Thursday, May 02, 2019


Eric Zimmerman recently released EvtxECmd, a nifty Windows Event Log file parser that bypasses the Windows API.  There are a lot of advantages to a tool such as this; specifically, by bypassing the API, it doesn't succumb to the 'hiccups' that may occur as a result of files that weren't closed properly, or for some other reason, isn't formatted in a manner the API agrees with.  This is something I've seen with LogParser, as it uses the Windows API, and will fail to parse a file if there's something 'amiss'.

Using data from the Lone Wolf Scenario, I extracted some (not all) of the Windows Event Log files from the image, and used the following command line to run EvtxECmd against this subset of data:

evtxecmd -d F:\lonewolf\data\evtx --csv F:\lonewolf\data\evtx --csvf output.csv

Not only was the output file generated, but a lot of data flew by in the command prompt while the command was processing.  I thought that this might be useful information, so I deleted the output file and re-ran the command:

evtxecmd -d F:\lonewolf\data\evtx --csv F:\lonewolf\data\evtx --csvf output.csv > F:\lonewolf\data\evtx\evtxecmd_trace.txt

Once the command prompt returned, I had the output file, as well as the 'trace' file that contained all of the information provided via the prompt.  A good deal of it was very useful, such as metrics based on the event IDs (albeit without the event sources, or some other unique identifier) and the count of said event IDs found in that log file.  This can be very useful information, and as such, I'd recommend collecting it as part of your investigative process, and keeping it alongside your case notes.

As to the output of the command, the output file contained 31,956 entries; by comparison, Logparser (run via wevtx.bat) threw an error about not being able to open a file (it didn't specify which one), and produced output with 24,770 entries. Clearly, incorporating EvtxECmd into your investigative process will provide a more complete view of the available data, from a total number of events perspective.

However, let's look at some differences in the actual output.  I've always been fascinated by the use of BITS for downloading (and uploading) files.  As there are a number of BITS Client events available, let's look at a simple event, such as event ID 3.

The output from wevtx.bat, using Logparser, looks like this (i.e., TLN format):

1522194038|EVTX|DESKTOP-PM6C56D||Microsoft-Windows-Bits-Client/3;C:\Users\jcloudy\AppData\Local\Temp\{33340A58-DC7C-4FBB-82A9-24EFA8F8C38D}-gsync64.msi,{50A0E739-31CE-4B89-8972-DE76CC505D31},DESKTOP-PM6C56D\jcloudy,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe,9004

The output directly from EvtxECmd for a similar event record looks like this:

279,279,2018-03-30 21:09:16.6870673,3,4,Microsoft-Windows-Bits-Client,Microsoft-Windows-Bits-Client/Operational,3636,11240,DESKTOP-PM6C56D,S-1-5-18,,,,,,,,,,,F:\lonewolf\data\evtx\Microsoft-Windows-Bits-Client%4Operational.evtx

In the case of the EvtxECmd output, there seems to be some important information missing. Talking to Eric about this, he said that in order to get the additional details (i.e., strings, event description) in the CSV output, you need to have a map file for the event.

So, there you go.  Once the appropriate map files are in place and the event description available as part of the output, given the header of the output file, it will be relatively easy to write a script that will translate the output of the tool into something easily incorporated directly into a timeline, for direct inclusion into an analysis process.

For your analysis process, Eric includes map files (read Eric's info for more detail...)...when I ran the tool, there were 52 map files available.  Eric provides a description of how to create your own map files.

A note on using Eric's CLI tools: whenever I install a system, one of my first configuration steps is to modify the command prompt to a white background with black letters.  This makes things much easier for screen captures, particularly for books and presentations.  When running Eric's CLI tools for the first time, I'll get a lot of blank lines in the output, and highlighting or selecting the contents of the screen does not reveal the underlying text.  I reached to Eric and he said that I needed to get the nlog.config file from his site, and include it in the directory with each of the command line tools.  I simply created a folder for Eric's tools, and put one copy of the file alongside all of the other tools.

Link to EvtxECmd Maps

No comments: