sbousseaden / evtx-attack-samples
Windows Events Attack Samples
Home Page: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
License: GNU General Public License v3.0
I'm trying to set up Winlogbeat to view the logs in ELK. I tried to follow the commands suggested in the README, but the evtx file keeps running and never loads any percentage. Can you help me?
I'm trying to use some of these sample evtx files to test a new powershell tool, and I'm having trouble parsing them. It seems they may be corrupt and the event data/messages aren't formatted correctly?
For example, see the output I'm getting below where the process Hashes are showing as the "IntegrityLevel" instead of "Hashes". I don't have that same problem with sysmon evtx files I generate here. Any thoughts?
# The XPath is quoted so PowerShell passes it to Get-WinEvent unchanged
$events = Get-WinEvent -Path c:\temp\evtx\exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -FilterXPath "*[System[EventID=1]]"
foreach ($event in $events) {
    # Message is rendered from the provider message template installed on this machine
    Write-Host $event.Message
}
Process Create:
RuleName:
UtcTime: 2019-05-12 13:38:01.297
ProcessGuid: {365ABB72-21B9-5CD8-0000-0010FC002700}
ProcessId: 704
Image: C:\Windows\System32\calc.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: Windows Calculator
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: "C:\Windows\System32\calc.exe"
CommandLine: c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
CurrentDirectory: IEWIN7\IEUser
User: {365ABB72-1596-5CD8-0000-0020103A0100}
LogonGuid: 0x13a10
LogonId: 0x1
TerminalSessionId: 0
IntegrityLevel:
SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1
Hashes: {365ABB72-21B8-5CD8-0000-0010E4E82600}
ParentProcessGuid: 2964
ParentProcessId: 0
ParentImage: "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
ParentCommandLine: %22
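The shifted fields in the output above are what you get when the rendered Message comes from a Sysmon manifest of a different version than the one that wrote the sample: the Message is built from the locally registered message template, which maps the event properties by position, while the record itself stores each EventData value with its field name. The following function, an added example and not code from the issue or from the repo, reads the field names from the event XML instead of the Message, so the values stay attached to the right names regardless of which Sysmon version is installed on the parsing machine. The file path is the one named in the issue and is an assumption.

```powershell
# Added example (not from the issue or the repo): extract Sysmon EventData by
# field name from the event XML rather than from the rendered Message text.
function Get-SysmonEventData {
    param(
        [Parameter(Mandatory)][string]$Path,   # path to an .evtx file
        [int]$EventId = 1                      # Sysmon event ID to extract
    )
    # XPath is quoted so PowerShell passes it to Get-WinEvent unchanged
    $events = Get-WinEvent -Path $Path -FilterXPath "*[System[EventID=$EventId]]" -ErrorAction Stop
    foreach ($event in $events) {
        # ToXml() returns the record with <Data Name="..."> elements; the names
        # travel with the record and do not depend on the local Sysmon manifest
        [xml]$xml = $event.ToXml()
        $record = [ordered]@{
            TimeCreated = $event.TimeCreated
            EventId     = $event.Id
            Provider    = $event.ProviderName
        }
        foreach ($data in $xml.Event.EventData.Data) {
            $record[$data.Name] = $data.'#text'
        }
        [pscustomobject]$record
    }
}

# Usage with the file named in the issue (path assumed):
# Get-SysmonEventData -Path 'c:\temp\evtx\exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx' |
#     Select-Object UtcTime, Image, CommandLine, Hashes, ParentImage | Format-List
```

With this approach a sample written by Sysmon 10 and parsed on a host running a newer Sysmon shows Hashes under Hashes and ParentCommandLine under ParentCommandLine; only the Message text is affected by the template mismatch, so the same check is a quick way to confirm a sample is intact rather than corrupt.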
Could you share information about the scenarios and tools you used to generate these data, please? Or could you share the full logs of one of these techniques?
I am trying to simulate real data to test a threat hunting system. Thanks for all.
issue with invalid signature, not identified as a valid evtx file
PS C:\Users\user\Downloads> C:\Tools\ir\kape\Modules\bin\EvtxECmd\EvtxECmd.exe -f .\dicovery_4661_net_group_domain_admins_target.evtx --csv C:\Users\user\Downloads\ --csvf dicovery_4661_net_group_domain_admins_target.csv
EvtxECmd version 1.0.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx
Command line: -f .\dicovery_4661_net_group_domain_admins_target.evtx --csv C:\Users\user\Downloads\ --csvf dicovery_4661_net_group_domain_admins_target.csv
CSV output will be saved to C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.csv
Maps loaded: 393
Processing C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.evtx...
C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.evtx is not an evtx file! Message: Invalid signature! Expected 'ElfFile' Skipping...
any help would be appreciated
thank you
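EvtxECmd refuses the file because the first bytes are not the EVTX file-header magic "ElfFile", which every valid .evtx starts with (each 64 KiB chunk after the 4 KiB file header likewise starts with "ElfChnk"). The function below, an added example that is not part of the issue or of EvtxECmd, checks both signatures and shows the first bytes as text so you can see what was actually downloaded in place of the sample. The file name is taken from the issue; the path is an assumption.

```powershell
# Added example (not from the issue or from EvtxECmd): verify the EVTX file
# header magic and count the chunks carrying the chunk magic.
function Test-EvtxSignature {
    param([Parameter(Mandatory)][string]$Path)

    $bytes      = [System.IO.File]::ReadAllBytes($Path)
    $fileMagic  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(7, $bytes.Length))
    $headerSize = 4096     # the EVTX file header occupies the first 4 KiB
    $chunkSize  = 65536    # each chunk is 64 KiB and begins with "ElfChnk"

    $validChunks = 0
    $offset = $headerSize
    while ($offset + 8 -le $bytes.Length) {
        $chunkMagic = [System.Text.Encoding]::ASCII.GetString($bytes, $offset, 7)
        if ($chunkMagic -eq 'ElfChnk') { $validChunks++ }
        $offset += $chunkSize
    }

    # Printable preview of the first 64 bytes: a non-EVTX download (for
    # example an HTML page saved with the .evtx name) is obvious here
    $previewLen = [Math]::Min(64, $bytes.Length)
    $preview = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $previewLen) -replace '[^\x20-\x7e]', '.'

    [pscustomobject]@{
        Path        = $Path
        SizeBytes   = $bytes.Length
        FileMagic   = $fileMagic
        IsEvtx      = ($fileMagic -eq 'ElfFile')
        ValidChunks = $validChunks
        Preview     = $preview
    }
}

# Usage with the file from the issue (path assumed):
# Test-EvtxSignature -Path '.\dicovery_4661_net_group_domain_admins_target.evtx'
```

A genuine sample reports IsEvtx as True and at least one valid chunk; if IsEvtx is False, the Preview column tells you whether the file is a web page, a text pointer, or something else, which is the first thing to check before suspecting the sample itself.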
Hi sbousseaden,
First, thanks a lot for sharing your work. I guess it took hours and hours of lab work.
Your repo is a really good idea for blue teams and SOCs.
You give a nice try to cover the ATT&CK matrix, but some artefacts may have a different format than logs and evtx. For example, it can be PCAP files for a network scan / fingerprint.
In addition, it can be interesting when testing to know how to generate those events.
I share sources for pentesting cheatsheets which can help covering some TTPs.
https://www.hackingarticles.in/penetration-testing/
http://projects.webappsec.org/w/page/13246978/Threat%20Classification (in the references)
I would be pleased to contribute to this repo.
BR
Would it be possible to get a dump of all of the logs, not just the ones with the attacks? The data is really useful as is, but having the full set of logs to tie together the benign and the attacker behaviors would be great for my use case.
Hey guys,
Great work!
Just wanted to confirm: what is the license associated with this project? I wanted to use these event logs for analysis in my personal project, so I just wanted to be sure that there is no trouble using these logs for analysis.
Thanks.
Do you have any advice regarding how to contribute new evtx samples to this repo? For instance, is there an easy way to know whether a set of event logs is already covered by another sample in the repo, making it not really worth adding? And do you have a set of event IDs that aren't interesting and should always be excluded from new samples? Thank you!
Hi,
I have tried to match Sigma rules to this evtx.
In this file the malicious command is in ParentCommandLine,
but when I try on a Windows 10 it is in CommandLine.
Is it a special case or a bad capture?
Thanks
here is the spoolfool evtx
spoolfool.zip
Greetings! Thank you so much for providing all these samples. I've been looking to map out all Sysmon events for EvtxECmd for a while, and this provides almost every event ID I need to complete that! I parsed the entire directory of the evtx files in this repo and it appears event IDs 9, 14, 16, and 255 (not quite as important, as it's a Sysmon error event) are not present in any of these logs. Full list here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events.
Is there any chance you can keep a casual eye out for those events in any future logs you come across in your travels? I'd appreciate it for the purpose of my research. Here's a visual of what I'm seeing on my end.
Thanks again for your work!
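Both the coverage question above and the earlier contribution question (is a set of event logs already covered by another sample?) come down to the same inventory: which Sysmon event IDs appear in the sample set, how often, and in how many files. The function below, an added example and not code from the issue or the repo, walks a directory of .evtx files, tallies Sysmon events by ID, and flags the IDs no sample contains. The default expected list (1 through 29 plus 255) is an assumption taken from the current Sysmon documentation; pass your own list if you are mapping an older version. The directory path is an assumption.

```powershell
# Added example (not from the issue or the repo): inventory Sysmon event IDs
# across every .evtx sample in a directory and report the IDs that are missing.
function Get-SysmonEventCoverage {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [int[]]$ExpectedIds = ((1..29) + 255)   # assumed from current Sysmon docs
    )
    $counts = @{}   # event ID -> number of occurrences across all samples
    $files  = @{}   # event ID -> set of sample file names containing it

    Get-ChildItem -Path $Directory -Filter *.evtx -Recurse | ForEach-Object {
        $file = $_
        # Samples that hold no Sysmon events (e.g. Security logs) simply contribute nothing
        Get-WinEvent -Path $file.FullName -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Sysmon' } |
            ForEach-Object {
                $counts[$_.Id] = 1 + [int]$counts[$_.Id]
                if (-not $files.ContainsKey($_.Id)) {
                    $files[$_.Id] = [System.Collections.Generic.HashSet[string]]::new()
                }
                [void]$files[$_.Id].Add($file.Name)
            }
    }

    foreach ($id in ($ExpectedIds | Sort-Object)) {
        [pscustomobject]@{
            EventId     = $id
            Occurrences = [int]$counts[$id]
            SampleFiles = if ($files.ContainsKey($id)) { $files[$id].Count } else { 0 }
            Missing     = -not $counts.ContainsKey($id)
        }
    }
}

# Usage (directory path assumed): list the event IDs absent from the sample set
# Get-SysmonEventCoverage -Directory 'C:\samples\EVTX-ATTACK-SAMPLES' | Where-Object Missing
```

The SampleFiles column is the one to look at before contributing: an ID that already appears in many files adds little, while an ID with zero or one file is worth a new sample. Running the same function over a candidate sample's folder before and after adding it shows exactly which IDs the contribution brings in.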