Friday, December 4, 2020

Let's combine EvtxEcmd with LogonTracer

This blog post aims to show how to combine EvtxECmd (v0.6.0.3) with LogonTracer (v1.5.0) during the analysis of Windows Event Log events.

To have some data to work on, download for instance the Windows EVTX Samples shared by Samir @SBousseaden on GitHub.

Extract the EVTX files to a temporary location like C:\TEMP\EVTX-ATTACK-SAMPLES-master and use EvtxECmd to extract only the events that are currently supported by LogonTracer.

EvtxECmd.exe -d . --xml . --xmlf evtxecmd.xml --inc 4624,4625,4768,4769,4776,4672

Now we need to install LogonTracer. For convenience, I'll install the docker version of the tool on a REMnux v7 VM.

sudo apt-get update && sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - && sudo apt-key fingerprint 0EBFCD88 && sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" && sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io && sudo docker pull jpcertcc/docker-logontracer && sudo usermod -aG docker remnux

From the terminal in REMnux, launch LogonTracer:

docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=127.0.0.1 jpcertcc/docker-logontracer

Open the browser on REMnux and go to http://127.0.0.1:8080/.
Scroll down till you see on the left the button "Upload Event Log". Click on it, select "XML" in the next window that appears and choose the evtxecmd.xml file that we created before. 

Once you click "Upload", the parsing fails due to an error saying "This file is not XML format".


The XML structure of evtxecmd.xml has to be tweaked a little in order to work with LogonTracer. After comparing it with an XML file created using Microsoft Event Viewer, and based on my tests, in order to make the file work you need to:
  • Add the following header: <?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>
  • Add this footer: </Events>
  • Replace all the <Event> tags with <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  • Merge all lines into one
  • Remove all the spaces between ">" and "<"

We can use PowerShell to automate the above steps. 

$evtxecmd = "C:\TEMP\EVTX-ATTACK-SAMPLES-master\evtxecmd.xml";$logontracer = '<?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>' + [System.IO.File]::ReadLines($evtxecmd) + "</Events>";$logontracer = ($logontracer -join ("")) -replace "<Event>","<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" -replace ">[ ]*<","><";$logontracer | Out-File logontracer.xml -Encoding utf8

Let's try again with LogonTracer and this time the parsing succeeds!



[UPDATE 2020-12-07]: Just published a script (ConvertTo-LogonTracer.ps1) that can do the conversion, searches for keywords and splits a large input file to smaller chunks. Edit the settings inside the script before running it. Give it a try! The script is on my GitHub repo: https://github.com/forensenellanebbia/powershell-scripts/blob/master/ConvertTo-LogonTracer.ps1


References

No comments:

Post a Comment