Grab important events from Windows logs (.evtx) using EvtxHussar . Also upload PowerShell ScriptBlocks (reconstructed as files).
Following categories are supported:
Note: If no logs from specific category will be found, source will remain empty.
Based on version 1.7 of EvtxHussar.
name: Windows.EventLogs.EvtxHussar
description: |
Grab important events from Windows logs (.evtx) using [EvtxHussar](https://github.com/yarox24/EvtxHussar).
Also upload PowerShell ScriptBlocks (reconstructed as files).
Following categories are supported:<br />
- Antivirus (Symantec, Windows Defender)<br />
- Accounts (Users related operations)<br />
- Audit (Log cleared, Policy changed)<br />
- Windows Firewall <br />
- Logons<br />
- Powershell events<br />
- Processes<br />
- RDP<br />
- ScheduledTasks (creation/modification/execution)<br />
- Services<br />
- WinRM<br />
- Boot up/Restart/Shutdown<br />
- SMB
Note: If no logs from specific category will be found, source will remain empty.<br />
Based on version 1.7 of EvtxHussar.
author: Jarosław Oparka - @yarox24
type: CLIENT
resources:
timeout: 3600 # 1 hour
max_rows: 10000000 # 10 million
max_upload_bytes: 5368709120 # 5 Gigabytes
tools:
- name: EvtxHussar17
url: https://github.com/yarox24/EvtxHussar/releases/download/1.7/EvtxHussar1.7_windows_amd64.zip
serve_locally: true
precondition:
SELECT OS From info() where OS = 'windows' AND Architecture = "amd64"
parameters:
- name: LogsPath
description: |
Windows Event logs path
default: "C:\\Windows\\System32\\winevt\\Logs"
type: hidden
- name: AntivirusSymantec
description: |
Include Symantec Network Protection (Application.evtx) events
default: Y
type: bool
- name: AntivirusWindowsDefender
description: |
Include Windows Defender (Microsoft-Windows-Windows Defender%4Operational.evtx) events
default: Y
type: bool
- name: AccountsUserRelatedOperations
description: |
Include events related to account manipulation (Security.evtx)
default: Y
type: bool
- name: AuditLogCleared
description: |
Include events related to Windows Event log clearing (Security.evtx, System.evtx)
default: Y
type: bool
- name: AuditPolicyChanges
description: |
Include events related to changes in audit policy (Security.evtx)
default: Y
type: bool
- name: BootupRestartShutdown
description: |
Include events related to boot up/restart/shutdown of OS (System.evtx, Security.evtx)
default: Y
type: bool
- name: Logons
description: |
Include events related to logon/logoff/sessions of Windows users (Security.evtx)
default: Y
type: bool
- name: PowerShellScriptBlocksReconstructAndUpload
description: |
Include EID 4104 - Creating Scriptblock text (Microsoft-Windows-PowerShell%4Operational.evtx), reconstruct and upload them as .ps1 files
default: Y
type: bool
- name: Option_PowerShellScriptBlocksXorApply
description: |
Should we apply XOR operation (Key: Y) on reconstructed PS ScriptBlocks when saving them temporarily on target system. May prevent them from deletion by AV.
default: Y
type: bool
- name: PowerShellEvents
description: |
Include events related to PowerShell activity on the system (Microsoft-Windows-PowerShell%4Operational.evtx, Windows PowerShell.evtx)
default: Y
type: bool
- name: Processes
description: |
Include events related to creation/termination of processess (Security.evtx, Microsoft-Windows-Sysmon%4Operational.evtxx)
default: Y
type: bool
- name: RDP
description: |
Include events related to RDP activity on the system (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx, Security.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, Microsoft-Windows-TerminalServices-RDPClient%254Operational.evtx, Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx)
default: Y
type: bool
- name: ScheduledTasksCreationModification
description: |
Include events related to creation and modification of Scheduled Tasks (Microsoft-Windows-TaskScheduler%4Operational.evtx, Security.evtx)
default: Y
type: bool
- name: ScheduledTasksExecution
description: |
Include events related to execution of Scheduled Tasks(Microsoft-Windows-TaskScheduler%4Operational.evtx)
default: Y
type: bool
- name: Services
description: |
Include events related to Windows services (System.evtx, Security.evtx)
default: Y
type: bool
- name: SMBClientDestinations
description: |
Include events related to usage of SMB Client (outgoing SMB connections)
default: Y
type: bool
- name: SMBServerAccessAudit
description: |
Include events related to access to SMB Server (incoming SMB connections)
default: Y
type: bool
- name: SMBServerModifications
description: |
Include events related to SMB Server configuration
default: Y
type: bool
- name: WindowsFirewall
description: |
Include Windows Firewall (Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx, Security.evtx) events
default: Y
type: bool
- name: WinRM
description: |
Include events related to Windows Remote Management (Microsoft-Windows-WinRM%4Operational.evtx)
default: Y
type: bool
sources:
- name: Antivirus_Symantec
query: |
// Execute EvtxHussar
LET ZipInfo <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName= "EvtxHussar17", IsExecutable= False)
LET tmpdir <= tempdir()
LET Unpack <= SELECT * FROM unzip(filename=ZipInfo[0].FullPath, output_directory=tmpdir)
LET Binpath <= tmpdir + "\\EvtxHussar\\EvtxHussar.exe"
LET CWDpath <= tmpdir + "\\EvtxHussar\\"
LET outdir <= tempdir()
LET cnt <= int(int=0)
LET IncreaseCounter(c, cat_flag) = if(condition= cat_flag = "Y", then=c + 1, else=c)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=AntivirusSymantec)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=AntivirusWindowsDefender)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=AccountsUserRelatedOperations)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=AuditLogCleared)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=AuditPolicyChanges)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=BootupRestartShutdown)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=Logons)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=PowerShellScriptBlocksReconstructAndUpload)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=PowerShellEvents)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=Processes)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=RDP)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=ScheduledTasksCreationModification)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=ScheduledTasksExecution)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=Services)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=SMBClientDestinations)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=SMBServerAccessAudit)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=SMBServerModifications)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=WinRM)
LET cnt <= IncreaseCounter(c=cnt, cat_flag=WindowsFirewall)
LET cnt_max <= int(int=19)
LET AppendIfEnabled(arr, cat_flag, l2propername) = if(condition= cat_flag = "Y", then= arr + l2propername, else= arr )
LET EnabledL2Maps <= array(a="TO_DELETE")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=AntivirusSymantec, l2propername="AV_SymantecNetwork")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=AntivirusWindowsDefender, l2propername="AV_WindowsDefender")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=AccountsUserRelatedOperations, l2propername="AccountsUserRelatedOperations")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=AuditLogCleared, l2propername="AuditLogCleared")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=AuditPolicyChanges, l2propername="AuditPolicyChanged")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=BootupRestartShutdown, l2propername="General_BootupRestartShutdown")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=Logons, l2propername="LogonsUniversal")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=PowerShellScriptBlocksReconstructAndUpload, l2propername="PowerShellScriptBlock")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=PowerShellEvents, l2propername="PowerShellUniversal")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=Processes, l2propername="ProcessCreation")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=RDP, l2propername="RDPUniversal")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=ScheduledTasksCreationModification, l2propername="ScheduledTasks_CreationModification")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=ScheduledTasksExecution, l2propername="ScheduledTasks_Execution")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=Services, l2propername="ServicesUniversal")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=SMBClientDestinations, l2propername="SMB_ClientDestinations")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=SMBServerAccessAudit, l2propername="SMB_ServerAccessAudit")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=SMBServerModifications, l2propername="SMB_ServerModifications")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=WinRM, l2propername="WinRMUniversal")
LET EnabledL2Maps <= AppendIfEnabled(arr=EnabledL2Maps, cat_flag=WindowsFirewall, l2propername="FirewallUniversal")
LET HussArgs <= array(bin=Binpath,
outdir_flag="-o",
outdir_path=outdir,
format_flag="-f",
format_val="jsonl"
)
LET HussArgs <= if(condition= cnt < cnt_max, then= HussArgs + "--includeonly" + join(array=EnabledL2Maps[1:], sep=","), else= HussArgs)
LET HussArgs <= if(condition= Option_PowerShellScriptBlocksXorApply = "Y", then= HussArgs + "--scriptblockxor", else= HussArgs)
LET HussArgs <= HussArgs + LogsPath
LET _ <= log(message="EvtxHussar cmdline arguments: %v", arguments=HussArgs)
LET ExecuteHussar = SELECT log(message="EvtxHussar stdout: %s", args=[Stdout]) FROM execve(cwd=CWDpath, argv=HussArgs, sep="\n")
LET _ <= if(condition= cnt > 0, then= ExecuteHussar, else= log(message="As no plugins were selected, nothing to do."))
// Helper functions for sources
LET GetOutputFiles(category, jsonl_filename) = SELECT OSPath, Size FROM glob(globs=outdir + format(format="\\*\\%s\\%s", args=[category, jsonl_filename]))
LET PluginOutput(search_result) = SELECT * FROM foreach(
row= { SELECT * FROM search_result },
query= { SELECT * FROM parse_jsonl(filename=OSPath) ORDER BY EventTime DESC}
)
// Antivirus_Symantec
SELECT *, "EvtxHussar.Antivirus_Symantec" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="av", jsonl_filename="symantec_networkprotection.jsonl"))
- name: Antivirus_WindowsDefender
query: |
SELECT *, "EvtxHussar.Antivirus_WindowsDefender" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="av", jsonl_filename="windows_defender.jsonl"))
- name: Accounts_UsersRelatedOperations
query: |
SELECT *, "EvtxHussar.Accounts_UsersRelatedOperations" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="accounts", jsonl_filename="users_related_operations.jsonl"))
- name: Audit_LogCleared
query: |
SELECT *, "EvtxHussar.Audit_LogCleared" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="audit", jsonl_filename="log_cleared.jsonl"))
- name: Audit_PolicyChanges
query: |
SELECT *, "EvtxHussar.Audit_PolicyChanges" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="audit", jsonl_filename="policy_change.jsonl"))
- name: BootupRestartShutdown
query: |
SELECT *, "EvtxHussar.BootupRestartShutdown" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="general", jsonl_filename="bootup_restart_shutdown.jsonl"))
- name: Logons
query: |
SELECT *, "EvtxHussar.Logons" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="logons", jsonl_filename="logons.jsonl"))
- name: Powershell_Events
query: |
SELECT *, "EvtxHussar.Powershell_Events" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="powershell", jsonl_filename="powershell_events.jsonl"))
- name: Powershell_ScriptblocksSummary
query: |
SELECT *, "EvtxHussar.Powershell_ScriptblocksSummary" AS __Source FROM foreach(
row= { SELECT *, if(condition= Option_PowerShellScriptBlocksXorApply = "Y", then= Name[:-4], else=Name) AS FinalName, if(condition= Option_PowerShellScriptBlocksXorApply = "Y", then = xor(string=read_file(filename=OSPath), key='Y'), else = read_file(filename=OSPath)) AS Content FROM glob(globs=outdir + "\\*\\powershell\\scriptblocks\\*") },
query= { SELECT FinalName, upload(file=Content, accessor="data", name="C:\\evtxhussar_virtual_scriptblocks_directory\\" + FinalName).sha256 AS UploadSHA256, Size, humanize(bytes=Size) AS `Human Size`, Content[:100] AS `First 100 characters of script` FROM scope() }
)
- name: Processes
query: |
SELECT *, "EvtxHussar.Processes" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="processes", jsonl_filename="processes.jsonl"))
- name: RDP
query: |
SELECT *, "EvtxHussar.RDP" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="rdp", jsonl_filename="rdp.jsonl"))
- name: ScheduledTasks_CreationModification
query: |
SELECT *, "EvtxHussar.ScheduledTasks_CreationModification" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="scheduled_tasks", jsonl_filename="creation_modification.jsonl"))
- name: ScheduledTasks_Execution
query: |
SELECT *, "EvtxHussar.ScheduledTasks_Execution" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="scheduled_tasks", jsonl_filename="execution.jsonl"))
- name: Services
query: |
SELECT *, "EvtxHussar.Services" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="services", jsonl_filename="services.jsonl"))
- name: SMB_ClientDestinations
query: |
SELECT *, "EvtxHussar.SMB_ClientDestinations" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="smb", jsonl_filename="smb_client_destinations.jsonl"))
- name: SMB_ServerAccessAudit
query: |
SELECT *, "EvtxHussar.SMB_ServerAccessAudit" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="smb", jsonl_filename="smb_server_access_audit.jsonl"))
- name: SMB_ServerModifications
query: |
SELECT *, "EvtxHussar.SMB_ServerModifications" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="smb", jsonl_filename="smb_server_modifications.jsonl"))
- name: WinRM
query: |
SELECT *, "EvtxHussar.WinRM" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="winrm", jsonl_filename="winrm.jsonl"))
- name: WindowsFirewall
query: |
SELECT *, "EvtxHussar.WindowsFirewall" AS __Source FROM PluginOutput(search_result=GetOutputFiles(category="firewall", jsonl_filename="windows_firewall.jsonl"))