Stars: ✭ 284 (-35.75%)
Mutual labels:  log, analysis, threat, forensics, response
Timesketch
Collaborative forensic timeline analysis
Stars: ✭ 1,795 (+306.11%)
Mutual labels:  analysis, timeline, forensics, dfir
Rita
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Stars: ✭ 1,352 (+205.88%)
Mutual labels:  analysis, logs, threat
Adtimeline
Timeline of Active Directory changes with replication metadata
Stars: ✭ 252 (-42.99%)
Mutual labels:  timeline, forensics, dfir
Cortex
Cortex: a Powerful Observable Analysis and Active Response Engine
Stars: ✭ 676 (+52.94%)
Mutual labels:  analysis, dfir, response
smram parse
System Management RAM analysis tool
Stars: ✭ 50 (-88.69%)
Mutual labels:  analysis, forensics, dfir
PoShLog
🔩 PoShLog is PowerShell cross-platform logging module. It allows you to log structured event data into console, file and much more places easily. It's built upon great C# logging library Serilog - https://serilog.net/
Stars: ✭ 108 (-75.57%)
Mutual labels:  log, logs, event
Teler
Real-time HTTP Intrusion Detection
Stars: ✭ 1,248 (+182.35%)
Mutual labels:  log, logs, threat
SWELF
Simple Windows Event Log Forwarder (SWELF). Its easy to use/simply works Log Forwarder and EVTX Parser. Almost in full release here at https://github.com/ceramicskate0/SWELF/releases/latest.
Stars: ✭ 23 (-94.8%)
Mutual labels:  analysis, logs, hunting
l
Cross-platform html/io [L]ogger with simple API.
Stars: ✭ 26 (-94.12%)
Mutual labels:  log, logs
addon-log-viewer
Log Viewer - Home Assistant Community Add-ons
Stars: ✭ 37 (-91.63%)
Mutual labels:  log, logs
MEAT
This toolkit aims to help forensicators perform different kinds of acquisitions on iOS devices
Stars: ✭ 101 (-77.15%)
Mutual labels:  forensics, dfir
winevt
Windows Event Interactions in Python
Stars: ✭ 59 (-86.65%)
Mutual labels:  logs, event
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Stars: ✭ 32 (-92.76%)
Mutual labels:  forensics, dfir
EventTranscriptParser
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)
Stars: ✭ 22 (-95.02%)
Mutual labels:  forensics, dfir
traffic analyser
Retrieve useful information from apache/nginx access logs to help troubleshoot traffic related problems
Stars: ✭ 44 (-90.05%)
Mutual labels:  log, analysis
MindMaps
#ThreatHunting #DFIR #Malware #Detection Mind Maps
Stars: ✭ 224 (-49.32%)
Mutual labels:  forensics, dfir
GetConsoleHistoryAndOutput
An Incident Response tool to extract console command history and screen output buffer
Stars: ✭ 41 (-90.72%)
Mutual labels:  forensics, dfir
View All Similar Projects ➔

WELA Logo

WELA (Windows Event Log Analyzer) ゑ羅

[English] | [日本語]

tag-1 tag-2

Windows Event Log Analyzer) aims to be the Swiss Army knife for Windows event logs. Currently, WELA's greatest functionality is creating an easy-to-analyze logon timeline in to order to aid in fast forensics and incident response. WELA's logon timeline generator will consolodate only the useful information in multiple logon log entries (4624, 4634, 4647, 4672, 4776) into single events, perform data reduction by ignoring around 90% of the noise, and will convert any hard to read data (such as hex status codes) into human readable format.

Tested on Windows Powershell 5.1 but may work with previous versions. It will unfortunately NOT work with Powershell Core as there is no built-in functionality to read Windows event logs.

Features

  • Written in PowerShell so is easy to read and customize.
  • Fast Forensics Logon Timeline Generator
    • Detect lateral movement, system usage, suspicious logons, vulnerable protocol usage, etc...
    • 90%+ noise reduction for logon events
    • Calculate Logon Elapsed Time
    • GUI analysis
    • Logon Type Summary
  • Live Analysis and Offline Analysis
  • Japanese support
  • Event ID Statistics
  • Output to CSV to analyze in Timeline Explorer, etc...
  • Analyze NTLM usage before disabling NTLM
  • Sigma rules
  • Custom attack detection rules
  • Remote analysis
  • Logon Statistics

Usage

At the moment, please use a Windows Powershell 5.1. You will need local Administrator access for live analysis.

    Analysis Source (Specify one):
        -LiveAnalysis : Creates a timeline based on the live host's log
        -LogFile <path-to-logfile> : Creates a timelime from an offline .evtx file
        -LogDirectory <path-to-logfiles> (Warning: not fully implemented.) : Analyze offline .evtx files
        -RemoteLiveAnalysis : Creates a timeline based on the remote host's log

    Analysis Type (Specify one):
        -AnalyzeNTLM_UsageBasic : Returns basic NTLM usage based on the NTLM Operational log
        -AnalyzeNTLM_UsageDetailed : Returns detailed NTLM usage based on the NTLM Operational log
        -EventID_Statistics : Output event ID statistics
        -LogonTimeline : Output a condensed timeline of user logons based on the Security log
        -SecurityAuthenticationSummary : Output a summary of authentication events for each logon type based on the Security log

    Analysis Options:
        -StartTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the start of the timeline
        -EndTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the end of the timeline

    -LogonTimeline Analysis Options:
        -IsDC : Specify if the logs are from a DC

    Output Types (Default: Standard Output):
        -SaveOutput <outputfile-path> : Output results to a text file
        -OutputCSV : Outputs to CSV
        -OutputGUI : Outputs to the Out-GridView GUI

    General Output Options:
        -USDateFormat : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD)
        -EuropeDateFormat : Output the dates in DD-MM-YYYY format (Default: YYYY-MM-DD)
        -UTC : Output in UTC time (default is the local timezone)
        -Japanese : Output in Japanese

    -LogonTimeline Output Options:
        -HideTimezone : Hides the timezone
        -ShowLogonID : Show logon IDs

    Other:
        -ShowContributors : Show the contributors
        -QuietLogo : Do not display the WELA logo

Useful Options

Show event ID statistics to get a grasp of what kind of events there are:

./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics

Create a timeline via offline analysis outputted to a GUI in UTC time:

.\WELA.ps1 -LogFile .\Security.evtx -LogonTimeline -OutputGUI -UTC

Analyze NTLM Operational logs for NTLM usage before disabling it:

.\WELA.ps1 -LogFile .\DC1-NTLM-Operational.evtx -AnalyzeNTLM_UsageBasic

Security logon statistics on a live machine:

.\WELA.ps1 -LiveAnalysis -SecurityAuthenticationSummary

Screenshots

Logon Timeline GUI:

Logon Timeline GUI

Human Readable Timeline:

Logon Timeline GUI

Logon Type Statistics:

Logon Statistics

Event ID Statistics:

Event ID Statistics

Logon Type Summary:

Logon Type Summary

NTLM Authentication Analysis:

Logon Type Summary

Related Windows Event Log Threat Hunting Projects

Contribution

We would love any form of contributing. Pull requests are the best but feature requests, notifying us of bugs, etc... are also very welcome.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].