This Artifact will hunt the Event Log message field for a regex value. For example and IP, username or string.
Searching EventLog files is helpful for triage and scoping an incident. The idea is a user can search for any IOC or other string of interest and return all results across the Event Log ecosystem.
There are several parameter’s available for search leveraging regex.
Note: this artifact can potentially be heavy on the endpoint. Please use with caution. EventIds with an EventData field regex will be aplied and requires double escape for backslash due to serialisation of this field. E.g C:\\FOLDER\\binary\.exe For EventIds with no EventData the Message field is queried and requires standard velociraptor escape. E.g C:\FOLDER\binary\.exe
name: Windows.EventLogs.EvtxHunter
description: |
This Artifact will hunt the Event Log message field for a regex value.
For example and IP, username or string.
Searching EventLog files is helpful for triage and scoping an incident.
The idea is a user can search for any IOC or other string of interest and
return all results across the Event Log ecosystem.
There are several parameter's available for search leveraging regex.
- EvtxGlob glob of EventLogs to target. Default to all but can be targeted.
- dateAfter enables search for events after this date.
- dateBefore enables search for events before this date.
- IocRegex enables regex search over the message field.
- WhitelistRegex enables a regex whitelist for the Message field.
- PathRegex enables filtering on evtx path for specific log targetting.
- ChannelRegex allows specific EVTX Channel targets.
- IdRegex enables a regex query to select specific event Ids.
- SearchVSS enables searching over VSS
Note: this artifact can potentially be heavy on the endpoint.
Please use with caution.
EventIds with an EventData field regex will be aplied and requires double
escape for backslash due to serialisation of this field.
E.g C:\\\\FOLDER\\\\binary\\.exe
For EventIds with no EventData the Message field is queried and requires
standard velociraptor escape. E.g C:\\FOLDER\\binary\\.exe
author: Matt Green - @mgreen27
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: EvtxGlob
default: '%SystemRoot%\System32\Winevt\Logs\*.evtx'
- name: IocRegex
type: regex
description: "IOC Regex"
default:
- name: WhitelistRegex
description: "Regex of string to witelist"
type: regex
- name: PathRegex
description: "Event log Regex to enable filtering on path"
default: .
type: regex
- name: ChannelRegex
description: "Channel Regex to enable filtering on path"
default: .
- name: ProviderRegex
description: "Provider Regex to enable filtering on provider"
default: .
type: regex
- name: IdRegex
default: .
type: regex
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
- name: DateAfter
type: timestamp
description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
- name: DateBefore
type: timestamp
description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
imports:
- Windows.Sys.AllUsers
sources:
- query: |
LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
LET Accessor = if(condition=VSSAnalysisAge > 0, then="ntfs_vss", else="auto")
-- firstly set timebounds for performance
LET DateAfterTime <= if(condition=DateAfter,
then=timestamp(epoch=DateAfter), else=timestamp(epoch="1600-01-01"))
LET DateBeforeTime <= if(condition=DateBefore,
then=timestamp(epoch=DateBefore), else=timestamp(epoch="2200-01-01"))
-- expand provided glob into a list of paths on the file system (fs)
LET fspaths = SELECT OSPath
FROM glob(globs=expand(path=EvtxGlob), accessor=Accessor)
WHERE OSPath =~ PathRegex
-- function returning IOC hits
LET evtxsearch(PathList) = SELECT * FROM foreach(
row=PathList,
query={
SELECT
timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
System.Computer as Computer,
System.Channel as Channel,
System.Provider.Name as Provider,
System.EventID.Value as EventID,
System.EventRecordID as EventRecordID,
System.Security.UserID as UserSID,
LookupSIDCache(SID=System.Security.UserID || "") AS Username,
get(field="EventData") as EventData,
get(field="UserData") as UserData,
get(field="Message") as Message,
OSPath
FROM parse_evtx(filename=OSPath, accessor=Accessor)
WHERE ( EventData OR UserData OR Message )
AND EventTime < DateBeforeTime
AND EventTime > DateAfterTime
AND Channel =~ ChannelRegex
AND Provider =~ ProviderRegex
AND str(str=EventID) =~ IdRegex
AND format(format='%v %v %v', args=[
EventData, UserData, Message]) =~ IocRegex
AND if(condition=WhitelistRegex,
then= NOT format(format='%v %v %v', args=[
EventData, UserData, Message]) =~ WhitelistRegex,
else= True)
}
)
SELECT * FROM evtxsearch(PathList=fspaths)