Hunting Evil by parsing Windows Event Log files
Evilize is an incident response tool that parses Windows Event Logs and exports the infection-related events it finds across many log files. The events it looks for are chosen mainly by following the SANS Hunt Evil poster.
What's new:
- One command to analyze all the different infection-related Event Log files.
- One Excel file per SANS category, with a separate sheet for every event ID.
- A map of the analysis, organized by the categories of the SANS poster.
- Statistics tables giving the number of indicators found for every infection vector.
- Export of the useful events, with their important attributes, in CSV format for further manual analysis.
- Analysis of both EVT and EVTX files.
All parsers are built with two different techniques:
- LogParser
  - This is the default option, as it is the time-efficient and stable one.
- WinEvent
  - This is the flexible, programmable option: you can add your own code for extra analysis.
  - Use the -winevent parameter to parse the logs with WinEvent.
Usage:
- Clone the repo, or download it as a Zip file and extract it:
  git clone https://github.com/AhmedKamal1432/Evilize.git
- Change directory to the repo folder.
- Run .\Evilize.ps1 with the path to the Event Log files, for example:
  .\Evilize.ps1 "C:\Users\username\Downloads\Events\EventLogs\" -security
- Do not run it on the live log files in "C:\Windows\System32\winevt\Logs"; point it at exported copies of the logs instead.
- The tool creates a Results folder for the csv/xlsx files inside the Event Log path.
- To parse the same logs with WinEvent instead of LogParser, use the -winevent parameter:
  .\Evilize.ps1 -winevent "C:\Users\username\Downloads\Events\EventLogs\"
- For more examples, please refer to the Wiki.
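The two points above, working on exported copies rather than the live channels and parsing with the WinEvent technique, shown together as an added example. This is not Evilize's own code: the case folder C:\Cases\Host01\EventLogs, the two exported channels and the small event-ID table are assumptions chosen for the illustration (the IDs are a subset of those on the SANS Hunt Evil poster), and the CSV layout is a simplified stand-in for what the tool itself writes.

```powershell
# Added example, not part of Evilize. Exports copies of two live channels with
# wevtutil, then parses the copies with Get-WinEvent (the "WinEvent" technique)
# for a handful of Hunt Evil event IDs, writing one CSV per event ID plus a
# count table. Run from an elevated prompt: exporting Security needs admin.

$ExportDir = 'C:\Cases\Host01\EventLogs'      # assumed case folder
$ResultsDir = Join-Path $ExportDir 'Results'
New-Item -ItemType Directory -Path $ExportDir, $ResultsDir -Force | Out-Null

# Export instead of reading C:\Windows\System32\winevt\Logs directly: the live
# files are held open by the Event Log service, while 'wevtutil epl' writes a
# consistent .evtx copy of the channel. /ow:true overwrites an earlier export.
foreach ($channel in 'Security', 'System') {
    wevtutil epl $channel (Join-Path $ExportDir "$channel.evtx") /ow:true
}

# Event IDs to hunt, grouped the way the Hunt Evil poster groups them.
# This subset is an assumption made for the example.
$Hunts = @(
    @{ Category = 'Account logon';  Log = 'Security'; Ids = 4624, 4625, 4648 }
    @{ Category = 'Account usage';  Log = 'Security'; Ids = 4720, 4728, 4732 }
    @{ Category = 'Service install'; Log = 'System';  Ids = 7045 }
)

$Stats = foreach ($hunt in $Hunts) {
    $logPath = Join-Path $ExportDir ("{0}.evtx" -f $hunt.Log)
    foreach ($id in $hunt.Ids) {
        # FilterHashtable with a Path key queries the exported file, not the live
        # channel. Get-WinEvent throws when nothing matches, so silence that case.
        $events = Get-WinEvent -FilterHashtable @{ Path = $logPath; Id = $id } `
                               -ErrorAction SilentlyContinue

        $rows = foreach ($e in $events) {
            # EventData fields are only reachable through the event XML.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Computer    = $e.MachineName
                TargetUser  = $data['TargetUserName']   # 46xx logon/account events
                LogonType   = $data['LogonType']
                IpAddress   = $data['IpAddress']
                ServiceName = $data['ServiceName']      # 7045 service installs
                ImagePath   = $data['ImagePath']
            }
        }

        if ($rows) {
            $rows | Export-Csv -NoTypeInformation `
                -Path (Join-Path $ResultsDir ("{0}_{1}.csv" -f $hunt.Log, $id))
        }

        # One statistics row per event ID, in the spirit of the tool's count tables.
        [pscustomobject]@{
            Category = $hunt.Category
            Log      = $hunt.Log
            EventId  = $id
            Count    = @($rows).Count
        }
    }
}

$Stats | Format-Table -AutoSize
```

The Get-WinEvent loop is the part worth extending: because each row is an ordinary object, a custom check (for example flagging 4624 rows with LogonType 10 and a non-local IpAddress, or 7045 rows whose ImagePath points into a user-writable directory) is a one-line Where-Object added before Export-Csv, which is the flexibility the WinEvent option trades for LogParser's speed.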
Roadmap:
- [v1.1.0] Implement source event parsers
- [v1.2.0] Multithreaded parsers
- [v1.2.0] Date/time filters
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Distributed under the GPL-3.0 License. See LICENSE.txt for more information.