Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for linux or JSONL/NDJSON Logs
Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs
- Zircolite can be used directly on the investigated endpoint or in your forensic/detection lab
- Zircolite is relatively fast and can parse large datasets in just seconds (check benchmarks)
- Zircolite is based on a Sigma backend (SQLite) and do not use internal sigma to "something" conversion
- Zircolite can export results to multiple format with using Jinja templates : JSON, CSV, JSONL, Splunk, Elastic, Zinc, Timesketch...
Zircolite can be used directly in Python or you can use the binaries provided in releases. Documentation is here.
Requirements / Installation
Python 3.8 minimum is required. You can install dependencies with : pip3 install -r requirements.txt
The use of evtx_dump is optional but required by default (because it is for now much faster), If you do not want to use it you have to use the --noexternal option. The tool is provided if you clone the Zircolite repository (the official repository is here). For Apple M1 computers, the --noexternal option is preferred.
Quick start
EVTX files :
Help is available with zircolite.py -h. If your EVTX files have the extension ".evtx" :
# python3 zircolite.py --evtx <EVTX FOLDER or EVTX FILE> --ruleset <SIGMA RULESET> [--ruleset <OTHER RULESET>]
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.jsonThe SYSMON ruleset used here is a default one and is for logs coming from endpoints where SYSMON is installed.
Rules can be updated using the -U or --update-rules options.
Auditd / Sysmon for Linux / JSONL or NDJSON logs :
python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd
python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon.json --jsononlyDocs
Everything is here.
Mini-Gui
The Mini-GUI can be used totally offline, it allows the user to display and search results. You can automatically generate a Mini-Gui "package" with the --package option. To know how to use the Mini-GUI, check docs here.
Detected events by Mitre Att&ck (c) techniques and criticity levels
Detected events Timeline
Detected events by Mitre Att&ck (c) techniques displayed on the Matrix
Tutorials, references and related projects
Tutorials
-
Russ McRee has published a pretty good tutorial on SIGMA and Zircolite in his blog
-
César Marín has published a tutorial in spanish here
References
- Florian Roth cited Zircolite in his SIGMA Hall of fame in its talk dugin the October 2021 EU ATT&CK Workshop in October 2021
- Zircolite has been cited and used in the research work of the CIDRE team : PWNJUSTSU - Website and PWNJUSTSU - Academic paper
Battle-tested
Zircolite has been used to perform cold-analysis (in Lab) on EVTX in multiple "real-life" situations. However, even if Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.
License
- All the code of the project is licensed under the GNU Lesser General Public License
evtx_dumpis under the MIT license- The rules are released under the Detection Rule License (DRL) 1.0