This blog post aims to show how to combine EvtxECmd (v0.6.0.3) with LogonTracer (v1.5.0) during the analysis of Windows Event Log events.
To have some data to work on, download for instance the Windows EVTX Samples shared by Samir @SBousseaden on GitHub.
Extract the EVTX files to a temporary location like C:\TEMP\EVTX-ATTACK-SAMPLES-master.
Use EvtxECmd to extract only the events that are currently supported by LogonTracer: this is especially useful when dealing with cases that contain GBs of EVTX files from different systems and you want to load into LogonTracer just the event IDs that this tool can interpret, speeding up the whole process.
EvtxECmd.exe -d <PATH> --xml <PATH> --xmlf evtxecmd.xml --inc 4624,4625,4768,4769,4776,4672
Now we need to install LogonTracer. For convenience, I'll install the docker version of the tool on a REMnux v7 VM which runs Ubuntu 20.04. You may need to increase the amount of memory assigned to the VM (at least 4 GB).
sudo apt-get update && sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - && sudo apt-key fingerprint 0EBFCD88 && sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" && sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io && sudo docker pull jpcertcc/docker-logontracer && sudo usermod -aG docker remnux
From the terminal in REMnux, launch LogonTracer:
docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=127.0.0.1 jpcertcc/docker-logontracer
Open the browser on REMnux and go to: http://127.0.0.1:8080/
Scroll down at the very bottom, till you see on the left the button "Upload Event Log".
Click on it and:
- select "XML" in the next window that appears
- set the time zone
- choose the evtxecmd.xml file that we created before.
Once you click "Upload", the parsing fails due to an error saying "This file is not XML format".
- Add the following header: <?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>
- Add this footer: </Events>
- Replace all the <Event> tags with <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- Merge all lines into one
- Remove all the spaces between ">" and "<"
We can use PowerShell to automate the above steps.
$evtxecmd = "C:\TEMP\EVTX-ATTACK-SAMPLES-master\evtxecmd.xml";$logontracer = '<?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>' + [System.IO.File]::ReadLines($evtxecmd) + "</Events>";$logontracer = ($logontracer -join ("")) -replace "<Event>","<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" -replace ">[ ]*<","><";$logontracer | Out-File logontracer.xml -Encoding utf8
Let's try again with LogonTracer and this time the parsing succeeds!
[UPDATE 2020-12-07]: Just published a script (ConvertTo-LogonTracer.ps1) that can do the conversion, searches for keywords and splits a large input file to smaller chunks. Edit the settings inside the script before running it. Give it a try! The script is on my GitHub repo: https://github.com/forensenellanebbia/powershell-scripts/blob/master/ConvertTo-LogonTracer.ps1
References
No comments:
Post a Comment