
Comments (8)

Crypt0-M3lon commented on August 14, 2024

Thank you for the very clear technical explanation. I think it would be a better solution to have the same output for the same log (from WEF or not) even if the binxml representation is slightly different; in the event viewer they basically look the same. Having different behavior is making log exploitation difficult.

from evtx.

Crypt0-M3lon commented on August 14, 2024

Why not the following json that is the output for the non-wec EVTX file? I think it's more representative of the original XML

{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "Binary": null,
      "Data": {
        "#text": [
          "Set-Mailbox",
          "-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:[email protected]\"",
          "ave.local/Users/Administrateur",
          "S-1-5-21-186559946-3925841745-111227986-500",
          "S-1-5-21-186559946-3925841745-111227986-500",
          "Remote-ManagementShell-Unknown",
          "5668 w3wp#MSExchangePowerShellAppPool",
          "",
          "5",
          "00:00:26.0389557",
          "Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »",
          "",
          "",
          "",
          "",
          "",
          "",
          "False",
          "",
          "0 objects execution has been proxied to remote server.",
          "",
          "",
          "0",
          "ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1",
          "ServicePlan:;IsAdmin:True;",
          "",
          "fr-FR"
        ]
      }
    },
    "System": {
      "Channel": "MSExchange Management",
      "Computer": "WEC.ave.local",
      "EventID": {
        "#attributes": {
          "Qualifiers": 16384
        },
        "#text": 1
      },
      "EventRecordID": 3229,
      "Keywords": "0x80000000000000",
      "Level": 4,
      "Provider": {
        "#attributes": {
          "Name": "MSExchange CmdletLogs"
        }
      },
      "Security": null,
      "Task": 1,
      "TimeCreated": {
        "#attributes": {
          "SystemTime": "2021-11-19T16:52:33.833733Z"
        }
      }
    }
  }
}


omerbenamram commented on August 14, 2024

Hi, thanks for letting me know.

This is because EventData Data nodes usually either contain a Name key, or appear on their own.
For some reason when the event was passed through WEF in your case, it split the Data node into many smaller ones.

In XML it's legal to have many nodes with the same name, but this is illegal in JSON so the parser outputs them with a postfix.
Changing the parser to treat Data in this case like any other node produces an output like this:

{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "Data": "fr-FR",
      "Data_1": "Set-Mailbox",
      "Data_10": "Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »",
      "Data_11": "False",
      "Data_12": "0 objects execution has been proxied to remote server.",
      "Data_13": "0",
      "Data_14": "ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1",
      "Data_15": "ServicePlan:;IsAdmin:True;",
      "Data_2": "-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:[email protected]\"",
      "Data_3": "ave.local/Users/Administrateur",
      "Data_4": "S-1-5-21-186559946-3925841745-111227986-500",
      "Data_5": "S-1-5-21-186559946-3925841745-111227986-500",
      "Data_6": "Remote-ManagementShell-Unknown",
      "Data_7": "5668 w3wp#MSExchangePowerShellAppPool",
      "Data_8": "5",
      "Data_9": "00:00:26.0389557"
    },
    "System": {
      "Channel": "MSExchange Management",
      "Computer": "WEC.ave.local",
      "EventID": {
        "#attributes": {
          "Qualifiers": "16384"
        },
        "#text": "1"
      },
      "EventRecordID": "3229",
      "Keywords": "0x80000000000000",
      "Level": "4",
      "Provider": {
        "#attributes": {
          "Name": "MSExchange CmdletLogs"
        }
      },
      "Security": null,
      "Task": "1",
      "TimeCreated": {
        "#attributes": {
          "SystemTime": "2021-11-19T16:52:33.833733500Z"
        }
      }
    }
  }
}

I think this is a fair representation of the XML, what do you think?


omerbenamram commented on August 14, 2024

The event log viewer simply goes and prints everything that is Data to the log output. So having

<EventData>
    <Data> A String </Data>
</EventData>

and

<EventData>
    <Data> A </Data>
    <Data> String </Data>
</EventData>

Looks the same textually - but I'm not sure whether it can be parsed the same.

Manipulating the JSON output is OK by me - since it's an interpretation on the xml structure and has no one-to-one representation, but I don't think we can do anything about the XML.

I could have Data be concatenated when the Name is empty when outputting to JSON, I'll see if it's simple enough.


omerbenamram commented on August 14, 2024

It would look like this:

{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "Data": {
        "#text": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:[email protected]\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR"
      }
    },
    "System": {
      "Channel": "MSExchange Management",
      "Computer": "WEC.ave.local",
      "EventID": {
        "#attributes": {
          "Qualifiers": "16384"
        },
        "#text": "1"
      },
      "EventRecordID": "3229",
      "Keywords": "0x80000000000000",
      "Level": "4",
      "Provider": {
        "#attributes": {
          "Name": "MSExchange CmdletLogs"
        }
      },
      "Security": null,
      "Task": "1",
      "TimeCreated": {
        "#attributes": {
          "SystemTime": "2021-11-19T16:52:33.833733500Z"
        }
      }
    }
  }
}


forensicmatt commented on August 14, 2024

I like the array approach better than a catted string. I will see if I can make a PR to implement this.

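
As an added example (not evtx's own code): the three JSON shapes discussed in this thread, postfixed keys, one concatenated string, and an array, rendered from a constructed EventData fragment so that what each shape loses is visible. The sample XML and the Data_N numbering scheme are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed EventData fragment (not from the page): eleven unnamed <Data>
# nodes, two of them empty, plus one Name-keyed node, mimicking the WEF case.
SAMPLE_EVENTDATA = """<EventData>
<Data>Set-Mailbox</Data><Data>-Identity "Administrateur"</Data>
<Data>ave.local/Users/Administrateur</Data><Data>Remote-ManagementShell-Unknown</Data>
<Data>5668 w3wp#MSExchangePowerShellAppPool</Data><Data></Data><Data>5</Data>
<Data>00:00:26.0389557</Data><Data></Data><Data>False</Data><Data>fr-FR</Data>
<Data Name="Binary"></Data>
</EventData>"""


def split_data_nodes(xml_text):
    """Return (named, unnamed): Name-keyed values and unnamed values in document order."""
    named, unnamed = {}, []
    for node in ET.fromstring(xml_text).iter("Data"):
        name = node.get("Name")
        if name:
            named[name] = node.text          # None for an empty node, like the tool's null
        else:
            unnamed.append(node.text or "")  # keep empty entries as "" so positions survive
    return named, unnamed


def render_postfixed(xml_text):
    """Data, Data_1, ..., Data_N keys (assumed numbering; order lives only in the suffix)."""
    named, unnamed = split_data_nodes(xml_text)
    out = dict(named)
    for i, text in enumerate(unnamed):
        out["Data" if i == 0 else f"Data_{i}"] = text
    return out


def render_concatenated(xml_text):
    """Unnamed Data joined into one string; field boundaries and empties disappear."""
    named, unnamed = split_data_nodes(xml_text)
    return {**named, "Data": {"#text": "".join(unnamed)}}


def render_array(xml_text):
    """Unnamed Data as an ordered array; positions and empty entries are preserved."""
    named, unnamed = split_data_nodes(xml_text)
    return {**named, "Data": {"#text": unnamed}}


def key_order_after_sorted_dump(obj):
    """Key order a consumer sees after a sort_keys JSON dump: lexical, so Data_10 precedes Data_2."""
    return list(json.loads(json.dumps(obj, sort_keys=True)))
```

Once keys are sorted, the postfixed form places Data_10 ahead of Data_2, and the concatenated form fuses "5" and "00:00:26.0389557" into "500:00:26.0389557"; only the array keeps all 11 positions, including the empty ones a detection rule may index by.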

Crypt0-M3lon commented on August 14, 2024

Hello, any news about this issue?


Crypt0-M3lon commented on August 14, 2024

Wow, I was about to make a PR with the same kind of implementation but probably less proper, thank you! :D
Will you publish a new version of the tool (and of the Python binding)?

