Using data from the Lone Wolf Scenario, I extracted some (not all) of the Windows Event Log files from the image, and used the following command line to run EvtxECmd against this subset of data:
evtxecmd -d F:\lonewolf\data\evtx --csv F:\lonewolf\data\evtx --csvf output.csv
Not only was the output file generated, but a lot of data flew by in the command prompt while the command was processing. I thought that this might be useful information, so I deleted the output file and re-ran the command:
evtxecmd -d F:\lonewolf\data\evtx --csv F:\lonewolf\data\evtx --csvf output.csv > F:\lonewolf\data\evtx\evtxecmd_trace.txt
Once the command prompt returned, I had the output file, as well as the 'trace' file that contained all of the information provided via the prompt. A good deal of it was very useful, such as metrics based on the event IDs (albeit without the event sources, or some other unique identifier) and the count of said event IDs found in that log file. This can be very useful information, and as such, I'd recommend collecting it as part of your investigative process, and keeping it alongside your case notes.
As to the output of the command, the output file contained 31,956 entries; by comparison, Logparser (run via wevtx.bat) threw an error about not being able to open a file (it didn't specify which one), and produced output with 24,770 entries. Clearly, incorporating EvtxECmd into your investigative process will provide a more complete view of the available data, from a total number of events perspective.
However, let's look at some differences in the actual output. I've always been fascinated by the use of BITS for downloading (and uploading) files. As there are a number of BITS Client events available, let's look at a simple event, such as event ID 3.
The output from wevtx.bat, using Logparser, looks like this (i.e., TLN format):
1522194038|EVTX|DESKTOP-PM6C56D||Microsoft-Windows-Bits-Client/3;C:\Users\jcloudy\AppData\Local\Temp\{33340A58-DC7C-4FBB-82A9-24EFA8F8C38D}-gsync64.msi,{50A0E739-31CE-4B89-8972-DE76CC505D31},DESKTOP-PM6C56D\jcloudy,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe,9004
By comparison, an event ID 3 record in the EvtxECmd CSV output looks like this:
279,279,2018-03-30 21:09:16.6870673,3,4,Microsoft-Windows-Bits-Client,Microsoft-Windows-Bits-Client/Operational,3636,11240,DESKTOP-PM6C56D,S-1-5-18,,,,,,,,,,,F:\lonewolf\data\evtx\Microsoft-Windows-Bits-Client%4Operational.evtx
So, there you go. Once the appropriate map files are in place and the event description available as part of the output, given the header of the output file, it will be relatively easy to write a script that will translate the output of the tool into something easily incorporated directly into a timeline, for direct inclusion into an analysis process.
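As an added example (not part of the original post or of Eric's tool), here is the kind of translation script described above: it reads EvtxECmd CSV rows and emits TLN lines in the time|source|system|user|description layout shown in the wevtx.bat output. The column names in the sample header are assumed to match what your version of EvtxECmd writes, and the timestamps are assumed to be UTC, as the tool reports them.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample input. The column names are assumed to match the header
# EvtxECmd writes (check the first line of your own output.csv); record 279 is
# the row quoted in the post, trimmed to these columns, and record 278 is a
# constructed row with a filled-in MapDescription to show the mapped case.
SAMPLE_CSV = r"""RecordNumber,EventRecordId,TimeCreated,EventId,Level,Provider,Channel,ProcessId,ThreadId,Computer,UserId,MapDescription,PayloadData1,SourceFile
279,279,2018-03-30 21:09:16.6870673,3,4,Microsoft-Windows-Bits-Client,Microsoft-Windows-Bits-Client/Operational,3636,11240,DESKTOP-PM6C56D,S-1-5-18,,,F:\lonewolf\data\evtx\Microsoft-Windows-Bits-Client%4Operational.evtx
278,278,2018-03-30 21:09:15.1234567,3,4,Microsoft-Windows-Bits-Client,Microsoft-Windows-Bits-Client/Operational,3636,11240,DESKTOP-PM6C56D,S-1-5-18,Constructed map description,,F:\lonewolf\data\evtx\Microsoft-Windows-Bits-Client%4Operational.evtx
"""


def to_epoch(time_created: str) -> int:
    """Convert an EvtxECmd TimeCreated value to Unix epoch seconds.

    The tool writes seven fractional digits, which strptime's %f rejects,
    so the fraction is dropped; TLN only carries whole seconds anyway.
    """
    whole = time_created.split(".")[0]
    dt = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def to_tln(row: dict) -> str:
    """Build one TLN line: time|source|system|user|description.

    The description mirrors the wevtx.bat style (Provider/EventId;details),
    using the map description when a map file supplied one.
    """
    details = (row.get("MapDescription") or row.get("PayloadData1")
               or "(no map description)")
    desc = f"{row['Provider']}/{row['EventId']};{details}"
    fields = [str(to_epoch(row["TimeCreated"])), "EVTX",
              row["Computer"], row.get("UserId", ""), desc]
    return "|".join(fields)


def convert(csv_text: str) -> list:
    """Translate a whole EvtxECmd CSV into TLN lines, oldest first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    lines = [to_tln(row) for row in reader]
    return sorted(lines, key=lambda ln: int(ln.split("|")[0]))


if __name__ == "__main__":
    for line in convert(SAMPLE_CSV):
        print(line)
```

Point `convert` at the contents of output.csv and append the result to your events file for the usual TLN sort-and-parse step.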
For your analysis process, Eric includes map files (see Eric's documentation for more detail); when I ran the tool, there were 52 map files available. Eric also provides a description of how to create your own map files.
A note on using Eric's CLI tools: whenever I install a system, one of my first configuration steps is to modify the command prompt to a white background with black letters. This makes things much easier for screen captures, particularly for books and presentations. When running Eric's CLI tools for the first time, I'll get a lot of blank lines in the output, and highlighting or selecting the contents of the screen does not reveal the underlying text. I reached out to Eric and he said that I needed to get the nlog.config file from his site, and include it in the directory with each of the command line tools. I simply created a folder for Eric's tools, and put one copy of the file alongside all of the other tools.
Resources
Link to EvtxECmd Maps