ahmedkamal1432 / evilize Goto Github PK

The ReadMe file of WinEvent needs to be in Table and keep the sub-category as it is.

After parsing the logs it outputs a grid view of the number of parsed logs.
We need to export this info in CSV to be able to check it later not only in the live investigation.

Thanks to TM PH IR Team for this feature

there's a missing event id 4697 which is installed services that are in security log. you have only parsed the installed services on the system event log whose event id is 7045

• Need to add some screenshots.
• Create a logo
• using a template: https://github.com/othneildrew/Best-README-Template

When the event logs folder path contains a space like "C:\Users\Test\Downloads\my folder\logs" it cannot parse any file

The merging process of CSV files to Excel sheet may cause warnings and errors.
we need to do an exception handling with proper messages.

This should be helpful in cases where cmd.exe is executing a malware.

This code should only accept to run on logs in one folder that is hardcoded in the code, please change it to accept the log's path as input

Please clean up these folders to only include csv output files only

please refer to this answer https://stackoverflow.com/questions/49324636/multiple-csv-files-into-a-xlsx-file-but-different-sheets-using-powershell

need to know in which stage the parsing is, and after finishing all the parsing print the statistics

Please add the parameter -ErrorAction SilentlyContinue as advised in this answer
https://community.spiceworks.com/topic/2081534-get-winevent-no-events-were-found-that-match-the-specified-selection-criteria

When Event log path has spaces, Powershell will consider it a new parameter
Need to add it in the Readme

No Need to import CSV for just counting the lines is an overload no need for it
and it generates errors if the CSV contains malicious code

While running Evilize on multiple sets of events logs, it exports the parsed files in every set on each folder but with the same name.
So if you want to open the same CSV in different sets the application refuses as they have the same name.
we need to export the hostname from one of the logs and concatenate it to the CSV and excel sheet names

This shouldn't generate any log for users as there is no need to have evt file if evtx already there.

Users can add an optional parameter called "--no-security" to choose not to parse any log from Security.evtx file
This can be a time optimized option to get the data from other sources which are usually smaller in size

It will be nice to create a Logo for this tool

When the PowerShell language mode is set to be ConstrainedLanguage, it denies the installation or usage of a package like Import-Excel.
We need to find an alternative to it or include it locally in the app files

It will be better to rename branches by functions, not by the owner
like logparser and winevent.

The printing message is disabled but it should be updated

Error handling should be present when some event logs file is not found.
Then listing statistics

Implement SANS source event IDs

As all parsing functions are independent so it will be easy to run it on multiple threads

The Paths are created as variables but not used in code, it will be good to initialize them and use them as variables in functions

For compatibility with Linux and integration with other tools written in Python, we create a Python file that can execute Evilize.ps1 and pass arguments to it.

create .gitignore file to ignore changes in results folder

Need to print the statistics of found logs in a Table, may be using Grid-view

I have tested the code against logs that contains many scheduled task logs but couldn't parsing it

Usually, we export security and system logs in evt format we need to convert them to evtx usting this command

wevtutil epl $src_file $dst_file /lf:true

Given a start time and end time we should Evilize event logs according to those times

helper file should contain only functions.
and all logic and function calls should be shifted to main.ps1

The location of the function files should be relative to the execution path as this code will only work if I put the code in "D:\EJUST\Internships\TMinternship\evilize_project"

The main.ps1 file is missing in your branch

After running the code many folders are created in the main folder
Some are empty and others are containing the CSV output

The main folder should be clean and all the csv files should be exported in results folder

Error when Counting using import csv as the file contain malicious data or text
this error appeared while testing on 508 SANS logs

Segment the functions calls based on the SANS poster to easily choose who want to call or comment