sbousseaden / evtx-attack-samples

Windows Events Attack Samples

Home Page: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

License: GNU General Public License v3.0

PowerShell 0.18% Jupyter Notebook 11.98% Python 2.31% HTML 85.52%
threat-hunting evtx windows-security mitre-attack detection-engineering dataset winlogbeat dfir

evtx-attack-samples's People

Contributors

cyb3rsn0rlax, duzvik, gwsales, sbousseaden, sikalost, svch0stz, tuckner

evtx-attack-samples's Issues

Help loading evtx into winlogbeat

I'm trying to set up winlogbeat to view the logs in ELK. I tried to follow the commands suggested in the Readme, but the evtx file keeps running and does not load any percentage. Can you help me?

sysmon evtx files corrupt?

I'm trying to use some of these sample evtx files to test a new powershell tool, and I'm having trouble parsing them. It seems they may be corrupt and the event data/messages aren't formatted correctly?
For example, see the output I'm getting below where the process Hashes are showing as the "IntegrityLevel" instead of "Hashes". I don't have that same problem with sysmon evtx files I generate here. Any thoughts?

# Sysmon process-create events (EventID 1) from one sample; XPath filter passed as a quoted string
$events = Get-WinEvent -Path C:\temp\evtx\exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -FilterXPath '*[System[EventID=1]]'

foreach ($event in $events) {
    Write-Host $event.Message
}

Process Create:
RuleName:
UtcTime: 2019-05-12 13:38:01.297
ProcessGuid: {365ABB72-21B9-5CD8-0000-0010FC002700}
ProcessId: 704
Image: C:\Windows\System32\calc.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: Windows Calculator
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: "C:\Windows\System32\calc.exe"
CommandLine: c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
CurrentDirectory: IEWIN7\IEUser
User: {365ABB72-1596-5CD8-0000-0020103A0100}
LogonGuid: 0x13a10
LogonId: 0x1
TerminalSessionId: 0
IntegrityLevel: SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1
Hashes: {365ABB72-21B8-5CD8-0000-0010E4E82600}
ParentProcessGuid: 2964
ParentProcessId: 0
ParentImage: "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
ParentCommandLine: %22
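The misaligned labels in the output above are what a Message template mismatch looks like: Get-WinEvent builds the Message text from the Sysmon provider manifest installed on the machine doing the parsing, not from the file. When a sample was recorded with a Sysmon release whose EventID 1 had a different set of fields (the sample shown has no OriginalFileName value, so every following value slides up one label), the rendered text is misaligned while the EventData underneath is intact. The following is an added example, not code from the repo or from the issue author: it reads each `<Data Name="...">` element by its own name, so the mapping cannot shift. The function name, the XML sample and the field subset in it are constructed for illustration.

```powershell
# Added example (not from EVTX-ATTACK-SAMPLES): map Sysmon EventData by field
# name from the record XML instead of trusting the locally rendered .Message.
function ConvertFrom-SysmonEventXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $doc = [xml]$EventXml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $fields = [ordered]@{
            EventID     = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            TimeCreated = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        }
        # Each <Data Name="X">value</Data> carries its own name, so a manifest with
        # more or fewer fields than the recording Sysmon had cannot shift the values.
        foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$fields
    }
}

# Real use against a sample from the repo (path from the issue above):
#   Get-WinEvent -Path .\exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -FilterXPath '*[System[EventID=1]]' |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonEventXml |
#       Select-Object EventID, Image, CommandLine, Hashes, ParentImage

# Constructed EventID 1 record (not a real event from the repo). It deliberately
# omits OriginalFileName, the field whose absence shifts the rendered Message.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <TimeCreated SystemTime="2019-05-12T13:38:01.297Z" />
  </System>
  <EventData>
    <Data Name="UtcTime">2019-05-12 13:38:01.297</Data>
    <Data Name="Image">C:\Windows\System32\calc.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\calc.exe"</Data>
    <Data Name="Hashes">SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC</Data>
    <Data Name="ParentImage">C:\Windows\System32\mshta.exe</Data>
  </EventData>
</Event>
'@

# Hashes holds the hash string and Image the image path, whatever Sysmon manifest is installed locally.
ConvertFrom-SysmonEventXml -EventXml $sampleXml | Format-List
```

The same approach carries over to Sigma or KQL testing against these samples: match on the named EventData fields, never on substrings of the rendered Message.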

The tools that generated these EVTX files

Could you share information about the scenarios and tools you used to generate this data, please? Or could you share the full logs of one of these techniques?
I am trying to simulate real data to test a threat-hunting system. Thanks for everything.

invalid signature

Issue with an invalid signature: the file is not identified as a valid evtx file.

PS C:\Users\user\Downloads> C:\Tools\ir\kape\Modules\bin\EvtxECmd\EvtxECmd.exe -f .\dicovery_4661_net_group_domain_admins_target.evtx --csv C:\Users\user\Downloads\ --csvf dicovery_4661_net_group_domain_admins_target.csv
EvtxECmd version 1.0.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx

Command line: -f .\dicovery_4661_net_group_domain_admins_target.evtx --csv C:\Users\user\Downloads\ --csvf dicovery_4661_net_group_domain_admins_target.csv

CSV output will be saved to C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.csv

Maps loaded: 393

Processing C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.evtx...
C:\Users\user\Downloads\dicovery_4661_net_group_domain_admins_target.evtx is not an evtx file! Message: Invalid signature! Expected 'ElfFile' Skipping...

any help would be appreciated

thank you
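The EvtxECmd message above is a plain magic-value check: an EVTX file begins with a 4 KiB file header whose first eight bytes are "ElfFile\0", and each 64 KiB chunk, the first at offset 4096, begins with "ElfChnk\0". A file that fails the first check is not a damaged log but a different kind of file altogether, and looking at its leading bytes usually tells you which. The following is an added check, not part of the repo or of EvtxECmd; the function name and the two constructed files written to the temp directory are for illustration only, and nothing here asserts why the particular download in this issue failed.

```powershell
# Added check (not from EVTX-ATTACK-SAMPLES or EvtxECmd): verify the EVTX file
# header magic "ElfFile\0" and the first chunk magic "ElfChnk\0" before parsing.
function Test-EvtxSignature {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $fileMagic   = [System.BitConverter]::ToString([System.Text.Encoding]::ASCII.GetBytes("ElfFile`0"))
    $chunkMagic  = [System.BitConverter]::ToString([System.Text.Encoding]::ASCII.GetBytes("ElfChnk`0"))
    $chunkOffset = 4096   # the file header occupies the first 4 KiB; chunks follow

    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head     = New-Object byte[] 8
        $headRead = $fs.Read($head, 0, 8)
        $fileOk   = ($headRead -eq 8) -and ([System.BitConverter]::ToString($head) -eq $fileMagic)

        $chunkOk = $false
        if ($fs.Length -ge ($chunkOffset + 8)) {
            $null      = $fs.Seek($chunkOffset, [System.IO.SeekOrigin]::Begin)
            $chunk     = New-Object byte[] 8
            $chunkRead = $fs.Read($chunk, 0, 8)
            $chunkOk   = ($chunkRead -eq 8) -and ([System.BitConverter]::ToString($chunk) -eq $chunkMagic)
        }
    }
    finally {
        $fs.Dispose()
    }

    # Leading bytes as printable text: when the check fails, this shows what the
    # file really is (a text page, a pointer file, a truncated download).
    $leading = if ($headRead -gt 0) {
        [System.Text.Encoding]::ASCII.GetString($head, 0, $headRead) -replace '[^\x20-\x7E]', '.'
    } else { '' }

    [pscustomobject]@{
        Path          = $Path
        FileHeaderOk  = $fileOk
        ChunkHeaderOk = $chunkOk
        IsEvtx        = ($fileOk -and $chunkOk)
        LeadingBytes  = $leading
    }
}

# Constructed inputs (not files from the repo): a minimal layout with both magic
# values in place, and a text file saved under an .evtx name.
$tmp   = [System.IO.Path]::GetTempPath()
$good  = Join-Path $tmp 'constructed_good.evtx'
$bad   = Join-Path $tmp 'constructed_bad.evtx'
$bytes = New-Object byte[] (4096 + 8)
[System.Text.Encoding]::ASCII.GetBytes("ElfFile`0").CopyTo($bytes, 0)
[System.Text.Encoding]::ASCII.GetBytes("ElfChnk`0").CopyTo($bytes, 4096)
[System.IO.File]::WriteAllBytes($good, $bytes)
[System.IO.File]::WriteAllText($bad, 'not an evtx file')

Test-EvtxSignature -Path $good
Test-EvtxSignature -Path $bad

# Real use: list every sample in a checkout that a parser would reject
# Get-ChildItem .\EVTX-ATTACK-SAMPLES -Recurse -Filter *.evtx |
#     ForEach-Object { Test-EvtxSignature -Path $_.FullName } |
#     Where-Object { -not $_.IsEvtx }
```

Run this over a directory before pointing EvtxECmd, winlogbeat or a notebook at it; a single non-EVTX file in a batch otherwise surfaces only as a skipped-file message buried in the parser output.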

Pentesting cheatsheets

Hi sbousseaden,

First, thanks a lot for sharing your work. I guess it took hours and hours of lab work.

Your repo is a really good idea for blue teams and SOCs.
You made a nice attempt to cover the ATT&CK matrix, but some artefacts may have a different format than logs and evtx. For example, they can be PCAP files for a network scan / fingerprint.

In addition, when testing it can be interesting to know how to generate those events.
I'm sharing sources for pentesting cheatsheets which can help cover some TTPs.

https://www.hackingarticles.in/penetration-testing/
http://projects.webappsec.org/w/page/13246978/Threat%20Classification (in the references)

I would be pleased to contribute to this repo.

BR

Access to benign logs

Would it be possible to get a dump of all of the logs, not just the ones with the attacks? The data is really useful as is, but having the full set of logs to tie together the benign and the attacker behaviors would be great for my use case.

License Information

Hey guys,

Great work!
Just wanted to confirm what license is associated with this project. I want to use these event logs for analysis in my personal project, so I wanted to be sure there is no trouble using these logs for analysis.

Thanks.

[Question] Any advice regarding how to contribute?

Do you have any advice regarding how to contribute new evtx samples to this repo? For instance, is there an easy way to know whether a set of event logs is already covered by another sample in the repo, making it not really worth adding? And do you have a set of event IDs that aren't interesting and should always be excluded from new samples? Thank you!

evasion_execution_imageload_wuauclt_lolbas.evtx

Hi,
I have tried to match Sigma rules against this evtx.
In this file the malicious command is in ParentCommandLine, but when I try it on a Windows 10 machine it is in CommandLine.

Is it a special case or a bad capture?

Thanks

Missing Event IDs 9, 14, 16, and 255

Greetings! Thank you so much for providing all these samples. I've been looking to map out all Sysmon events for EvtxECmd for a while and this provides almost every event ID I need to complete that! I parsed the entire directory of the evtx files in this repo and it appears event IDs 9, 14, 16, and 255 (not quite as important, as it's a Sysmon error event) are not present in any of these logs. Full list here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events.

Is there any chance you can keep a casual eye out for those events in any future logs you come across in your travels? I'd appreciate it for the purpose of my research. Here's a visual of what I'm seeing on my end.


Thanks again for your work!
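Both the contribution question above (is a set of events already covered by an existing sample?) and this coverage report come down to the same inventory: which Sysmon event IDs appear in which files of the repo. The following is an added example, not code from the repo or from either issue author. It walks a checkout with Get-WinEvent, filters on the Sysmon provider, and reports each expected ID with the number of samples carrying it and the first file that does, so a contributor can see at a glance whether a new sample adds an ID nobody has yet. The function name is made up; the default expected list (1 to 29 plus 255) is an assumption taken from the current Sysmon documentation and should be adjusted to the docs page linked above.

```powershell
# Added example (not from EVTX-ATTACK-SAMPLES): inventory Sysmon event IDs across
# every .evtx under a directory and compare against the documented ID list.
function Get-SysmonEventIdCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Directory,
        # Assumption: Sysmon event IDs 1-29 and 255 (error) per the current docs; extend as needed.
        [int[]]$Expected = @(1..29 + 255)
    )

    # EventId -> list of sample files in which it occurs
    $seen = @{}
    Get-ChildItem -Path $Directory -Filter *.evtx -Recurse -File | ForEach-Object {
        $file = $_.FullName
        # A sample with no Sysmon events makes Get-WinEvent raise a non-terminating
        # "No events were found" error; that is expected here, so it is silenced.
        Get-WinEvent -Path $file -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Sysmon']]]" -ErrorAction SilentlyContinue |
            ForEach-Object {
                if (-not $seen.ContainsKey($_.Id)) {
                    $seen[$_.Id] = [System.Collections.Generic.List[string]]::new()
                }
                if (-not $seen[$_.Id].Contains($file)) { $seen[$_.Id].Add($file) }
            }
    }

    foreach ($id in ($Expected | Sort-Object)) {
        $present = $seen.ContainsKey($id)
        [pscustomobject]@{
            EventId     = $id
            Present     = $present
            SampleCount = if ($present) { $seen[$id].Count } else { 0 }
            FirstSample = if ($present) { Split-Path -Leaf $seen[$id][0] } else { $null }
        }
    }
}

# Usage: IDs that no sample in the checkout provides (path to a local clone assumed)
Get-SysmonEventIdCoverage -Directory .\EVTX-ATTACK-SAMPLES | Where-Object { -not $_.Present }

# Usage: full coverage table, most-covered IDs first
Get-SysmonEventIdCoverage -Directory .\EVTX-ATTACK-SAMPLES | Sort-Object SampleCount -Descending | Format-Table
```

Reading every file through Get-WinEvent is slow on a large tree; it is the right tool here because it uses the Windows event log API, so it also reports which files the API itself refuses to open.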
